SAP Security Patch Day – October 2024

As SAP administrators and security professionals gear up for the second Tuesday of October 2024, anticipation builds for the latest SAP Security Patch Day. This essential event focuses on delivering critical security updates to address a range of vulnerabilities across various SAP products and components. Maintaining a strong security posture in SAP environments remains paramount, and this month’s patches underscore the ongoing commitment to safeguarding enterprise systems.

This month, 8 new security notes have been released, addressing vulnerabilities with CVSS scores ranging up to 9.8, indicating high-priority issues. These vulnerabilities impact a diverse set of SAP products, including the BusinessObjects Business Intelligence Platform, SAP Commerce Backoffice, SAP Enterprise Project Connection, and more.

Among the most notable vulnerabilities this month are:

• CVE-2024-41730 in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.8, representing a critical missing authentication check that could allow unauthorized access to system tokens.
• CVE-2024-37179 in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) with a CVSS score of 7.7, involving insecure file operations that permit authenticated users to download arbitrary files from the server.
• CVE-2022-23302 in SAP Enterprise Project Connection with a CVSS score of 8.0, related to multiple vulnerabilities in the Spring Framework and Log4j libraries.
• CVE-2024-45278 in SAP Commerce Backoffice with a CVSS score of 5.4, a Cross-Site Scripting (XSS) vulnerability that could compromise user sessions.
• CVE-2024-45283 in SAP NetWeaver AS for Java (Destination Service) with a CVSS score of 6.0, an information disclosure vulnerability allowing unauthorized access to sensitive data.

Top 5 Vulnerabilities This Month

1. CVE-2024-41730 – SAP BusinessObjects Business Intelligence Platform

   • CVSS Score: 9.8
   • Type: Missing Authentication Check
   • Description: This critical vulnerability allows an unauthorized user to obtain a login token via a REST endpoint, potentially leading to full system compromise.
   • Recommendation: Immediately apply the relevant patches and update the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files. Restart the application servers as instructed in the SAP Security Note.

2. CVE-2024-37179 – SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

   • CVSS Score: 7.7
   • Type: Insecure File Operations
   • Description: Authenticated users can use this vulnerability to download arbitrary files from the server, posing a significant risk to application confidentiality.
   • Recommendation: Apply the provided patch and create a PersonalFile_AllowList.txt file in the specified configuration directory, listing only trusted folders for data access.

      

3. CVE-2022-23302 – SAP Enterprise Project Connection

   • CVSS Score: 8.0
   • Type: Multiple Vulnerabilities in Spring Framework and Log4j
   • Description: The use of vulnerable versions of Spring Framework and Log4j libraries could allow attackers to execute arbitrary code.
   • Recommendation: Update the affected libraries to the secure versions as outlined in the SAP Security Note and apply all related patches.

      

4. CVE-2024-45278 – SAP Commerce Backoffice

   • CVSS Score: 5.4
   • Type: Cross-Site Scripting (XSS)
   • Description: Insufficient encoding of user inputs in the Backoffice component allows attackers to inject malicious scripts, potentially compromising user sessions.
   • Recommendation: Install the latest patches that enforce strict Content Security Policies (CSP) and ensure proper encoding of all user inputs.

      

5. CVE-2024-45283 – SAP NetWeaver AS for Java (Destination Service)

   • CVSS Score: 6.0
   • Type: Information Disclosure
   • Description: This vulnerability enables authorized attackers to access sensitive information, including usernames and passwords, when creating RFC destinations.
   • Recommendation: Apply the security patches promptly and verify that all authorization settings are correctly configured to prevent unauthorized data access.

Complete Table of Patched Vulnerabilities

Detailed Vulnerability Insights

1. CVE-2024-41730 – SAP BusinessObjects Business Intelligence Platform

• CVSS Score: 9.8 (Critical)
• Description: An absence of authentication checks allows unauthorized users to obtain login tokens via a REST API, potentially leading to full system compromise. This poses severe risks to the confidentiality, integrity, and availability of sensitive data.
• Solution: Apply the relevant patches immediately. Additionally, configure the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files located in the installation directories for both Windows and Linux environments. Restart the Tomcat server to enforce changes.

2. CVE-2024-37179 – SAP BusinessObjects BI Platform (Web Intelligence)

• CVSS Score: 7.7
• Description: This vulnerability allows authenticated users to download any file from the server hosting the Web Intelligence Reporting Server, severely impacting application confidentiality.
• Solution: Install the patch provided in the SAP Security Note. To further restrict access, create a PersonalFile_AllowList.txt file in the configuration directory, listing only approved directories from which data can be fetched.

3. CVE-2022-23302 – SAP Enterprise Project Connection

• CVSS Score: 8.0
• Description: Multiple vulnerabilities in the Spring Framework and Log4j libraries used by SAP Enterprise Project Connection can be exploited to execute arbitrary code, compromising the application’s security.
• Solution: Upgrade to the latest secure versions of Spring Framework and Log4j as detailed in the SAP Security Note. Apply all associated patches to mitigate these vulnerabilities.

4. CVE-2024-45278 – SAP Commerce Backoffice

• CVSS Score: 5.4
• Description: A Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice allows attackers to inject malicious scripts, which can compromise user sessions and data integrity.
• Solution: Apply the latest security patches that enforce strict Content Security Policies (CSP) to prevent script execution. Ensure all user inputs are properly encoded to eliminate XSS risks.

5. CVE-2024-45283 – SAP NetWeaver AS for Java (Destination Service)

• CVSS Score: 6.0
• Description: This information disclosure vulnerability permits authorized attackers to access sensitive data, such as usernames and passwords, during the creation of RFC destinations.
• Solution: Implement the provided patches promptly. Additionally, verify and adjust authorization settings to ensure that only authorized personnel can access sensitive information.

General Recommendations

• Immediate Patch Deployment: All organizations utilizing the affected SAP products should prioritize the installation of the released patches to mitigate potential security risks.
• Security Configuration Audit: Conduct a thorough review of current security settings to ensure they align with SAP’s best practices and recommendations. Adjust configurations as necessary to enhance security.
• Continuous Monitoring: Regularly monitor system logs and activities to detect any suspicious behavior or attempts to use vulnerabilities. Implement automated alerting where possible.
• Staff Training: Educate administrators and users about the importance of applying security updates and recognizing potential security threats. Awareness is a key component of maintaining a secure SAP environment.