Introduction
As we enter the second half of 2024, the SAP Security Patch Day for July has arrived, bringing with it a new set of critical updates for SAP systems worldwide. At RedRays, we understand the paramount importance of staying ahead in the ever-evolving landscape of cybersecurity. This report provides a comprehensive analysis of the latest SAP security patches, their implications, and how our solutions can help you maintain a robust security posture.
Overview of July 2024 SAP Security Patches
This month, SAP has released a total of 18 security notes, comprising 16 new patches and 2 updates to existing ones. While there are no HotNews notes this month, the release includes patches of varying criticality that demand attention from SAP administrators and security professionals.
Patch Breakdown:
- High Priority: 2 patches
- Medium Priority: 15 patches
- Low Priority: 1 patch
Detailed Analysis of Key Security Notes
High Priority Patches
- Note 3483344 – [CVE-2024-39592] Missing Authorization check in SAP PDCE
- Severity: High
- CVSS Score: 7.7
- This vulnerability in SAP PDCE could allow unauthorized access to sensitive functions. Immediate patching is crucial to prevent potential exploitation.
- Note 3490515 – [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce
- Severity: High
- CVSS Score: 7.2
- This vulnerability affects the ‘early login and registration’ feature of SAP Commerce. It’s important to note that the fix differs between public and on-premise variants. For on-premise installations, manual steps may be required in addition to applying the patch.
Medium Priority Patches of Note
- Note 3466801 – [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
- Severity: Medium
- CVSS Score: 6.9
- This vulnerability could lead to unauthorized access to sensitive information in SAP Landscape Management. While not as critical as the high-priority patches, it should be addressed promptly.
- Note 3459379 – [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
- Severity: Medium
- CVSS Score: 6.5
- This note was updated at the end of June with changed correction instructions. If relevant to your system, ensure you review and implement the latest version of the patch.
- Note 3461110 – [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows
- Severity: Medium
- CVSS Score: 5.0
- While this vulnerability only poses a significant risk if a user’s workstation is already compromised, it highlights the potential weaknesses in password-based systems. This underscores the importance of implementing more secure authentication methods like Single Sign-On (SSO).
- Notes 3476348 and 3476340 – Vulnerabilities in SAP Enable Now
- Severity: Medium and Low
- CVSS Scores: 4.3 and 3.3 respectively
- These notes address vulnerabilities in SAP Enable Now. It’s crucial to note the differences between cloud and on-premise variants, as they require different remediation steps.
Other Notable Patches
- Note 3454858 – [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
- Severity: Medium
- CVSS Score: 4.1
- This vulnerability relates to potential information disclosure when using certain function modules in SAP ABAP systems. While the patch addresses the immediate vulnerability, it also highlights the need for ongoing monitoring of sensitive module usage.
The Importance of Comprehensive Patch Management
The July 2024 SAP Security Patch Day emphasizes the ongoing need for vigilance in SAP system security. Unpatched vulnerabilities remain one of the primary attack vectors for cybercriminals, making timely and effective patch management crucial for maintaining a strong security posture.
At RedRays, we offer solutions designed to streamline and enhance your SAP security processes:
- RedRays Patch Intelligence: Our solution provides a comprehensive overview of your SAP landscape’s patch status. It allows you to assess the potential impact of patches before implementation, enabling informed decision-making and efficient patch prioritization.
- Continuous Threat Monitoring: Beyond patching, our monitoring solution tracks the usage of sensitive modules and functions in real-time. This proactive approach allows you to detect and respond to potential exploitation attempts quickly, even in patched systems.
Best Practices for SAP Security
In light of these recent patches, we recommend the following best practices:
- Timely Patch Application: Prioritize the application of high and medium priority patches, especially those affecting components critical to your business operations.
- Regular Security Assessments: Conduct periodic security assessments of your SAP landscape to identify potential vulnerabilities before they can be exploited.
- Implement Least Privilege: Ensure that users and processes have only the minimum necessary access rights to perform their functions.
- Enhance Authentication: Consider implementing stronger authentication methods, such as multi-factor authentication or SSO, particularly for sensitive systems and roles.
- Continuous Monitoring: Implement real-time monitoring of your SAP systems to detect and respond to suspicious activities promptly.
Complete List of July 2024 SAP Security Notes
To provide a comprehensive overview of all the security patches released this month, we’ve compiled the following table. This list includes all 18 security notes, their descriptions, severity levels, and CVSS scores.
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | High | 7.7 |
| 3490515 | [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce | High | 7.2 |
| 3466801 | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | Medium | 6.9 |
| 3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | 6.5 |
| 3468681 | [CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor | Medium | 6.1 |
| 3482217 | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation | Medium | 6.1 |
| 3467377 | [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) | Medium | 6.1 |
| 3457354 | [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | Medium | 5.4 |
| 3483993 | [CVE-2024-34689] Prerequisite for Security Note 3458789 | Medium | 5.0 |
| 3485805 | [CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services) | Medium | 5.0 |
| 3469958 | [CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal) | Medium | 5.0 |
| 3461110 | [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows | Medium | 5.0 |
| 3458789 | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Medium | 5.0 |
| 3456952 | [CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.7 |
| 3476348 | [CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now | Medium | 4.3 |
| 3101986 | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI | Medium | 4.1 |
| 3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1 |
| 3476340 | [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now | Low | 3.3 |
This comprehensive list provides a clear overview of all the security notes released in the July 2024 SAP Security Patch Day. It’s crucial to review each of these notes and assess their relevance to your SAP landscape. While we’ve highlighted some of the most critical patches earlier in this report, all of these security notes deserve attention and should be considered in your patch management strategy.
Conclusion
The July 2024 SAP Security Patch Day, with its array of 18 security notes ranging from high to low priority, underscores the ongoing importance of vigilant SAP system security. At RedRays, we’re committed to helping you navigate these challenges effectively.
Our Patch Intelligence and Continuous Threat Monitoring solutions are designed to streamline your patch management process and enhance your overall security posture. By providing comprehensive insights into your SAP landscape and real-time threat detection, we enable you to stay one step ahead of potential security risks.
Remember, effective SAP security is not just about applying patches – it’s about developing a holistic, proactive approach to protecting your critical business systems. With RedRays as your trusted partner, you can confidently face the evolving landscape of SAP security challenges.
Contact us today to learn more about how we can help strengthen your SAP security strategy and ensure the continued protection of your valuable business assets.
Stay secure, stay vigilant, and let RedRays be your guide in the complex world of SAP security.
