Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – June 2024

The sixth SAP Security Patch Day of 2024 is a moderate one: 12 Security Notes in total. The pattern behind many of the breaches and ransomware incidents in the news is the same, and it is not exotic: the systems involved were missing patches that had already been published.

At RedRays, we understand that effective vulnerability assessment is critical to protecting your SAP environment from such threats. Neglecting this vital aspect of IT security can lead to significant repercussions, as evidenced by numerous high-profile breaches.

Our Vulnerability Assessment software is designed to assist organizations by providing invaluable insights into existing security gaps within SAP landscapes. It empowers you to proactively evaluate the potential impacts of specific vulnerabilities, offering a comprehensive overview of your security status before any exploitation can occur.

SAP Security Patches June 2024

For June 2024, SAP has released 10 new Security Notes and updated 2 existing ones. There are no HotNews notes this month, but the release still deserves attention. The notes address Cross-Site Scripting (XSS), Denial-of-Service (DoS), unrestricted file upload, Information Disclosure and missing authorization checks.

Cross-Site Scripting (XSS)

Three notes in this release address XSS vulnerabilities, with CVSS scores ranging from 6.1 to 8.1. In an XSS attack, attacker-controlled input is reflected or stored in a web page without proper output encoding, so the injected script runs in the victim's browser with the victim's session and privileges.

  • Note 3457592: Addresses two issues in SAP Financial Consolidation (CVE-2024-37177 and CVE-2024-37178).
  • Note 3465129: Addresses an issue in the WebClient UI of SAP CRM (CVE-2024-34686).
  • Note 3450286: An update to the May note for CVE-2024-32733; the update revises the validity (affected version) information, so re-check whether your systems are now in scope.
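The difference between a reflected parameter that is encoded correctly and one that is not is easy to show in code. The following is an added example written for this article, not code from SAP or from any of the affected products: a hypothetical search endpoint in three variants (unescaped, escaped only for the text context, escaped for both text and attribute contexts) and a small probe that reports which canary payloads survive into the response verbatim. The payloads and endpoint are constructed for the illustration.

```python
import html

# Constructed example, not SAP code: a search endpoint that reflects the
# "query" parameter into the page body and into an input attribute.

def render_unsafe(query: str) -> str:
    """Vulnerable: the parameter is concatenated into HTML untouched."""
    return f'<p>Results for: {query}</p><input value="{query}">'


def render_partial_fix(query: str) -> str:
    """Common incomplete fix: escapes & < > but leaves quotes alone.
    Safe for the text context, still breakable inside the attribute."""
    escaped = html.escape(query, quote=False)
    return f'<p>Results for: {escaped}</p><input value="{escaped}">'


def render_safe(query: str) -> str:
    """Hardened: escape for both the text and the attribute context.
    quote=True turns " and ' into entities, which is what the attribute needs."""
    escaped = html.escape(query, quote=True)
    return f'<p>Results for: {escaped}</p><input value="{escaped}">'


# Canary payloads, one per output context. The second one contains no angle
# brackets on purpose: it only needs to close the value="..." attribute.
PAYLOADS = (
    '<script>alert(1)</script>',          # HTML text context
    '" autofocus onfocus="alert(1)',      # attribute context breakout
)


def reflected_unescaped(render, payloads=PAYLOADS) -> list:
    """Return the payloads that appear verbatim in the rendered output.
    A non-empty result means the endpoint reflects without adequate encoding."""
    return [p for p in payloads if p in render(p)]


if __name__ == "__main__":
    for name, fn in (("unsafe", render_unsafe),
                     ("partial", render_partial_fix),
                     ("safe", render_safe)):
        print(f"{name:8s} -> surviving payloads: {reflected_unescaped(fn)}")
```

The partial variant is the one to remember when reviewing a vendor fix or your own custom WebClient UI components: escaping angle brackets alone does nothing for values placed inside an attribute.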

Denial-of-Service (DoS)

DoS attacks exhaust a target's resources (CPU, memory, work processes or connections) so that it can no longer serve legitimate users.

  • Note 3460407: Describes a DoS vulnerability in SAP AS Java (CVE-2024-34688).
  • Note 3453170: Describes a DoS vulnerability in SAP NetWeaver and the ABAP platform (CVE-2024-33001). SAP documents a temporary workaround for systems in which authorization checks for RFC calls are disabled; treat it as a stopgap until the note is applied.

Unrestricted File Uploads

Secure file handling remains crucial. This release includes one note for the SAP Document Builder service.

  • Note 3459379: Addresses an unrestricted file upload vulnerability (CVE-2024-34683). Apply the patch; as an interim mitigation, SAP suggests a virus scan profile that restricts the MIME types accepted for upload.
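A MIME-type restriction is only useful if the declared type, the file extension and the actual content are checked against each other; otherwise an HTML or script file uploaded as "application/pdf" sails through. The following is an added illustration of that allowlist idea, written for this article; it is not SAP Document Builder code and it is not how an SAP virus scan profile is configured. The allowlist, the magic-byte table and the sample uploads are constructed for the example.

```python
import os

# Constructed allowlist, not an SAP virus scan profile: accepted MIME types
# mapped to the leading bytes their content must start with.
ALLOWED = {
    "application/pdf": (b"%PDF-",),
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    # DOCX is a ZIP container, so this only proves "is a ZIP"; still scan it.
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document":
        (b"PK\x03\x04",),
}

# Extensions each type may carry; anything else is rejected.
EXT_FOR = {
    "application/pdf": {".pdf"},
    "image/png": {".png"},
    "image/jpeg": {".jpg", ".jpeg"},
    "application/vnd.openxmlformats-officedocument.wordprocessingml.document":
        {".docx"},
}


def validate_upload(filename: str, declared_mime: str, content: bytes):
    """Return (accepted, reason) for one upload.

    Order matters: cheap allowlist checks first, content sniffing last.
    """
    mime = declared_mime.split(";")[0].strip().lower()   # drop charset etc.
    if mime not in ALLOWED:
        return False, f"MIME type not allowed: {mime}"

    # No path components, no traversal: the stored name must equal the basename.
    base = os.path.basename(filename)
    if base != filename or ".." in base or not base:
        return False, "unsafe filename"

    ext = os.path.splitext(base)[1].lower()
    if ext not in EXT_FOR[mime]:
        return False, f"extension {ext or '(none)'} does not match {mime}"

    # Content must actually look like the declared type (type confusion check).
    if not any(content.startswith(magic) for magic in ALLOWED[mime]):
        return False, "content does not match declared type"

    return True, "ok"


# Constructed sample uploads: (filename, declared MIME, first bytes of content).
SAMPLES = [
    ("report.pdf", "application/pdf", b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n"),
    ("report.pdf", "application/pdf", b"<html><script>alert(1)</script>"),
    ("logo.svg", "image/svg+xml", b"<svg onload=alert(1)>"),
    ("../../etc/report.pdf", "application/pdf", b"%PDF-1.4\n"),
    ("notes.pdf.html", "application/pdf", b"%PDF-1.4\n"),
]


def check_samples(samples=SAMPLES):
    """Return the list of (filename, accepted, reason) for the samples."""
    return [(name, *validate_upload(name, mime, body)) for name, mime, body in samples]


if __name__ == "__main__":
    for name, accepted, reason in check_samples():
        print(f"{'ACCEPT' if accepted else 'REJECT':6s} {name:24s} {reason}")
```

The magic-byte check stops type confusion, not malicious content inside a legitimate type (a PDF with embedded JavaScript still passes), which is why the SAP recommendation pairs the MIME restriction with virus scanning rather than replacing it.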

Authorization Checks

Missing authorization checks continue to be a common vulnerability. This month, four notes address this issue, with CVSS scores from 3.9 to 6.5.

  • Note 3466175: Missing authorization check in SAP S/4HANA for incoming payment files (CVE-2024-34691).
  • Note 3465455: Missing authorization check in SAP BW/4HANA Transformation and DTP (CVE-2024-37176).
  • Note 3457265: Missing authorization check in SAP Student Life Cycle Management (SLcM) (CVE-2024-34690).
  • Note 2638217: Updated note on switchable authorization checks for Central Finance, originally from 2018.

Information Disclosure

Two notes address vulnerabilities related to unwanted access to sensitive data.

  • Note 3425571: Potential access to server information on SAP AS Java (CVE-2024-28164). A workaround is available.
  • Note 3441817: Describes how an authenticated attacker can gain user credentials for remote server file access (CVE-2024-34684).

Summary by Severity

The June release contains a total of 12 patches, categorized as follows:

Severity    Number
Hot News    0
High        2
Medium      8
Low         2

Highlights of Security Notes

  • Note 3457592: XSS vulnerabilities in SAP Financial Consolidation (CVE-2024-37177), High severity with CVSS 8.1.
  • Note 3460407: DoS vulnerability in SAP NetWeaver AS Java (CVE-2024-34688), High severity with CVSS 7.5.
  • Note 3459379: Unrestricted file upload in SAP Document Builder (CVE-2024-34683), Medium severity with CVSS 6.5.
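The practical question after every Patch Day is which of these notes are still missing on a given system. The following is an added example for this article, not RedRays product code or an SAP tool: it records the 12 notes exactly as listed above (CVSS only where this article states it), parses a constructed "note,status" export of implemented notes, and lists the gaps with the highest known CVSS first. The export format and the sample rows are constructed; a real comparison should use your own SNOTE export or equivalent, and for AS Java notes such as 3460407 and 3425571 the component patch level rather than note implementation status.

```python
import csv
import io

# The 12 notes of this release as listed in this article. CVSS is only
# recorded where the article states it; None means "not listed here".
JUNE_2024_NOTES = [
    {"note": 3457592, "cve": "CVE-2024-37177, CVE-2024-37178",
     "area": "XSS, SAP Financial Consolidation", "cvss": 8.1},
    {"note": 3460407, "cve": "CVE-2024-34688",
     "area": "DoS, SAP NetWeaver AS Java", "cvss": 7.5},
    {"note": 3459379, "cve": "CVE-2024-34683",
     "area": "Unrestricted file upload, SAP Document Builder", "cvss": 6.5},
    {"note": 3465129, "cve": "CVE-2024-34686",
     "area": "XSS, SAP CRM WebClient UI", "cvss": None},
    {"note": 3450286, "cve": "CVE-2024-32733",
     "area": "XSS, updated May note", "cvss": None},
    {"note": 3453170, "cve": "CVE-2024-33001",
     "area": "DoS, SAP NetWeaver and ABAP platform", "cvss": None},
    {"note": 3466175, "cve": "CVE-2024-34691",
     "area": "Missing authorization check, S/4HANA incoming payment files", "cvss": None},
    {"note": 3465455, "cve": "CVE-2024-37176",
     "area": "Missing authorization check, BW/4HANA Transformation and DTP", "cvss": None},
    {"note": 3457265, "cve": "CVE-2024-34690",
     "area": "Missing authorization check, SAP SLcM", "cvss": None},
    {"note": 2638217, "cve": "",
     "area": "Switchable authorization checks, Central Finance (updated)", "cvss": None},
    {"note": 3425571, "cve": "CVE-2024-28164",
     "area": "Information disclosure, SAP AS Java", "cvss": None},
    {"note": 3441817, "cve": "CVE-2024-34684",
     "area": "Information disclosure, credentials for remote file access", "cvss": None},
]

# Constructed export (hypothetical format): one row per note with its status.
SAMPLE_EXPORT = """note,status
3457592,implemented
3450286,implemented
2638217,implemented
3460407,not implemented
"""


def parse_implemented(csv_text: str) -> set:
    """Return the set of note numbers whose status is 'implemented'."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {int(row["note"]) for row in reader
            if row["status"].strip().lower() == "implemented"}


def missing_notes(release, implemented: set) -> list:
    """Notes from the release not in the implemented set, highest CVSS first;
    notes without a listed CVSS come last, ordered by note number."""
    gaps = [n for n in release if n["note"] not in implemented]
    gaps.sort(key=lambda n: (-(n["cvss"] if n["cvss"] is not None else -1.0),
                             n["note"]))
    return gaps


def report(csv_text: str = SAMPLE_EXPORT) -> list:
    """One human-readable line per missing note."""
    lines = []
    for n in missing_notes(JUNE_2024_NOTES, parse_implemented(csv_text)):
        score = f"CVSS {n['cvss']}" if n["cvss"] is not None else "CVSS not listed here"
        lines.append(f"MISSING note {n['note']} ({n['cve'] or 'no CVE'}): "
                     f"{n['area']} [{score}]")
    return lines


if __name__ == "__main__":
    print("\n".join(report()))
```

Rows absent from the export count as missing, which is the safe default: a note your inventory has never seen is a gap until proven otherwise.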

Conclusion

Ensuring your SAP systems are up-to-date with the latest security patches is crucial in defending against cyber threats. RedRays is committed to helping you navigate the complexities of vulnerability management, providing the tools and insights necessary to maintain a secure SAP environment.

For more information on the latest patches and how RedRays can assist you, visit our website.
