Navigating SAP Security Notes: January 2024 Patch Tuesday

SAP published two HotNews and four High Priority security notes for January 2024 Patch Tuesday. Compared to December’s 2023 SAP Security Patch Day releases, the number of HotNews Security Notes remains constant. Overall, three notes received a CVSS Score of 8.4 and above. 

Newly Released HotNews Security Notes

Security Note 3413475 – [CVE-2023-49583, CVE-2023-50422] received a CVSS score of 9.1 and addresses “Escalation of Privileges in SAP Edge Integration Cell.” Under specific circumstances, the SAP Edge Integration Cell, which utilizes SAP BTP Security Services Integration Libraries and Programming Infrastructures, exhibits a flaw that enables privilege escalation. This impacts SAP Edge Integration Cell 8.9.12 or earlier. SAP Edge Integration Cell version 8.9.13 addresses the identified issue. To mitigate this vulnerability, please upgrade your SAP Edge Integration Cell solution to the latest version (A good reference source is the Upgrade Guide by SAP).   

Security Note 3412456 – [CVE-2023-49583] received a CVSS score of 9.1 and addresses “Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA.” Node.js applications developed using the specified platforms and intended for deployment to the SAP BTP or Cloud Foundry environment are susceptible to vulnerability CVE-2023-49583. Applications that rely on outdated versions of the @sap/xssec library (earlier than 3.6.0) and the @sap/approuter library (earlier than 14.4.2) are affected by this vulnerability. To mitigate the vulnerability, it is imperative to update the node.js application’s dependencies to the most recent versions of the @sap/approuter and @sap/xssec libraries. 

Newly Released High Priority Security Note

Security Note 3411869 – [CVE-2024-21737] received a CVSS score of 8.4 and addresses “Code Injection vulnerability in SAP Application Interface Framework (File Adapter).” In the SAP Application Interface Framework File Adapter, a privileged user can exploit a function module to bypass security controls and gain direct access to the underlying operating system. This enables them to execute unauthorized commands, potentially altering the application’s behavior and causing significant security breaches that compromise confidentiality, integrity, and availability. The feature of creating new paths was previously enabled and was vulnerable to exploitation.   

To address this issue, implement the correction instruction included in the note or install the corresponding Support Package. This vulnerability is specific to lower versions of Application Interface Framework 3.0. Upgrading to version 4.0 or higher eliminates this vulnerability.

Security Note 3407617 – [CVE-2024-21735] received a CVSS score of 7.3 and addresses “Improper Authorization check in SAP LT Replication Server.” The SAP LT Replication Server does not execute necessary authorization checks. This could allow an attacker with high privileges to perform unauthorized actions, potentially increasing their privileges. This significantly impacts the confidentiality, integrity, and availability of the system. Affected versions of the SAP LT Replication Server are running on SAP S/4HANA 1809 throughout 2023.   

This issue can be mitigated by applying the necessary updates described in the note to the SAP LT Replication Server system in line with the manual correction guidelines.

Security Note 3386378 – [CVE-2024-22125] received a CVSS score of 7.4 and addresses “Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge).” Under specific circumstances, the Microsoft Edge browser extension known as SAP GUI connector for Microsoft Edge exposes highly sensitive data that should be confidential, posing a significant threat to confidentiality.  

To overcome this flaw, stricter conditions have been implemented to ensure that headers are only attached to specific request URLs, and the header cleaning code has been enhanced for greater precision. Therefore, install the latest version of the “SAP GUI connector for Microsoft Edge” extension, version 3.0, from the Microsoft Add-ons Store. Current versions of Microsoft Edge (118.x and 119.x) will automatically update the extension when Edge is launched and the Microsoft Edge Extension store is accessible.

Security Note 3389917 – [CVE-2023-44487] received a CVSS score of 7.5 and addresses “Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform.” Unauthenticated users can exploit a vulnerability in SAP Web Dispatcher, SAP NetWeaver Application Server ABAP, and ABAP Platform to launch a denial-of-service (DoS) attack over the network by flooding the system with a large number of HTTP/2 requests and then cancel them abruptly. This can lead to memory exhaustion and significantly impact the application’s availability. However, the confidentiality and integrity of the application remain unaffected. The vulnerability affects the standalone SAP Web Dispatcher, SAP Web Dispatcher embedded in the ASCS instance, and Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. The issue exclusively impacts the HTTP/2 protocol, leaving HTTP/1 unaffected. 

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into the most urgent patches, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability and Code Scanning
• Threat Detection and Response
• Transport Control
• Dynamic Data Masking
• Session Logging and Data Loss Prevention (DLP)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization, reach out to set up a demo today.