SAP published thirteen new and four updated Security Notes for May 2024 Patch Tuesday. Compared to April’s SAP Security Patch Day release, this month’s release contains more patches overall and with higher severity. Three Security Notes received the HotNews maximum priority rating (CVSS scores ranging from 9.0 to 10.0). Two of the HotNews notes are new, and one is an update to a previously released note. Additionally, one new Security Note received the High Priority designation (CVSS scores ranging from 7.0 to 8.9). For this blog, we will focus on these four most critical Security Notes.
Security Note 3455438 – [CVE-2019-17495] received a CVSS score of 9.8 and addresses “Multiple vulnerabilities in SAP CX Commerce.” Specifically, this Security Note addresses two vulnerabilities identified in CX Commerce:
1. CSS Injection Vulnerability
SAP CX Commerce utilizes the Swagger UI, which is vulnerable to CVE-2019-17495 (CSS Injection). This vulnerability is tagged with a CVSS score of 9.8 and enables potential attackers to perform a Relative Path Overwrite (RPO) technique in CSS-based input fields. If this vulnerability is left unpatched and successfully exploited, it poses high risks to application confidentiality, integrity, and availability.
2. Remote Code Execution
SAP CX Commerce using Apache Calcite Avatica version 1.18.0 is vulnerable to CVE-2022-36364 (Remote Code Execution) due to improper initialization. The Apache Calcite Avatica JDBC driver creates HTTP client instances based on class names provided by the ‘httpclient_impl’ connection property. The JDBC driver of this library does not verify if the class implements the expected interface before instantiating it. If this vulnerability is left unpatched and is successfully exploited, it can lead to code execution loaded via arbitrary classes and in rare cases remote code execution. This vulnerability is tagged with a CVSS score of 8.8. This CVSS score is lower than the above CSS Injection Vulnerability because an attacker requires a minimum set of privileges for successful exploit. SAP Commerce Cloud Patch Release 2205.24 provides the fixed versions for both affected libraries. Currently, there is no temporary workaround to mitigate this vulnerability.
Security Note 3448171 – [CVE-2024-33006] received a CVSS score of 9.6 and addresses a “File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.” Due to a missing signature check for two content repositories, “FILESYSTEM” and “SOMU_DB”, an unauthenticated attacker can upload a malicious file to the server which when accessed by a victim can allow the attacker to completely compromise the system. SAP provides a secure default configuration with the support packages in the note. However, this configuration is only for the new installation, meaning that administrators are required to apply manual configuration changes after upgrade or update to the version mentioned in this SAP Note. Please refer to SAP Note 3448453 for more details. As a temporary workaround to mitigate this vulnerability, SAP advises customers to follow these steps:
1. Execute Transaction ‘OAC0’
2. Open the content repository ‘FILESYSTEM’ for all releases.
3. Change the Version Number to ‘0047’ (Content Server Version 4.7)
4. Uncheck the checkbox “No Signature”
5. Save the settings.
6. Execute Transaction ‘OAC0’
7. Open the content repository ‘SOMU_DB’ in case of release 7.50 or higher.
8. Change the Version Number to ‘0047’ (Content Server Version 4.7)
9. Uncheck the checkbox “No Signature”
10. Save the settings.
Security Note 2622660 is a regularly recurring patch and provides “Security updates for the browser control Google Chromium delivered with SAP Business Client”. This security note addresses numerous vulnerabilities in the 3rd party web browser control Chromium. Specifically, if the SAP business client release is not updated to the latest patch level, displaying web pages in SAP Business Client may lead vulnerabilities related to memory corruption and Information Disclosure, among others. Identified impacts of these vulnerabilities include:
This month’s release patches twenty-three Chromium vulnerabilities, including thirteen High Priority patches. The maximum CVSS score of all fixed vulnerabilities is not specified yet by SAP.
This Security Note was first released in April 2018 and has been continuously updated since then. Since this patch is recurring almost monthly as a HotNews Security Note, organizations may not feel the need to inspect and address this monthly note. However, if SAP Business Client is a relevant application within your SAP landscape, it is crucial to closely monitor and inspect this note each month for any important updates.
Security Note 3431794 – [CVE-2024-28165] received a CVSS score of 8.1 and addresses a “Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform.” The platform is vulnerable to stored XSS, allowing a potential attacker to manipulate a parameter in the Opendocument URL. If this vulnerability is left unpatched and successfully exploited, there could be a high impact on application confidentiality and integrity. As a solution, SAP sanitized the user input parameter in the Opendocument URL. Currently, there is no temporary workaround to mitigate this vulnerability.
Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.
Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.
Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:
Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.
To see how Pathlock can help your organization with timely Patch Management, reach out to set up a demo today.
Share
SAP published 16 new and two updated Security Notes for Jul...
SAP published 10 new and two updated Security Notes for Jun...
In July 2023, the U.S. Securities and Exchange Co...
Many organizations focus on external threats when it comes ...