Navigating SAP Security Notes: April 2024 Patch Tuesday

SAP published ten new and two updated Security Notes for April 2024 Patch Tuesday. Compared to March’s SAP Security Patch Day release, this month’s release contains the same number of patches. However, there are no HotNews notes for April. Although there are no new HotNews notes, this month’s release includes some very important updates. Three Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), with all three being new notes. For this blog, we will focus on these three new High Priority notes.

Newly Released High Priority Security Notes

Security Note 3434839 – [CVE-2024-27899] received a CVSS score of 8.8 and addresses a “Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine.” The ‘Self-Registration’ and ‘Modify your own profile’ features of the User Management Engine do not enforce proper security requirements for the content of newly defined security answers. Specifically, either of the above features lacks proper password requirements and allows for the creation of weak passwords that can be cracked with a brute-force attack method. If this vulnerability is left unpatched and successfully exploited, there is risk of high impact to system confidentiality and a low impact to system integrity and availability.

Since both the ‘Self-Registration’ and ‘Modify your own profile’ features are disabled by default, this security vulnerability is a programming-related issue rather than a configuration issue. As a solution, SAP applied the proper user password requirements for the two features. As a temporary workaround, SAP advises that the ‘Self Registration’ and ‘Modify your own profile’ features can be disabled. Regardless of whether you have these features enabled or not, Pathlock suggests applying this patch so that no related vulnerabilities emerge unknowingly if these features are enabled in the future.

Security Note 3421384 – [CVE-2024-25646] received a CVSS score of 7.7 and addresses an “Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence.” Due to improper validation, SAP BusinessObjects Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using Excel documents. Specifically, The Excel Data Access Service lacks sufficient security validation when uploading Excel files. If this vulnerability is left unpatched and is exploited, sensitive data could be accessible and read by authenticated attackers, potentially resulting in a high impact on the application’s confidentiality. As a temporary workaround, the Excel Data Access Service can be removed from all Adaptative Processing Servers. This is not a permanent solution for this vulnerability, and you should apply this patch to ensure that the sensitive Excel file is not exposed.

Security Note 3438234 – [CVE-2024-27901] received a CVSS score of 7.2 and addresses a “Directory Traversal vulnerability in SAP Asset Accounting.” This program error leads to a path traversal vulnerability and could allow an attacker with high privileges to exploit insufficient security validation of path information provided by users and pass it through to the file APIs. If this vulnerability is left unpatched and is exploited, there will be a high impact on application confidentiality, integrity, and availability. As a solution, the program RAALTE00 is disabled once the patch is implemented and the program RAALTD01 now correctly verifies the path information provided by the user against the logical filenames FI_AA_DATA_TAKEOVER_INPUT and FI_AA_DATA_TAKEOVER_ERROR. As a temporary workaround, SAP suggests assigning an authorization group to programs RAALTE00 and RAATLD01 to ensure that the programs cannot be executed by anyone without special privileges. Please note that this does not actually patch the path traversal vulnerability.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. Even if months like April 2024 do not include any critical HotNews notes, it is still crucial to be mindful of lower severity notes that could compound over time and unknowingly expose your organization’s sensitive data. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability Management
• Code Scanning
• Transport Control
• Threat Detection and Response
• Dynamic Access Controls (DAC)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization with timely patch management, schedule a demo today.