Navigating SAP Security Notes: September 2024 Patch Tuesday
SAP published 16 new and three updated Security Notes for September 2024 Patch Tuesday. Compared to August’s SAP Security Patch Day release, this month’s release contains fewer patches overall and with lower severity. One security note received the HotNews maximum severity rating (CVSS scores ranging from 9.0 to 10.0), which is an update to the note that was originally released in August’s Patch Tuesday. Additionally, one security note received the High Priority designation (CVSS scores ranging from 7.0 to 8.9), which is also an update to the note that was originally released in August. All other notes in this month’s release received the medium or low severity designation. For this blog, we will focus on the two updated higher severity notes, as well as the four most critical new Medium Priority Security Notes (all exceeding CVSS scores of 6.0).
Updated HotNews Security Note
Security Note 3479478 – [CVE-2024-41730] received a CVSS score of 9.8 and addresses a “Missing Authorization check in SAP BusinessObjects Business Intelligence Platform.” This is the most critical patch in this month’s release. Specifically, if single sign-on (SSO) is enabled on enterprise authentication in SAP BusinessObjects Business Intelligence Platform, an unauthorized user can obtain a logon token using a REST endpoint. If this Denial-of-Service vulnerability is left unpatched and is successfully exploited, an attacker could compromise the system, potentially resulting in a high impact on system confidentiality, integrity, and availability. As a solution, SAP has now made the configuration of the SSO enterprise authentication secure by default.
This month’s update to this note provides workaround instructions for customers who may not be able to implement the patch immediately. The note also has updated validity information.
Updated High Priority Security Note
Security Note 3459935 – [CVE-2024-33003] received a CVSS score of 7.4 and addresses an “Information Disclosure Vulnerability in SAP Commerce Cloud.” Specifically, some OCC API endpoints in SAP Commerce Cloud allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. Since URL parameters are exposed in request logs, transmission of sensitive data through query or path parameters is vulnerable to data leakage. If this vulnerability is left unpatched and is successfully exploited, there could be a high impact on application confidentiality and integrity. As a solution, SAP Commerce Cloud addresses this vulnerability by providing new variants of the affected OCC API endpoints. These new API endpoints pass confidential data through request body parameters only. SAP Commerce Cloud also deprecates the old, vulnerable OCC API endpoints. SAP outlines steps that customers who cannot upgrade to the latest patch releases of SAP Commerce Cloud can take to implement a temporary workaround to mitigate this vulnerability.
Please see Security Note 3459935 for specific details on how to implement this workaround. SAP advises customers to implement the patch in this security note to eliminate the vulnerability and to only use the workaround temporarily if necessary.
This month’s update to this note includes updated solution information, since SAP Commerce Cloud Update Release 2211.28 is the latest release and contains all of the fixes.
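The reason this note matters to Basis and SOC teams is the one sentence about request logs: anything placed in a query string or path segment is written, in clear text, to every access log, proxy log and SIEM index along the way. The following script is an added example, not SAP code and not part of this post’s original content. It scans access-log lines in a common-log-like format, flags requests whose URL carries a sensitive parameter name or an email-shaped path segment, and produces a redacted copy of the request target for safe retention. The endpoint paths, the parameter list and the four log lines are constructed for illustration; the real affected OCC endpoints are listed in Security Note 3459935.

```python
"""Detect and redact PII that reaches access logs through URL parameters.

Added example, not SAP code. Endpoint paths, parameter names and the
sample log lines are constructed for illustration only.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names treated as sensitive (assumption: an illustrative list;
# a real deployment would derive this from the API specification).
SENSITIVE_PARAMS = {
    "password", "pwd", "email", "mobile", "couponcode", "vouchercode", "token",
}

# Constructed access-log lines; not real traffic.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Sep/2024:10:01:02 +0000] "POST /occ/v2/users/current/password?password=Secret1 HTTP/1.1" 200 12
10.0.0.6 - - [10/Sep/2024:10:01:03 +0000] "GET /occ/v2/products/search?query=shoes HTTP/1.1" 200 4096
10.0.0.7 - - [10/Sep/2024:10:01:04 +0000] "POST /occ/v2/users/current/carts/0001/vouchers?voucherCode=SAVE20 HTTP/1.1" 200 33
10.0.0.8 - - [10/Sep/2024:10:01:05 +0000] "GET /occ/v2/users/alice@example.com/addresses HTTP/1.1" 200 512
"""

# Pulls the method and request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# An email-shaped path segment, used to spot PII passed as a path parameter.
EMAIL_RE = re.compile(r"^[^/@\s]+@[^/@\s]+\.[^/@\s]+$")


def find_leaks(target):
    """Return (location, name) pairs for sensitive data in the request target."""
    parts = urlsplit(target)
    leaks = []
    for name, _value in parse_qsl(parts.query, keep_blank_values=True):
        if name.lower() in SENSITIVE_PARAMS:
            leaks.append(("query", name))
    for segment in parts.path.split("/"):
        if EMAIL_RE.match(segment):
            leaks.append(("path", segment))
    return leaks


def redact(target):
    """Return the target with sensitive query values and email path segments masked."""
    parts = urlsplit(target)
    query = [
        (name, "REDACTED" if name.lower() in SENSITIVE_PARAMS else value)
        for name, value in parse_qsl(parts.query, keep_blank_values=True)
    ]
    path = "/".join(
        "REDACTED" if EMAIL_RE.match(seg) else seg for seg in parts.path.split("/")
    )
    return urlunsplit((parts.scheme, parts.netloc, path, urlencode(query), parts.fragment))


def scan_log(text):
    """Return (line_no, method, redacted_target, leaks) for every leaking request."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        leaks = find_leaks(match.group("target"))
        if leaks:
            findings.append((line_no, match.group("method"), redact(match.group("target")), leaks))
    return findings


if __name__ == "__main__":
    for line_no, method, safe_target, leaks in scan_log(SAMPLE_LOG):
        print(f"line {line_no}: {method} {safe_target}  leaks={leaks}")
```

Running the script on the sample lines reports lines 1, 3 and 4 and leaves the product search alone. In practice the same check belongs in two places: in the log pipeline as a redaction step, so the historic exposure is contained while the workaround or patch is rolled out, and as a detection rule that alerts when a client is still calling the deprecated endpoints after the new body-parameter variants are in place.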
Newly Released Medium Priority Security Notes
Security Note 3488341 – [CVE-2024-45286] received a CVSS score of 6.5 and addresses a “Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface).” Due to insufficient authorization checks when it is called by a user, a remote-enabled function module in the obsolete Tobin interface in SAP Production and Revenue Accounting allows unauthorized access that could result in the disclosure of highly sensitive table data. If this vulnerability is left unpatched and is successfully exploited, there could be a high impact on system and data confidentiality but no impact on integrity or availability. As a solution, SAP added the appropriate authorization check.
Security Note 3501359 – [CVE-2024-45279] received a CVSS score of 6.1 and addresses a “Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel).” Due to insufficient input validation, the CRM Blueprint Application Builder Panel in the SAP NetWeaver Application Server for ABAP allows an unauthenticated attacker to create a URL link that could embed malicious JavaScript. When a user clicks on the link, the script will be executed in the victim’s browser, enabling the attacker to access and/or modify information. If this injection vulnerability is left unpatched and is successfully exploited, there will be a low impact on application confidentiality and integrity but no impact on availability. As a solution, SAP has ensured that the data is now properly encoded to prevent a successful XSS attack.
Security Note 3477359 – [CVE-2024-45283] received a CVSS score of 6.0 and addresses an “Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service).” Specifically, SAP NetWeaver AS Java allows an unauthenticated attacker to obtain sensitive information, such as usernames and passwords, when creating an RFC destination. If this vulnerability is left unpatched and is successfully exploited, an attacker can read sensitive data but cannot modify or delete the data. As a solution, this patch no longer allows an attacker to bypass authentication.
Security Note 3497347 – [CVE-2024-42378] received a CVSS score of 6.1 and addresses “Cross-Site Scripting (XSS) in eProcurement on S/4HANA.” Due to weak encoding of user-controlled inputs, eProcurement on SAP S/4HANA allows attackers to inject and execute malicious scripts in the application, potentially resulting in a reflected XSS vulnerability. If this vulnerability is left unpatched and is successfully exploited, there will be a minor impact on application confidentiality and integrity but no impact on application availability. Reasons for this vulnerability included missing input validation and output encoding of untrusted data. As a solution, SAP released this patch and corresponding correction instructions and support packages to deactivate the obsolete code.
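Both XSS notes above (3501359 and 3497347) come down to the same root cause: user-controlled input reflected into a page with either no output encoding or encoding that is too weak for the context it lands in. The example below is added here to show that difference concretely; it is not SAP code and not part of this post’s original content. It renders a constructed “search results” fragment two ways, once with an encoder that only strips angle brackets (the kind of partial encoding the eProcurement note describes as “weak”) and once with context-appropriate encoding, then parses the result back to check whether the reflected value escaped its attribute. The template, the weak encoder and the test string are all assumptions made for illustration.

```python
"""Weak versus context-aware output encoding for a reflected parameter.

Added example, not SAP code. The page template and the 'weak' encoder are
constructed to show why stripping angle brackets alone is not enough when
the value is also reflected into an HTML attribute and a URL.
"""
import html
from html.parser import HTMLParser
from urllib.parse import quote


def weak_encode(value):
    """Assumed 'weak' encoder: neutralises tags in body text but leaves quotes alone."""
    return value.replace("<", "&lt;").replace(">", "&gt;")


def render_weak(search_term):
    """Reflect the term into body text, a URL and an attribute using the weak encoder."""
    term = weak_encode(search_term)
    return (
        f"<p>Results for: {term}</p>\n"
        f'<a href="/search?q={term}" title="{term}">Search again</a>'
    )


def render_hardened(search_term):
    """Encode the same term once per output context: HTML text, URL, attribute."""
    text = html.escape(search_term, quote=True)   # body text; quotes encoded too
    url = quote(search_term, safe="")              # query-string value
    attr = html.escape(search_term, quote=True)   # double-quoted attribute value
    return (
        f"<p>Results for: {text}</p>\n"
        f'<a href="/search?q={url}" title="{attr}">Search again</a>'
    )


class _TagCollector(HTMLParser):
    """Collects (tag, attributes) pairs the way a browser would tokenise them."""

    def __init__(self):
        super().__init__()
        self.tags = []

    def handle_starttag(self, tag, attrs):
        self.tags.append((tag, dict(attrs)))


def parse_tags(fragment):
    """Return the start tags found in the fragment with their attribute dicts."""
    collector = _TagCollector()
    collector.feed(fragment)
    return collector.tags


# The template only ever emits these two attributes on the anchor.
EXPECTED_ANCHOR_ATTRS = {"href", "title"}


def injected_attributes(fragment):
    """Return attribute names on the <a> element that the template never wrote."""
    for tag, attrs in parse_tags(fragment):
        if tag == "a":
            return set(attrs) - EXPECTED_ANCHOR_ATTRS
    return set()


if __name__ == "__main__":
    # Constructed test string: closes the attribute and opens a new one.
    probe = '" data-injected="1'
    print("weak:    ", injected_attributes(render_weak(probe)))
    print("hardened:", injected_attributes(render_hardened(probe)))
```

With the weak encoder the probe string, which contains no angle brackets at all, still breaks out of the `title` and `href` attributes and adds an attribute of its own; with per-context encoding it is reflected harmlessly and reads back as the original text. The practical takeaway is the one SAP applied in both notes: encode at the point of output, for the context the value is written into, rather than filtering a few characters on input.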
The Importance of Proactive and Timely Patching
Staying updated on the monthly Security Notes released for SAP Patch Tuesday is crucial to maintaining the security posture of the confidentiality, integrity, and availability (CIA) triad for your business-critical SAP applications. Even if months like September 2024 do not include any new critical HotNews notes, it is still crucial to be mindful of lower severity notes that could compound over time and unknowingly expose your organization’s sensitive data. These patches address critical vulnerabilities that malicious actors continually attempt to exploit to compromise your organization’s data and operations. Neglecting this crucial component of SAP security can lead to costly data breaches, system downtime, and potential reputational damage. By establishing an effective monthly patch management plan, businesses can proactively protect themselves against cyber threats.
How Pathlock Can Help
Pathlock’s Cybersecurity Application Controls (CAC) product enables customers to proactively streamline patch management and prioritization efforts through advanced automation to continuously detect critical vulnerabilities and system threat exposures. CAC’s advanced analytics and reporting capabilities deliver valuable insights into which patches are most urgent, helping customer Basis teams allocate resources more efficiently, rapidly apply patches, and save time and money. Moreover, Pathlock CAC’s ABAP-native architecture ensures seamless integration with SAP standard solutions, enabling rapid customer adoption and minimal system downtime during patch deployment.
Pathlock empowers a comprehensive SAP cybersecurity strategy through five robust cybersecurity modules:
- Vulnerability Management
- Code Scanning
- Transport Control
- Threat Detection and Response
- Dynamic Access Controls (DAC)
Pathlock is committed to helping our customers stay updated on the latest SAP Security Notes, so be sure to check back next month for the latest SAP Patch Tuesday release.
To see how Pathlock can help your organization with timely patch management, reach out and set up a demo today.