
SAP Patch Day: April 2024

Missing Password Requirements Check in SAP NetWeaver AS Java UME poses Confidentiality at High Risk

Highlights of April SAP Security Notes analysis include:

  • April Summary: Twelve new and updated SAP security patches released, including three High Priority Notes
  • SAP NetWeaver AS Java UME: Password requirements are not checked in some features
  • Onapsis Research Labs Contribution: Our team supported SAP in patching a Server-Side Request Forgery in SAP NetWeaver AS Java

SAP has published twelve new and updated Security Notes in its April Patch Day. This includes three High Priority Notes.

The High Priority Notes in Detail

SAP Security Note #3434839, tagged with a CVSS score of 8.8, patches a Security Misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (UME). The ‘Self-Registration’ and ‘Modify your own profile’ features of the UME do not take the configured password requirements into account and therefore allow simple passwords that can easily be cracked. The two features are optional and disabled by default, but each customer can enable and configure them individually. The title of the assigned vulnerability seems somewhat misleading, since the vulnerability is not caused by a configuration issue but by a missing check in the program logic. Onapsis recommends implementing the note regardless of whether one or both features are enabled. This ensures the system is protected once you decide to enable one of the features. Leaving the vulnerability unpatched can lead to a high impact on the system’s confidentiality and a low impact on integrity and availability.
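The pattern behind this note, a password policy that one user-facing feature simply never consults, is easiest to see in code. The following Python is an added illustration and not SAP's or Onapsis' code; the policy rules, the `UserStore` class and the two `self_register_*` functions are assumptions made for the example. The point it demonstrates is that the policy check belongs in the single place that writes the password, so that no feature (self-registration, profile editing, administrative creation) can bypass it.

```python
"""Added illustration (not SAP code): enforce one password policy on every
path that sets a password, instead of only in the administrative flow."""
import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """Constructed sample rules; real systems read these from configuration."""
    min_length: int = 10
    require_digit: bool = True
    require_upper: bool = True
    require_special: bool = True

    def violations(self, password: str) -> list:
        """Return a list of human-readable rule violations (empty = compliant)."""
        problems = []
        if len(password) < self.min_length:
            problems.append(f"shorter than {self.min_length} characters")
        if self.require_digit and not re.search(r"\d", password):
            problems.append("no digit")
        if self.require_upper and not re.search(r"[A-Z]", password):
            problems.append("no upper-case letter")
        if self.require_special and not re.search(r"[^A-Za-z0-9]", password):
            problems.append("no special character")
        return problems


class PolicyViolation(ValueError):
    """Raised by the user store when a password does not satisfy the policy."""


@dataclass
class UserStore:
    """Hypothetical user store; the policy check lives in set_password()."""
    policy: PasswordPolicy
    users: dict = field(default_factory=dict)

    def set_password(self, user: str, password: str) -> None:
        problems = self.policy.violations(password)
        if problems:
            raise PolicyViolation(f"{user}: " + ", ".join(problems))
        # Stored in clear only to keep the example short; a real store would
        # hash the password with a slow KDF before persisting it.
        self.users[user] = password


def self_register_unpatched(store: UserStore, user: str, password: str) -> bool:
    """Flawed variant: the feature writes the record itself and skips the policy."""
    store.users[user] = password
    return True


def self_register_patched(store: UserStore, user: str, password: str) -> bool:
    """Corrected variant: every write goes through set_password(), so the
    configured policy applies to self-registration too."""
    try:
        store.set_password(user, password)
        return True
    except PolicyViolation:
        return False


if __name__ == "__main__":
    weak, strong = "abc", "Correct-Horse-42"
    print("unpatched accepts weak:", self_register_unpatched(UserStore(PasswordPolicy()), "alice", weak))
    print("patched accepts weak:  ", self_register_patched(UserStore(PasswordPolicy()), "alice", weak))
    print("patched accepts strong:", self_register_patched(UserStore(PasswordPolicy()), "alice", strong))
```

A quick way to audit your own applications for the same class of defect is to grep for every write to the credential store and confirm each one passes through the shared policy check rather than a feature-local shortcut.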

SAP Security Note #3421384, tagged with a CVSS score of 7.7, describes and solves an Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence. The Excel Data Access Service performs insufficient validation checks while uploading Excel files, so potentially malicious data may be read. An exploit can have a high impact on the system’s confidentiality.

The third High Priority Note is SAP Security Note #3438234, tagged with a CVSS score of 7.2. The note patches a Directory Traversal vulnerability in two programs of SAP Asset Accounting. While the program RAALTE00 is simply disabled by the patch, a check of the supplied path information against logical file names is added to the second vulnerable report, RAALTD01.
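To make the "verification against logical file names" approach concrete, the following Python is an added example, not SAP's ABAP fix and not the actual logic of RAALTD01. It assumes a small table of logical file names (constructed here as a dictionary), each mapping to a physical directory and an allowed extension, and it shows why the user-supplied name must be joined to the configured directory and normalised before the check, so that `..` components, absolute paths and subdirectories are all refused.

```python
"""Added illustration (not SAP code): map a user-supplied file name through a
logical file name definition so it cannot escape the configured directory."""
import posixpath
from pathlib import PurePosixPath

# Constructed sample definitions. In a real system these would come from the
# logical file name customizing; this dictionary only stands in for it.
LOGICAL_FILES = {
    "ASSET_TRANSFER_IN": {"dir": "/interfaces/asset/in", "ext": ".txt"},
    "ASSET_TRANSFER_OUT": {"dir": "/interfaces/asset/out", "ext": ".csv"},
}


class PathRejected(ValueError):
    """Raised when the supplied name does not map cleanly into the logical file."""


def resolve_physical_path(logical_name: str, user_supplied_name: str) -> str:
    """Return the physical path for user_supplied_name, or raise PathRejected."""
    definition = LOGICAL_FILES.get(logical_name)
    if definition is None:
        raise PathRejected(f"unknown logical file name {logical_name!r}")
    if not user_supplied_name or "\x00" in user_supplied_name:
        raise PathRejected("empty name or embedded NUL byte")

    base = PurePosixPath(definition["dir"])
    # Join first, then collapse '.' and '..' lexically (no filesystem access),
    # so the check sees the path exactly as the OS would interpret it.
    candidate = posixpath.normpath(str(base / user_supplied_name))
    resolved = PurePosixPath(candidate)

    # The file must sit directly inside the configured directory. This rejects
    # '../' escapes, absolute names (pathlib lets them replace the base) and
    # subdirectories that the logical file definition does not allow.
    if resolved.parent != base:
        raise PathRejected(f"{user_supplied_name!r} leaves {base}")
    if resolved.suffix != definition["ext"]:
        raise PathRejected(f"extension {resolved.suffix!r} not allowed")
    return str(resolved)


def is_allowed(logical_name: str, user_supplied_name: str) -> bool:
    """Boolean convenience wrapper around resolve_physical_path()."""
    try:
        resolve_physical_path(logical_name, user_supplied_name)
        return True
    except PathRejected:
        return False


if __name__ == "__main__":
    # Constructed inputs: one legitimate name and four that must be refused.
    for name in ["report.txt", "../../etc/passwd", "/etc/passwd",
                 "sub/report.txt", "report.exe"]:
        print(f"{name!r:22} -> {is_allowed('ASSET_TRANSFER_IN', name)}")
```

Note that the comparison is done on the normalised path, not on the raw input: filtering the string for `..` alone is easy to get wrong, whereas checking that the resolved parent equals the configured directory covers every encoding of the same escape.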

Contribution of the Onapsis Research Labs

The Onapsis Research Labs (ORL) supported SAP in patching a Server-Side Request Forgery vulnerability in the tc~esi~esp~grmg~wshealthcheck~ear application of SAP NetWeaver AS Java. The vulnerability, described in SAP Security Note #3425188 and tagged with a CVSS score of 5.3, can cause a low impact on the application’s confidentiality. The ORL found that the application suffers from insufficient input validation, allowing an unauthenticated attacker to send crafted requests from the vulnerable web application to internal systems behind firewalls that are normally not reachable from the external network.
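The defensive counterpart to "insufficient input validation" in a server-side fetch is to decide, before any connection is opened, whether the requested target is one the component is meant to reach. The following Python is an added example and not SAP's fix for the health-check application; the allowlist, the `check_target` function and the offline `sample_resolver` (a constructed stand-in for DNS) are assumptions for the example. It checks the scheme, refuses user-info in the URL, requires the host to be on an allowlist, and then also verifies that every address the host resolves to is public, because an allowlisted name that resolves to an internal address would still reach the internal network.

```python
"""Added illustration (not SAP code): validate an outbound request target
before a server-side component fetches it."""
import ipaddress
from typing import Callable, Iterable, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for DNS so the example runs offline. In production you
# would resolve with socket.getaddrinfo and connect to exactly those addresses.
SAMPLE_DNS = {
    "partner.example.com": ["93.184.216.34"],          # public address
    "misconfigured.example.com": ["10.0.0.5"],         # allowlisted, but private
    "internal-db.corp.example": ["10.0.0.7"],          # never allowlisted
}


def sample_resolver(host: str) -> list:
    """Return the constructed addresses for host (empty if unknown)."""
    return SAMPLE_DNS.get(host, [])


def check_target(url: str, allowed_hosts: Iterable[str],
                 resolve: Callable[[str], list] = sample_resolver) -> Tuple[bool, str]:
    """Return (allowed, reason); every rejection names the check that failed."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        # 'http://trusted@internal/' would pass a naive string match on 'trusted'.
        return False, "userinfo in URL not allowed"
    host = (parts.hostname or "").lower()
    if not host:
        return False, "missing host"
    if host not in {h.lower() for h in allowed_hosts}:
        return False, f"host {host!r} not in allowlist"
    # The allowlist is by name; a name can still resolve to an internal
    # address, so every resolved address is checked as well.
    addresses = resolve(host)
    if not addresses:
        return False, f"host {host!r} did not resolve"
    for addr in addresses:
        if not ipaddress.ip_address(addr).is_global:
            return False, f"{host} resolves to non-public address {addr}"
    return True, "ok"


if __name__ == "__main__":
    allow = ["partner.example.com", "misconfigured.example.com"]
    # Constructed sample targets: one legitimate, the rest must be refused.
    for url in ["https://partner.example.com/health",
                "http://internal-db.corp.example/",
                "http://127.0.0.1:8080/",
                "http://misconfigured.example.com/",
                "http://partner.example.com@internal-db.corp.example/",
                "file:///etc/passwd"]:
        print(f"{url:55} -> {check_target(url, allow)}")
```

In a deployed component the resolved addresses returned by this check should be the ones the HTTP client actually connects to, so that the check and the connection cannot disagree; redirects should be re-validated with the same function before being followed.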

Summary and Conclusion

With only twelve SAP Security Notes, including three High Priority Notes, SAP’s April Patch Day belongs to the category of ‘calmer’ Patch Days. This is a perfect opportunity to check for any SAP Security Note of the last SAP Patch Days whose implementation is still pending.

SAP Note | Type | Description | Component | Priority | CVSS
3434839 | New | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | BC-JAS-SEC-UME | High | 8.8
3421384 | New | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | BI-RA-WBI | High | 7.7
3438234 | New | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | FI-AA-AA-A | High | 7.2
3442741 | New | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | LOD-HCI-PI-OP-NM | Medium | 6.8
3442378 | New | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | FIN-CS-CDC-DC | Medium | 6.5
3359778 | New | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | BC-CST-DP | Medium | 6.5
3164677 | Update | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) | PA-FIO-LEA | Medium | 6.5
3156972 | Update | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | MM-FIO-PUR-REQ-SSP | Medium | 6.1
3425188 | New | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) | BC-ESI-WS-JAV-RT | Medium | 5.3
3421453 | New | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | BC-MID-BUS | Medium | 4.8
3430173 | New | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | FIN-FSCM-CLM-BAM | Medium | 4.3
3427178 | New | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | FIN-FSCM-CLM-BAM | Medium | 4.3

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance, ensuring customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP Patch Day, SAP security, and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.

By Thomas Fritsch

Source: Onapsis-Blog
