Navigating SAP Security Notes: July 2024 Patch Tuesday

SAP published 16 new and two updated Security Notes for July 2024 Patch Tuesday. Compared to June’s SAP Security Patch Day release, this month’s release contains more patches overall but with similarly low severity. Only two Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), and both are new notes. The rest of the Security Notes in this release are Medium and Low priority. For this blog, we will focus on the two new High Priority Security Notes.

Newly Released High Priority Security Notes

Security Note 3483344 – [CVE-2024-39592] received a CVSS score of 7.7 and addresses a “Missing Authorization check in SAP PDCE.” This is the most critical patch in this month’s release. Specifically, there is a missing authorization check vulnerability for authenticated users within elements of SAP Product Design Cost Estimating (SAP PDCE), resulting in the escalation of privileges. If this vulnerability is left unpatched and is successfully exploited, an attacker could read sensitive information and cause a high impact on application confidentiality. As a solution, this patch deactivates the vulnerable function module and adequately restricts access. Currently, there is no temporary workaround to mitigate this vulnerability.

Security Note 3490515 – [CVE-2024-39597] received a CVSS score of 7.2 and addresses “Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce.” Specifically, an attacker can misuse the forgotten password functionality to a site for which early login and registration is activated without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. If this vulnerability is left unpatched and is successfully exploited, there is the potential for a low impact on application confidentiality and integrity with no impact on application availability. As a solution, SAP Commerce Cloud addresses this vulnerability by no longer sending password reset emails if the customer requesting a password reset was not approved beforehand by the merchant. As a temporary workaround, SAP outlines these Manual Remediation Steps:

• If Early Login is enabled on an isolated Composable Storefront B2B sites, disable Registration on the same site.
• If Early Login is enabled on one of multiple non-isolated Composable Storefront B2B sites, disable registration for all non-isolated sites.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. Even if months like July 2024 do not include any critical HotNews notes, it is still crucial to be mindful of lower severity notes that could compound over time and unknowingly expose your organization’s sensitive data. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability Management
• Code Scanning
• Transport Control
• Threat Detection and Response
• Dynamic Access Controls (DAC)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization with timely patch management, reach out and set up a demo today.