
SAP Patch Day: May 2024

Onapsis Research Labs supported SAP in patching a critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Highlights of May SAP Security Notes analysis include:

  • May Summary: Seventeen new and updated SAP Security Notes released, including three HotNews Notes and one High Priority Note.
  • HotNews Note for SAP CX Commerce: Two vulnerabilities patched, both posing high risks to confidentiality, integrity, and availability of the application.
  • Onapsis Research Labs Contribution: Our team supported SAP in patching one HotNews and two Medium Priority Notes.

SAP has released seventeen SAP Security Notes on its May Patch Day (including the notes that were released or updated since the last Patch Tuesday). These include three HotNews Notes and one High Priority Note.

One of the three HotNews Notes in May is the periodically recurring SAP Security Note #2622660, which patches the latest Chromium vulnerabilities in SAP Business Client. It covers twenty-three Chromium vulnerabilities, including thirteen rated High Priority. SAP has not yet specified the maximum CVSS score of the fixed vulnerabilities.

The New HotNews Notes in Detail

SAP Security Note #3455438, tagged with a CVSS score of 9.8, patches two critical vulnerabilities in SAP Customer Experience (CX) Commerce.

Both vulnerabilities are caused by external libraries used in SAP Commerce Cloud:

  • The Swagger UI library is vulnerable to CVE-2019-17495 (CSS injection), which allows an attacker to use the Relative Path Overwrite (RPO) technique to exfiltrate input field values (for example a CSRF token) via CSS.
  • The Apache Calcite Avatica library, version 1.18.0, is vulnerable to CVE-2022-36364 (remote code execution). The JDBC driver instantiates a class named in a connection property without first checking that the class implements the expected interface, so arbitrary classes on the classpath can be loaded and executed and, in rare cases, remote code execution is possible.

The second vulnerability is tagged with a CVSS score of 8.8 (compared to 9.8 for the first one) because the attacker needs some privileges on the system (CVSS PR:L) for a successful exploit.

SAP Commerce Cloud Patch Release 2205.24 contains the fixed versions of the affected libraries.
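To make the Avatica bug class concrete, here is an added Python illustration (not Apache Calcite Avatica or SAP code) of a driver that instantiates whatever class a connection property names, next to the hardened variant that checks the class against the expected interface before the constructor runs. The property name httpclient_impl follows the public CVE description; the interface, class and classpath names are made up for this example, and the classpath is simulated by a dictionary.

```python
"""Added illustration (Python stand-in, not Apache Calcite Avatica or SAP code)
of the bug class behind CVE-2022-36364: a driver that instantiates a class
named by an attacker-controlled connection property without first checking
that the class implements the interface the caller expects."""
from abc import ABC, abstractmethod

SIDE_EFFECTS = []   # records constructor side effects so they can be observed


class HttpClient(ABC):
    """Interface the driver expects the configured class to implement (assumed name)."""
    @abstractmethod
    def fetch(self, url: str) -> str: ...


class DefaultHttpClient(HttpClient):
    def fetch(self, url: str) -> str:
        return f"GET {url}"


class CleanupTask:
    """Stand-in for an unrelated class on the classpath whose constructor has
    side effects (a 'gadget'). Constructed for this example only."""
    def __init__(self):
        SIDE_EFFECTS.append("CleanupTask ran")


# Stand-in for classpath lookup: fully qualified class name -> class object.
CLASSPATH = {
    "driver.DefaultHttpClient": DefaultHttpClient,
    "maintenance.CleanupTask": CleanupTask,
}


def resolve(fqcn: str) -> type:
    try:
        return CLASSPATH[fqcn]
    except KeyError:
        raise LookupError(f"class not found: {fqcn}") from None


def instantiate_unchecked(fqcn: str):
    """Vulnerable pattern: whatever the property names gets constructed.
    A type error would only surface later, after the constructor already ran."""
    return resolve(fqcn)()


def instantiate_checked(fqcn: str, expected: type):
    """Hardened pattern: verify assignability to the expected interface
    before the constructor runs."""
    cls = resolve(fqcn)
    if not issubclass(cls, expected):
        raise TypeError(f"{fqcn} does not implement {expected.__name__}")
    return cls()


def connect(properties: dict, checked: bool) -> HttpClient:
    """Simulates the driver reading the httpclient_impl connection property."""
    fqcn = properties.get("httpclient_impl", "driver.DefaultHttpClient")
    if checked:
        return instantiate_checked(fqcn, HttpClient)
    return instantiate_unchecked(fqcn)


if __name__ == "__main__":
    attacker_props = {"httpclient_impl": "maintenance.CleanupTask"}
    obj = connect(attacker_props, checked=False)   # gadget constructor runs
    print("unchecked driver built:", type(obj).__name__, SIDE_EFFECTS)
    try:
        connect(attacker_props, checked=True)
    except TypeError as e:
        print("checked driver refused:", e)
```

The point of the check is its position: the interface test has to happen between name resolution and instantiation, because by the time a cast fails the constructor of the attacker-chosen class has already executed.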

SAP Security Note #3448171, tagged with a CVSS score of 9.6, is the second new HotNews Note. It patches a critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.
The Onapsis Research Labs (ORL) detected that due to a missing signature check for two content repositories, an unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow an attacker to completely compromise the system.

Important: The support packages mentioned in the note deliver a secure default configuration, but SAP points out that this default only takes effect on new installations. Administrators of existing systems must therefore apply manual configuration changes after upgrading to the respective support package level. The note refers to knowledge base article #3448453, which was still under maintenance at the time of writing this blog post.
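The following added Python example (not SAP's content repository protocol or code) illustrates what "missing signature check" means for an upload endpoint: the repository accepts a document only if the request carries a valid server-issued signature that covers the repository, document ID and expiry. The parameter names, the HMAC-based scheme and the shared secret are assumptions made for this example.

```python
"""Added illustration (not SAP code) of the control described for Note 3448171:
an upload endpoint that stores a document only after verifying a signature
issued by the application server, so an unauthenticated client cannot plant
files on its own."""
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode

# Shared secret between application server and repository (constructed value).
REPO_SECRET = b"example-secret-do-not-use"
COVERED = ("contRep", "docId", "expires")   # fields the signature protects


def canonical(params: dict) -> bytes:
    """Deterministic serialization of the covered fields."""
    return "&".join(f"{k}={params[k]}" for k in sorted(params)).encode()


def sign_upload(repo: str, doc_id: str, expires: int, secret=REPO_SECRET) -> str:
    """Application server side: issue a signed upload query string."""
    params = {"contRep": repo, "docId": doc_id, "expires": str(expires)}
    sig = hmac.new(secret, canonical(params), hashlib.sha256).hexdigest()
    return urlencode({**params, "sig": sig})


def accept_upload_unchecked(query: str, body: bytes, store: dict) -> bool:
    """Vulnerable repository: stores whatever arrives, signed or not."""
    q = {k: v[0] for k, v in parse_qs(query).items()}
    store[(q["contRep"], q["docId"])] = body
    return True


def accept_upload_checked(query: str, body: bytes, store: dict,
                          now=None, secret=REPO_SECRET) -> bool:
    """Hardened repository: verify signature and expiry before touching
    storage. Returns False on any failure without storing anything."""
    now = int(time.time()) if now is None else now
    q = {k: v[0] for k, v in parse_qs(query).items()}
    try:
        provided = q["sig"]
        covered = {k: q[k] for k in COVERED}
    except KeyError:
        return False          # unsigned or incomplete request
    expected = hmac.new(secret, canonical(covered), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(provided, expected):
        return False          # forged or tampered request
    if now > int(covered["expires"]):
        return False          # replayed after expiry
    store[(covered["contRep"], covered["docId"])] = body
    return True


if __name__ == "__main__":
    unsigned = "contRep=Z1&docId=4711&expires=9999999999"
    print("unchecked:", accept_upload_unchecked(unsigned, b"evil", {}))
    print("checked, unsigned:", accept_upload_checked(unsigned, b"evil", {}))
    print("checked, signed:", accept_upload_checked(sign_upload("Z1", "4711", 2000), b"doc", {}, now=1000))
```

Two details matter beyond the signature itself: the comparison is constant-time (hmac.compare_digest), and the expiry is part of the signed data so a captured valid URL cannot be reused indefinitely.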

The New High Priority Note in Detail

SAP Security Note #3431794, tagged with a CVSS score of 8.1, patches a Cross-Site Scripting vulnerability in SAP BusinessObjects Business Intelligence Platform. Insufficient sanitization of user input allows an attacker to manipulate a parameter in the OpenDocument URL. A successful exploit can have a significant impact on the application's confidentiality and integrity.

Further Contribution of the Onapsis Research Labs

In addition to HotNews Note #3448171, the ORL contributed to fixing two Cross-Site Scripting vulnerabilities, both tagged with a CVSS score of 6.1.

SAP Security Note #3460772 disables the obsolete Document Service handler of the Data Provisioning Service in SAP S/4HANA. Insufficient encoding of user-controlled input makes this handler vulnerable to Cross-Site Scripting (XSS).

The ORL detected another Cross-Site Scripting vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. Due to missing input validation and output encoding of untrusted data, an unauthenticated attacker can inject malicious JavaScript code into a dynamically created web page. A successful exploitation allows reading and modifying sensitive information. SAP Security Note #3450286 provides the required patch that includes proper encoding.

Summary & Conclusions

With seventeen Security Notes, SAP’s May Patch Day is an average one. The Onapsis Research Labs have once more supported SAP in patching three vulnerabilities, including a very critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.

SAP Note  Type    Priority  CVSS  Component         Description
2622660   Update  HotNews   10.0  BC-FES-BUS-DSK    Security updates for the browser control Google Chromium delivered with SAP Business Client
3455438   New     HotNews    9.8  CEC-SCC-PLA-PL    [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce
3448171   New     HotNews    9.6  BC-SRV-KPR-CMS    [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
3431794   New     High       8.1  BI-BIP-INV        [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform
3448445   New     Medium     6.5  BC-SRV-GBT-GOS    [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
3441944   Update  Medium     6.5  KM-SEN-MGR        [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager
3460772   New     Medium     6.1  BC-EIM-ESH        [CVE-2024-33002] Cross-Site Scripting (XSS) vulnerability in SAP S/4HANA (Document Service Handler for DPS)
3450286   New     Medium     6.1  BC-MID-AC         [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
3447467   New     Medium     5.5  FI-TV-ODT-MTR     [CVE-2024-32731] Missing authorization check in SAP My Travel Requests
2745860   Update  Medium     5.3  BC-XI-IBD-INF     Information disclosure in Enterprise Services Repository of SAP Process Integration
3349468   New     Medium     4.9  BC-SYB-REP        [CVE-2024-33008] Memory corruption vulnerability in SAP Replication Server
3449093   New     Medium     4.3  BI-BIP-INV        [CVE-2024-33004] Insecure storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices)
3434666   New     Medium     4.3  FI-FIO-AR-PAY     [Multiple CVEs] Missing authorization checks in SAP S/4HANA (Manage Bank Statement Reprocessing Rules)
2174651   Update  Medium     4.3  BC-XI-IBC         Potential information disclosure relating to PI Integration Directory
1938764   New     Medium     4.2  EHS-SAF-GLM       [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM)
3392049   New     Low        3.5  FIN-FSCM-CLM-BAM  [CVE-2024-33000] Missing authorization check in SAP Bank Account Management
3446076   New     Low        3.5  CA-UI5-SC         [CVE-2024-33007] Client-side script execution vulnerability in SAP UI5 (PDFViewer)

As always, the Onapsis Research Labs has already updated The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.

By Thomas Fritsch

Source: Onapsis-Blog
