
SAP published 10 new and two updated Security Notes for June 2024 Patch Tuesday. Compared to May’s SAP Security Patch Day release, this month’s release contains fewer patches overall, and they are of lower severity. Only two Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), and both are new notes. The rest of the Security Notes in this release are Medium and Low priority. For this blog, we will focus on the two new High Priority Security Notes.

Newly Released High Priority Security Notes

Security Note 3457592 – [CVE-2024-37177] received a CVSS score of 8.1 and addresses “Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation.” This note received the highest CVSS rating in June and patches two Cross-Site Scripting vulnerabilities: 

1. Reflected XSS

SAP Financial Consolidation allows data to enter a web application through an untrusted source. Specifically, these endpoints are exposed over the network and enable the user to manipulate website content. If this vulnerability is left unpatched and is successfully exploited, an attacker can cause a high impact on application confidentiality and integrity.

2. Stored XSS

SAP Financial Consolidation insufficiently encodes user-controlled inputs, resulting in an XSS vulnerability. Specifically, these endpoints are exposed over the network, and exploitation of this vulnerability can affect resources beyond the vulnerable component. If this vulnerability is left unpatched and is successfully exploited, an attacker can cause a limited impact on application confidentiality.

As a solution, SAP properly encoded the URL parameters to prevent a successful XSS attack. Currently, there is no temporary workaround to mitigate this vulnerability.

Security Note 3460407 – [CVE-2024-34688] received a CVSS score of 7.5 and addresses “Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository).” Specifically, due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, threat actors can perform DoS attacks on the application, potentially preventing access for legitimate users. Although this Security Note received a lower CVSS score than the above note, this note likely affects more customer systems since it targets the more relevant SAP NetWeaver AS Java. If this vulnerability is left unpatched and is successfully exploited, there could be a high impact on application availability. As a solution, SAP corrected the code, and the application is now securely configured to prevent unauthorized access. Currently, there is no temporary workaround to mitigate this vulnerability.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the confidentiality, integrity, and availability (CIA) of your business-critical SAP applications. Even if months like June 2024 do not include any critical HotNews notes, it is still crucial to be mindful of lower-severity notes, which can compound over time and expose your organization’s sensitive data without your knowledge. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

  • Vulnerability Management
  • Code Scanning
  • Transport Control
  • Threat Detection and Response
  • Dynamic Access Controls (DAC)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization with timely patch management, reach out and set up a demo today.
