
SAP Patch Day: September 2024

SAP Build Apps applications affected by known Node.js vulnerability

Highlights of September SAP Security Notes analysis include:

  • September Summary: Nineteen new and updated SAP security patches released, including updates to one HotNews Note and one High Priority Note
  • Updated Notes: Review of updated notes strongly recommended
  • Onapsis Research Labs Contribution: Our team supported SAP in patching twelve vulnerabilities covered by seven SAP Security Notes

SAP has published nineteen new and updated SAP Security Notes in its September Patch Day, including updates to one HotNews Note and one High Priority Note.

HotNews Note #3479478, tagged with a CVSS score of 9.8, was initially released on SAP’s August Patch Day and patches a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence Platform. The updated note provides workaround instructions for customers who can’t apply the patch immediately. In addition, the validity of the note was extended to release 420 of the Enterprise software component.

High Priority Note #3459935, tagged with a CVSS score of 7.4, patches an Information Disclosure vulnerability in SAP Commerce Cloud. Customers who already applied the patch after its initial release in August should review the note since SAP has updated the fixing version from SAP Commerce Cloud Update Release 2211.27 to SAP Commerce Cloud Update Release 2211.28.

Onapsis Contribution

Once more, the Onapsis Research Labs (ORL) significantly contributed to SAP’s Patch Day. The team supported SAP in patching twelve vulnerabilities, covered by seven SAP Security Notes.

SAP Security Notes #3497347 and #3501359, both tagged with a CVSS score of 6.1, patch Cross-Site Scripting vulnerabilities in eProcurement on S/4HANA and CRM Blueprint Application Builder Panel. Weak encoding and insufficient validation of user-controlled input allow attackers to inject malicious scripts that are executed by unsuspecting users. This gives attackers the ability to access and/or modify information with low impact on confidentiality and integrity.

SAP Security Note #3488341, tagged with a CVSS score of 6.5, patches a Missing Authorization Check vulnerability in SAP Production and Revenue Accounting. A remote-enabled function module of an obsolete application interface allows generic reading of arbitrary table data. SAP has patched the issue by adding an appropriate authorization check. Keeping the function module unpatched could lead to disclosure of highly sensitive data.

SAP Security Note #3488039, tagged with a CVSS score of 5.4, patches six Missing Authorization Check vulnerabilities in various RFC-enabled function modules that can be used to alter the Easy Access menu of legitimate users in a malicious way. Most of the vulnerabilities have a low impact on the integrity and availability of the application; only one affects confidentiality. Nevertheless, one of the vulnerabilities, tracked under CVE-2024-45285, allows a low-privileged attacker to send a crafted request to the vulnerable function module targeting a specific user. That user will no longer have access to any functionality of SAP GUI and will thus experience a total loss of application availability. All vulnerable function modules have been patched by no longer allowing external access.

SAP Security Note #3505293, tagged with a CVSS score of 4.3, patches a Missing Authorization Check vulnerability in SAP for Oil & Gas. Due to the missing authorization check, an attacker with non-administrative user privileges could call a remote-enabled function module which will allow them to delete entries in a user data table. The patch adds an appropriate authorization check.

SAP Security Notes #3481588 and #3481992, both tagged with a CVSS score of 4.3, patch two Information Disclosure vulnerabilities in SAP BW (BEx Analyzer). Due to missing authorization checks, they allow an authenticated attacker to access information over the network which is otherwise restricted.
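The recurring fix in the notes above (#3488341, #3505293 and the BEx Analyzer notes) is an authorization check added in front of a remote-enabled function module. The following is an added illustration, not SAP's or Onapsis' code: a hypothetical RFC-enabled function module Z_DEMO_READ_TABLE that reads arbitrary table rows, the same "generic reading of arbitrary table data" pattern described for #3488341, shown with the AUTHORITY-CHECK that turns the vulnerable module into the patched one. The module name and parameter names are assumptions; S_TABU_NAM is SAP's standard table-access authorization object.

```abap
" Added example (hypothetical RFC-enabled function module, not SAP's code).
" Vulnerable version: the dynamic SELECT below ran for any caller with RFC
" access. Patched version: the AUTHORITY-CHECK at the top is the whole fix.
FUNCTION z_demo_read_table.
*"  IMPORTING  VALUE(iv_tabname) TYPE tabname
*"  EXPORTING  VALUE(et_rows)    TYPE string_table
*"  EXCEPTIONS not_authorized
*"             invalid_table
  " 1. Check on the standard object S_TABU_NAM: the RFC caller needs
  "    display (ACTVT 03) rights for exactly this table name.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'TABLE' FIELD iv_tabname
    ID 'ACTVT' FIELD '03'.
  IF sy-subrc <> 0.
    " A classical exception returns a clear error to the RFC caller
    " instead of silently handing over the data.
    RAISE not_authorized.
  ENDIF.

  " 2. Only after the check is the table read. This part is unchanged
  "    from the vulnerable version.
  DATA lr_table TYPE REF TO data.
  FIELD-SYMBOLS <lt_table> TYPE STANDARD TABLE.
  TRY.
      CREATE DATA lr_table TYPE STANDARD TABLE OF (iv_tabname).
    CATCH cx_sy_create_data_error.
      RAISE invalid_table.
  ENDTRY.
  ASSIGN lr_table->* TO <lt_table>.
  SELECT * FROM (iv_tabname) UP TO 100 ROWS INTO TABLE @<lt_table>.

  " Flatten each (flat) row into a pipe-separated string for the caller.
  DATA lv_line TYPE string.
  LOOP AT <lt_table> ASSIGNING FIELD-SYMBOL(<ls_row>).
    CLEAR lv_line.
    DO.
      ASSIGN COMPONENT sy-index OF STRUCTURE <ls_row>
        TO FIELD-SYMBOL(<lv_field>).
      IF sy-subrc <> 0.
        EXIT.
      ENDIF.
      lv_line = |{ lv_line }{ <lv_field> }\||.
    ENDDO.
    APPEND lv_line TO et_rows.
  ENDLOOP.
ENDFUNCTION.
```

The check only protects callers who reach the module; as #3488039 shows, the other remedy is to remove remote access from function modules that do not need it at all.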

Summary & Conclusions

With no new HotNews and no new High Priority Notes, SAP’s September Patch Day represents another calm Patch Day. A significant number of the SAP Security Notes patch Missing Authorization Check vulnerabilities in RFC-enabled function modules. It is with great pleasure that the Onapsis Research Labs have been able to contribute to the identification of a significant number of these vulnerabilities.

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 3479478 | Update | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | HotNews | 9.8 |
| 3459935 | Update | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | CEC-COM-CPS-COR | High | 7.4 |
| 3488341 | New | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) | IS-OIL-PRA-REV-OW | Medium | 6.5 |
| 3495876 | Update | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | BC-SYB-REP | Medium | 6.5 |
| 3501359 | New | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | CA-GTF-PCF | Medium | 6.1 |
| 3497347 | New | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA | MM-PUR-SSP | Medium | 6.1 |
| 3477359 | New | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | BC-JAS-SEC-DST | Medium | 6.0 |
| 3430336 | New | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud | CEC-SCC-PLA-PL | Medium | 5.9 |
| 3425287 | New | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform | BI-RA-WBI-BE | Medium | 5.8 |
| 3488039 | New | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-DWB-SEM | Medium | 5.4 |
| 3505503 | New | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) | BC-JAS-SEC-LGN | Medium | 4.8 |
| 3498221 | New | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | BC-PIN-PCD | Medium | 4.7 |
| 3505293 | New | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) | IS-OIL-DS-TD | Medium | 4.3 |
| 3481992 | New | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | BW-BEX-ET-WB-7X | Medium | 4.3 |
| 3481588 | New | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | BW-BEX-ET-WB-7X | Medium | 4.3 |
| 3437585 | New | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) | FI-LOC-SRF-RUN | Medium | 4.3 |
| 2256627 | New | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) | IS-HER-CM | Low | 2.7 |
| 3496410 | New | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-DWB-TOO-ABA | Low | 2.7 |
| 3507252 | New | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | BC-ABA-LA | Low | 2.0 |
SAP Security Notes Table – September 2024

As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our Defenders Digest Newsletter.

By Thomas Fritsch

Source: Onapsis-Blog
