Navigating SAP Security Notes: March 2024 Patch Tuesday

SAP published ten new and two updated Security Notes for March 2024 Patch Tuesday. Compared to February’s SAP Security Patch Day release, this month’s release contains a similar number of patches but with more HotNews notes and fewer High Priority notes. Three Security Notes received the HotNews maximum severity rating (CVSS scores ranging from 9.0 to 10.0). Two of the HotNews notes are new, and one is an update to a previously released note.

Additionally, three Security Notes received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), two of them new notes and one an update to a previously released note. For this blog, we will focus on the six most critical Security Notes: three with a HotNews rating and three with a High Priority rating.

Newly Released HotNews Security Notes

Security Note 3425274 – [CVE-2019-10744] received a CVSS score of 9.4 and addresses a “Code Injection vulnerability in applications built with SAP Build Apps.” Specifically, this code injection vulnerability enables threat actors to run unauthorized commands on SAP applications built with SAP Build Apps versions lower than 4.9.145. If this vulnerability is left unpatched and is successfully exploited, there is the potential for a low impact on system confidentiality and a high impact on system integrity and availability. As a solution, SAP advises customers to rebuild relevant applications in SAP Build Apps with version 4.9.145 or later. Currently, there is no temporary workaround to mitigate this vulnerability.

Security Note 3433192 – [CVE-2024-22127] received a CVSS score of 9.1 and addresses a “Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in).” Specifically, the Administrator Log Viewer plug-in of SAP NetWeaver AS Java allows an attacker with escalated privileges to upload potentially dangerous files, which could lead to a command injection vulnerability. This vulnerability exists due to the incomplete list of prohibited file types for the upload functionality of the Log Viewer plug-in. If this vulnerability is left unpatched and is successfully exploited, an attacker can run malicious commands, which would cause a high impact on application confidentiality, integrity, and availability.

As a solution, this Security Note provides an extended list of prohibited file types. As an additional security measure, SAP recommends that customers activate virus scanning for file uploads. As a temporary workaround, SAP advises customers to “Access NetWeaver Administrator using ‘NWA_READONLY’ user role instead of ‘Administrators’ user role.” This workaround is not a permanent fix for this vulnerability.

Updated HotNews Security Note

Security Note 2622660 is a regularly recurring patch. It provides “Security updates for the browser control Google Chromium delivered with SAP Business Client.” This security note addresses numerous vulnerabilities in the 3rd party web browser control Chromium. Specifically, if the SAP business client release is not updated to the latest patch level, displaying web pages in SAP Business Client may lead to vulnerabilities related to memory corruption and Information Disclosure, among others. Identified impacts of these vulnerabilities include:

• System information disclosure or even system crash in worst-case scenarios.
• Potential direct impacts on system confidentiality, availability, and integrity.
• Exfiltrated information can be leveraged to initiate other attacks, with potentially severe and compounding consequences.

This month’s update is the 45th update to this Security Note and includes revised ‘Solution’ and ‘Support Packages & Patches’ information. Specifically, this patch remediates twenty-nine chromium vulnerabilities in total, including two Critical and fifteen High Priority vulnerabilities. The maximum CVSS score of all fixed vulnerabilities is 9.8.

This Security Note was first released in April 2018 and has been continuously updated since then. Since this patch is recurring almost monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.

Newly Released High Priority Security Notes

Security Note 3414195 – [CVE-2023-50146] received a CVSS score of 7.2 and addresses a “Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console).” Specifically, the platform’s Central Management Console uses a vulnerable version of Apache Struts. If this vulnerability is left unpatched and is successfully exploited, users with high privileges could cause a high impact on application confidentiality, integrity, and availability.

Security Note 3410615 – [CVE-2023-44487] received a CVSS score of 7.5 and addresses a “Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced.” Specifically, SAP HANA XS Classic and HANA XS Advanced allow unauthenticated users to perform a DOS attack on the network by extending many HTTP/2 requests and then canceling them. This affects the SAP Web Dispatcher if utilized in SAP HANA 2.0 and only affects the HTTP/2 protocol. This attack may lead to flooding the memory. If this vulnerability is left unpatched and is successfully exploited, there could be a high impact on application availability. There is no impact on application confidentiality or integrity. As a temporary workaround, SAP advises customers to disable HTTP/2. This workaround is not a permanent fix for this vulnerability.

Updated High Priority Security Note

Security Note 3346500 – [CVE-2023-39439] received a CVSS score of 8.8 and addresses “Improper authentication in SAP Commerce Cloud.” Specifically, certain configurations of SAP Commerce Cloud may accept an empty passphrase for user ID and passphrase authentication, allowing users to log into the system without a passphrase. If both of the following conditions are met, SAP Commerce Cloud will enable users to authenticate with an empty passphrase:

• The value of the “user.password.acceptEmpty” configuration property is set to “true,” which is the default value.
• An active user account with an empty passphrase exists.

Additionally, SAP Commerce Cloud may create user accounts with an empty passphrase under the following circumstances:

• Any SAP Commerce extension (including custom extensions) creates a new user without explicitly setting the passphrase field.
• Any SAP Commerce extension (including custom extensions) changes the passphrase field of a user to null, an empty string, a passphrase hash based on an empty string, or similar values.
• An administrative user creates or changes a user’s passphrase field as described above.

This vulnerability does not affect user accounts that have a valid passphrase set. SAP Commercial Cloud customers should refer to the above Security Note 3346500 for various solutions and workaround details.

The Importance of Proactive and Timely Patching

Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.

How Pathlock Can Help

Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.

Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:

• Vulnerability Management
• Code Scanning
• Transport Control
• Threat Detection and Response
• Dynamic Access Controls (DAC)

Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.

To see how Pathlock can help your organization with timely patch management, schedule a demo today.