
SAP Patch Day: June 2024

High Priority Notes for SAP NetWeaver AS Java and SAP Financial Consolidation

Highlights of the June SAP Security Notes analysis include:

  • June Summary: Twelve new and updated SAP Security Notes released, including two High Priority Notes
  • SAP High Priority Notes: SAP NetWeaver AS Java and SAP Financial Consolidation affected
  • Onapsis Research Labs Contribution: Our team supported SAP in patching 50% of all new SAP Security Notes in June

SAP has published twelve new and updated SAP Security Notes on its June Patch Day, including two High Priority Notes. Five of the ten new Security Notes were published in collaboration with the Onapsis Research Labs.

The High Priority Notes in Detail

SAP Security Note #3457592, tagged with a CVSS score of 8.1, is the note with the highest CVSS score in June. It patches two Cross-Site Scripting vulnerabilities in SAP Financial Consolidation. The more critical one allows data from an untrusted source to enter the web application and manipulate web site content, with a high impact on the confidentiality and integrity of the application.

SAP Security Note #3460407 is the second High Priority Note in June. Tagged with a CVSS score of 7.5, it is rated slightly lower than #3457592. However, targeting SAP NetWeaver AS Java, it is most likely that more SAP customers and systems are affected by this note. The note patches a Denial of Service vulnerability in the Meta Model Repository services. Accessing these services was not restricted and allowed attackers to perform DoS attacks on the application, preventing legitimate users from using the application.

Onapsis Contribution

Our Onapsis Research Labs (ORL) team is continuously growing, and our new team members from Romania were already able to contribute significantly to several of the June Security Notes.

SAP Security Note #3453170, tagged with a CVSS score of 6.5, patches a Denial of Service vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. An RFC-enabled function module of the EarlyWatch Alert reporting measures the CPU time of a reference process, and the number of repetitions is controlled by an input parameter. Since this value was not restricted, an attacker could call the function module with a very high value for the parameter. Calling the function module several times in parallel could block all work processes and thus make the system unavailable.

SAP Security Note #3459379, also tagged with a CVSS score of 6.5, describes an Unrestricted File Upload vulnerability in the HTTP service of SAP Document Builder. The service allowed users to upload file attachments without virus scanning. After applying the patch it is strongly recommended to additionally check the system’s virus scan profile settings. Information on how to check these settings can be found in the Manual Activities section of the note.

SAP Security Note #3465129, tagged with a CVSS score of 6.1, patches a Cross-Site Scripting vulnerability in SAP CRM. The ORL detected that insufficient input validation in the WebClient UI allowed an attacker to embed a malicious script into a link. When a victim clicks on this link, the script is executed in the victim's browser, giving the attacker the ability to access and/or modify information and thus impacting the application's confidentiality and integrity. Customers are only affected by this vulnerability if they have previously applied SAP Note #3328365 or are on the equivalent Support Package level of that note.

The ORL team furthermore detected a Missing Authorization Check vulnerability in a remote-enabled function module of SAP Student Life Cycle Management (SLcM). On successful exploitation, attackers could access and edit non-sensitive report variants that are typically restricted. SAP Security Note #3457265, tagged with a CVSS score of 5.4, patches the issue. A switchable authorization check was added to the vulnerable function module in case of an external call.

SAP Security Note #3425571, tagged with a CVSS score of 5.3, patches an Information Disclosure vulnerability in the Guided Procedures component of SAP NetWeaver AS Java. The vulnerability is tracked as CVE-2024-28164 and allowed an unauthenticated user to access non-sensitive information about the server that would otherwise be restricted.

Summary & Conclusions

With only twelve Security Notes, SAP’s June Patch Day represents another calm Patch Day. We are happy that the Onapsis Research Labs could once more significantly contribute to increasing the security of SAP applications. SAP customers can expect much more to come from the ORL in the next few months.

SAP Note | Type | Description | Component | Priority | CVSS
3457592 | New | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | EPM-BFC-TCL | High | 8.1
3460407 | New | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | BC-DWB-JAV-MMR | High | 7.5
3453170 | New | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform | SV-SMG-SDD | Medium | 6.5
3459379 | New | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | CA-GTF-DOB | Medium | 6.5
3466175 | New | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) | FI-FIO-AR-PAY | Medium | 6.5
3465129 | New | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | CA-WUI-UI | Medium | 6.1
3450286 | Update | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-AC | Medium | 6.1
3465455 | New | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | BW4-DM-TRFN | Medium | 5.5
3457265 | New | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM) | IS-HER-CM-AD | Medium | 5.4
3425571 | New | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) | BC-GP | Medium | 5.3
2638217 | Update | Switchable Authorization Checks in Central Finance Infrastructure Components | FI-CF-INF | Low | 3.9
3441817 | New | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) | BI-BIP-PUB | Low | 3.7

As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.

By Thomas Fritsch

Source: Onapsis-Blog

Do you have any questions? Your contact person for D/A/CH

Thomas Fritsch, Onapsis
