
SAP Security Patch Day - September 2024

SAP Security Patch Tuesday 2024

What is the most important day of the month for an SAP security professional? Arguably, it is SAP Security Patch Day! You know, that infamous second Tuesday of the month when SAP releases its latest batch of SAP security patches. For many, it marks the start of a lengthy manual analysis and implementation of changes in the SAP landscape, all to make sure that every vulnerability is mitigated as soon as possible. And rightly so! Patch management is of the utmost importance to prevent cyber attacks that exploit known security issues and cause serious damage.

At SecurityBridge, we are all too familiar with the challenges that come with patch management. As easy as it may sound, in an SAP landscape, it is not. Time and time again, it proves to be a complex process that requires meticulous research and serious efforts to get it right. The SecurityBridge Patch Management solution greatly helps to create insight into missing patches across an SAP landscape and provides essential functionalities to handle patch management effectively, like automatic implementation and impact analysis.

SAP Security Patches September 2024

For this month, we see 16 new Security Notes and 3 that have been updated. See below for the highlights.

Updated security notes

HotNews note 3479478 was first released last month in August and got some important updates:

  • The vulnerability is only valid for web application servers where biprws is deployed, and it is also valid for version 420 of the BusinessObjects platform.
  • A workaround is now available to temporarily fix the issue. Of course, applying the relevant patches remains the recommended solution.

Take note of the above changes if applicable: this vulnerability can lead to a complete compromise of your system (CVSS 9.8)!

For note 3459935 (CVSS 7.4), only the solution information has been updated. In short: you’ll need 2211.28 instead of 2211.27 to fix the issue on SAP Commerce Cloud. A small but important update if you think you’re safe with the previous version…

The update for note 3495876 (CVSS 6.5) is actually quite minimal and only refers to an additional cleanup of files after patching, see the note for more information.

New security notes

Many of the newly released notes are quite straightforward and simply require customers to apply the update where applicable. Some highlights are:

  • Note 3430336 describes a vulnerability to the BREACH attack (a compression side channel that can expose secrets, such as CSRF tokens, reflected in compressed HTTP responses). Apply the patches mentioned in the note AND implement the XorCsrfTokenRequestAttributeHandler, which masks the CSRF token, in custom web applications.
  • Note 3488039 covers multiple vulnerabilities in the SAP_BASIS layer, all rated Medium (CVSS 4.3-5.4). Note that a workaround exists as well, by adapting the authorization object S_RFC.
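The BREACH mitigation named for Note 3430336 works by masking the CSRF token with a fresh random key on every response, so the same secret never appears twice in compressed output. The Python below is an added example, not code from this post, from SAP, or from Spring Security; it re-implements the XOR masking scheme that Spring Security's XorCsrfTokenRequestAttributeHandler uses (a random key as long as the token, XOR, then key and masked token concatenated and Base64-encoded) so the effect can be inspected offline. The session token value and the helper names are constructed for illustration.

```python
"""Added example: a minimal re-implementation of the XOR masking scheme used
by Spring Security's XorCsrfTokenRequestAttributeHandler. This is illustrative
code, not Spring's or SAP's; the session token below is constructed."""
import base64
import secrets

# Constructed sample value standing in for the per-session CSRF token.
SESSION_TOKEN = b"constructed-example-csrf-token-0123456789"


def mask_token(token: bytes) -> str:
    """Mask `token` with a fresh random key of the same length.

    Output is Base64(key || token XOR key). Because the key changes on every
    call, the same session token never appears twice on the wire, which removes
    the stable secret that a compression side channel like BREACH needs."""
    key = secrets.token_bytes(len(token))
    masked = bytes(t ^ k for t, k in zip(token, key))
    return base64.b64encode(key + masked).decode("ascii")


def unmask_token(masked_b64: str) -> bytes:
    """Reverse mask_token(): split the decoded value into key and masked
    halves and XOR them back together."""
    raw = base64.b64decode(masked_b64)  # raises on malformed Base64
    if len(raw) % 2 != 0:
        raise ValueError("masked token must decode to key || masked of equal length")
    half = len(raw) // 2
    key, masked = raw[:half], raw[half:]
    return bytes(m ^ k for m, k in zip(masked, key))


def verify_request_token(session_token: bytes, submitted_b64: str) -> bool:
    """Server-side check: unmask what the client sent and compare it in
    constant time with the real session token. Malformed input is rejected
    instead of raising."""
    try:
        actual = unmask_token(submitted_b64)
    except ValueError:  # binascii.Error (bad Base64) is a ValueError subclass
        return False
    return secrets.compare_digest(actual, session_token)


def masked_forms_are_unique(token: bytes, samples: int) -> bool:
    """Demonstrate the mitigation property: `samples` masked forms of one
    token are all distinct, none of them contains the raw token bytes, and
    every one of them still unmasks to the original token."""
    forms = [mask_token(token) for _ in range(samples)]
    return (
        len(set(forms)) == samples
        and all(token not in base64.b64decode(f) for f in forms)
        and all(unmask_token(f) == token for f in forms)
    )


if __name__ == "__main__":
    wire = mask_token(SESSION_TOKEN)
    print("on the wire :", wire)
    print("unmasks to  :", unmask_token(wire))
    print("verifies    :", verify_request_token(SESSION_TOKEN, wire))
    print("unique forms:", masked_forms_are_unique(SESSION_TOKEN, 20))
```

Run it twice and the "on the wire" value differs each time while the unmasked token stays the same; that per-response variation is the whole point of the handler, and it is why the patch alone is not enough for custom applications that still reflect an unmasked token into compressed pages.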

SAP Security Notes September 2024

Highlights

This month brings mostly 'Medium' and 'Low' priority notes. Make sure to review the updated notes with 'High' and 'HotNews' priority to ensure your systems are still safe.

Summary by Severity

The September release contains a total of 19 patches for the following severities:

Severity | Number
Hot News | 1
High     | 1
Medium   | 14
Low      | 3
Note | Description | Priority | Released on | Components | Category | Severity | CVSS
3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 13.08.2024 | BI-BIP-INV | Program error | Hot News | 9.8
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | Correction with high priority | 13.08.2024 | CEC-COM-CPS-COR | Program error | High | 7.4
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | Correction with medium priority | 13.08.2024 | BC-SYB-REP | Program error | Medium | 6.5
3488341 | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) | Correction with medium priority | 10.09.2024 | IS-OIL-PRA-REV-OW | Program error | Medium | 6.5
3501359 | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | Correction with medium priority | 10.09.2024 | CA-GTF-PCF | Program error | Medium | 6.1
3497347 | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA | Correction with medium priority | 10.09.2024 | MM-PUR-SSP | Program error | Medium | 6.1
3477359 | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | Correction with medium priority | 10.09.2024 | BC-JAS-SEC-DST | Program error | Medium | 6.0
3430336 | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud | Correction with medium priority | 10.09.2024 | CEC-SCC-PLA-PL | Program error | Medium | 5.9
3425287 | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform | Correction with medium priority | 10.09.2024 | BI-RA-WBI-BE | Program error | Medium | 5.8
3488039 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 10.09.2024 | BC-DWB-SEM | Program error | Medium | 5.4
3505503 | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) | Correction with medium priority | 10.09.2024 | BC-JAS-SEC-LGN | Program error | Medium | 4.8
3498221 | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | Correction with medium priority | 10.09.2024 | BC-PIN-PCD | Program error | Medium | 4.7
3481588 | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | Correction with medium priority | 10.09.2024 | BW-BEX-ET-WB-7X | Program error | Medium | 4.3
3505293 | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) | Correction with medium priority | 10.09.2024 | IS-OIL-DS-TD | Program error | Medium | 4.3
3437585 | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) | Correction with medium priority | 27.08.2024 | FI-LOC-SRF-RUN | Program error | Medium | 4.3
3481992 | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | Correction with medium priority | 10.09.2024 | BW-BEX-ET-WB-7X | Program error | Medium | 4.3
2256627 | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) | Correction with low priority | 10.09.2024 | IS-HER-CM | Program error | Low | 2.7
3496410 | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with low priority | 10.09.2024 | BC-DWB-TOO-ABA | Program error | Low | 2.7
3507252 | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with low priority | 10.09.2024 | BC-ABA-LA | Program error | Low | 2.0
Posted by Gert-Jan Koster