SAP Security Patch Day – May 2024
Looking at the fifth SAP Security Patch Day of the year, the imperative for maintaining robust security measures remains paramount. Once again, SAP has released a series of security patches, prompting a closer examination of the key highlights. This time, the update comprises a set of 15 notes. In today’s digital landscape, it’s a narrative we’re all too familiar with – headlines dominated by reports of data breaches, ransomware attacks, and other cyber threats that loom over organizations. Frequently, these incidents share a common vulnerability: unpatched systems, which represent a significant chink in the armor against such threats.
These recurring headlines underscore the indispensable nature of patch management in IT security. It’s a responsibility that organizations cannot afford to delay or neglect. The consequences of overlooking this vital component of security infrastructure are evident from numerous high-profile real-world examples.
At SecurityBridge, we understand the crucial importance of patch management and the challenges it poses for organizations. That’s why our Patch Management solution is designed to assist, offering invaluable insights into existing patching gaps within SAP landscapes. Moreover, it enables organizations to assess the potential impacts of specific patches proactively, providing a comprehensive overview of patching status across the entire landscape, even before implementation.
SAP Security Patches May 2024
For May 2024, 13 new Security Notes have been released and 2 have been updated. We will first go into the ‘HotNews’ notes and highlight other key points below.
HotNews
In this release, 2 notes have ‘HotNews’ priority, which refers to a CVSS score of 9.0 or higher. SAP note 3455438 concerns SAP CX Commerce and actually bundles 2 vulnerabilities: CVE-2019-17495 and CVE-2022-36364. Interestingly, these CVEs are pretty old; looking at the note, they were introduced into SAP CX Commerce via the use of other libraries, in this case Swagger UI and Apache Calcite Avatica. Solving the vulnerability is done simply by patching the HY_COM component. But it goes to show how easily known vulnerabilities can find their way back in…
In our April blog post, we briefly discussed the importance of secure file integration and the risk of not doing this properly. In this month’s release, we again have a ‘nice’ example of such a vulnerability. SAP note 3448171 describes how a malicious file can be uploaded to the SAP Content Server, which can cause serious damage when the file is accessed at a later stage. SAP has changed the default settings in the provided fixes. Note, however, that the fix only applies to new installations; for existing installations, the described corrections need to be applied manually. So take action here for these repositories!
Cross Site Scripting (XSS) vulnerabilities
Cross Site Scripting (XSS) attacks are a common type of attack in which malicious scripts are injected that compromise the interaction between users and a web application. There are many examples around, and this month there are 4 more for various SAP applications: SAP notes 3431794, 3448445, 3460772 and 3450286. These range from priority ‘High’ to ‘Medium’. There are no workarounds here, simply patch the relevant components!
Notes with 'Medium' to 'Low' priority
SAP note 3446076 describes a vulnerability in the ‘PDFViewer’ that is part of SAPUI5. A script may get executed within a PDF, which poses a potential threat. This client-side script execution can be further controlled with the newly introduced property ‘isTrustedSource’. The property may have an effect on the user experience as well. Review where relevant.
The other notes of this month’s release have a ‘Medium’ to ‘Low’ priority and concern vulnerabilities like missing authorization checks, potential information disclosures and SQL injections. The main message is simple: take all these vulnerabilities seriously and patch!
SAP Security Notes May 2024 Highlights
HotNews and XSS vulnerabilities.
Summary by Severity
The May release contains a total of 15 patches for the following severities:
Severity | Number
---|---
Hot News | 2
High | 1
Medium | 10
Low | 2