Navigating SAP Security Notes: August 2024 Patch Tuesday
SAP published 17 new and eight updated Security Notes for August 2024 Patch Tuesday. Compared to July’s SAP Security Patch Day release, this month’s release contains more patches overall and at higher severities. Two security notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0), and both are new notes. Additionally, four security notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9): three are new notes and one is an updated note. In this blog, we focus on the four most critical Security Notes, two with a HotNews rating and two with a High Priority rating.
Newly Released HotNews Security Notes
Security Note 3479478 – [CVE-2024-41730] received a CVSS score of 9.8 and addresses a “Missing Authorization check in SAP BusinessObjects Business Intelligence Platform.” This is the most critical patch in this month’s release. Specifically, if single sign-on (SSO) is enabled on enterprise authentication in SAP BusinessObjects Business Intelligence Platform, an unauthorized user can obtain a logon token using a REST endpoint. If this Denial-of-Service vulnerability is left unpatched and is successfully exploited, an attacker could compromise the system, potentially resulting in a high impact on system confidentiality, integrity, and availability. As a solution, SAP has now made the configuration of the SSO enterprise authentication secure by default. Currently, there is no temporary workaround to mitigate this vulnerability.
Security Note 3477196 – [CVE-2024-29415] received a CVSS score of 9.1 and addresses a “Server-Side Request Forgery vulnerability in applications built with SAP Build Apps.” Specifically, SAP Build Apps are vulnerable to this CVE due to the use of an older version of the Node.js library. If this vulnerability is left unpatched and is successfully exploited, there is a high risk to application confidentiality and integrity but no impact on availability. As a solution, SAP recommends rebuilding the application(s) in SAP Build Apps with version 4.11.130 or later. Currently, there is no temporary workaround to mitigate this vulnerability.
Newly Released High Priority Security Notes
Security Note 3485284 – [CVE-2024-42374] received a CVSS score of 8.2 and addresses an “XML injection in SAP BEx Web Java Runtime Export Web Service.” Specifically, BEx Web Java Runtime Export Web Service insufficiently validates XML documents accepted from an untrusted source. This enables an attacker to retrieve information from the SAP ADS system and to exhaust the available XMLForm services, which makes SAP ADS rendering (PDF creation) unavailable. If this vulnerability is left unpatched and is successfully exploited, application confidentiality and availability could be impacted. As a solution, SAP updated the XML parser to validate incoming XML documents for this issue. Currently, there is no temporary workaround to mitigate this vulnerability.
Security Note 3459935 – [CVE-2024-33003] received a CVSS score of 7.4 and addresses an “Information Disclosure Vulnerability in SAP Commerce Cloud.” Specifically, some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. Since URL parameters are exposed in request logs, transmission of sensitive data through query or path parameters is vulnerable to data leakage. If this vulnerability is left unpatched and is successfully exploited, there could be a high impact on application confidentiality and integrity.
As a solution, SAP Commerce Cloud addresses this vulnerability by providing new variants of the affected OCC API endpoints. These new API endpoints pass confidential data through request body parameters only. SAP Commerce Cloud also deprecates the old, vulnerable OCC API endpoints. SAP outlines steps that customers who cannot upgrade to the latest patch releases of SAP Commerce Cloud can take to implement a temporary workaround to mitigate this vulnerability. Please see Security Note 3459935 for specific details on how to implement this workaround. SAP advises customers to implement the patch in this security note to eliminate the vulnerability and to only use the workaround temporarily if necessary.
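As an added example (not code from this post, from SAP, or from Pathlock), the following Python script illustrates how a defender can detect the exposure pattern described above by scanning web-server access-log lines for sensitive values passed as URL query or path parameters. The log lines, OCC-style paths, and parameter names are constructed assumptions for illustration, not SAP's actual endpoint definitions; the last line shows the post-fix pattern, where confidential data travels in the request body and therefore never reaches the request log.

```python
"""Added example: flag PII sent as URL query or path parameters in access logs.
Not part of the original post; paths and parameter names are constructed."""
import re
from urllib.parse import urlsplit, parse_qsl

# Parameter names treated as sensitive (assumed spellings based on the
# data classes the post lists: passwords, emails, mobiles, coupons, vouchers).
SENSITIVE_PARAMS = {"password", "oldpassword", "newpassword", "email",
                    "mobile", "mobilenumber", "couponcode", "couponid",
                    "vouchercode", "voucherid"}
# Matches an e-mail address used as a whole path segment.
EMAIL_RE = re.compile(r"^[^@/\s]+@[^@/\s]+\.[^@/\s]+$")
# Common log format: the quoted request field holds method, URL and protocol.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+"')


def find_pii_in_request(line):
    """Return a list of (location, name) findings for one access-log line."""
    m = REQUEST_RE.search(line)
    if not m:
        return []
    parts = urlsplit(m.group("url"))
    findings = []
    # Query parameters are logged verbatim, so a sensitive name is a leak.
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            findings.append(("query", name))
    # Path parameters are logged too; detect e-mail addresses in the path.
    for segment in parts.path.split("/"):
        if EMAIL_RE.match(segment):
            findings.append(("path", "email"))
    return findings


def scan_log(lines):
    """Map line index -> findings for every line that leaks sensitive data."""
    report = {}
    for i, line in enumerate(lines):
        findings = find_pii_in_request(line)
        if findings:
            report[i] = findings
    return report


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.0.5 - - [13/Aug/2024:10:01:02 +0000] "POST /occ/v2/site/users/current/password?old=x&newPassword=s3cret HTTP/1.1" 200 12',
    '10.0.0.5 - - [13/Aug/2024:10:01:03 +0000] "GET /occ/v2/site/users/jane.doe@example.com/addresses HTTP/1.1" 200 455',
    '10.0.0.7 - - [13/Aug/2024:10:01:04 +0000] "POST /occ/v2/site/users/current/carts/0001/vouchers?voucherId=SUMMER24 HTTP/1.1" 200 8',
    '10.0.0.9 - - [13/Aug/2024:10:01:05 +0000] "POST /occ/v2/site/users/current/password HTTP/1.1" 202 0',
]
```

Running `scan_log(SAMPLE_LOG)` flags the first three lines and leaves the fourth (body-only request) clean, which is the behaviour the new OCC endpoint variants are meant to produce in logs.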
The Importance of Proactive and Timely Patching
Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the confidentiality, integrity, and availability (the CIA triad) of your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.
How Pathlock Can Help
Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.
Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:
- Vulnerability Management
- Code Scanning
- Transport Control
- Threat Detection and Response
- Dynamic Access Controls (DAC)
Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.
To see how Pathlock can help your organization with timely patch management, reach out and set up a demo today.