Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security Patch Day – August 2024

Introduction

August 2024 has brought a new set of critical updates for SAP systems worldwide. This report provides a comprehensive analysis of the latest SAP security patches, their implications, and recommendations for maintaining a robust security posture.

Overview of August 2024 SAP Security Patches

This month, SAP has released a total of 25 security notes, including new patches and updates to existing ones. Of particular note are two HotNews bulletins that require immediate attention from SAP administrators and security professionals.

Patch Breakdown:

  • HotNews: 2 patches
  • High Priority: 4 patches
  • Medium Priority: 19 patches

Detailed Analysis of Key Security Notes

HotNews Patches

  1. Note 3479478 – [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
    • Severity: HotNews
    • CVSS Score: 9.8
    • Affected Versions: ENTERPRISE 430, 440
    This critical vulnerability could allow an unauthenticated attacker to gain unauthorized access to the SAP BusinessObjects BI Platform. Immediate patching is crucial to prevent potential exploitation.
  2. Note 3477196 – [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps
    • Severity: HotNews
    • CVSS Score: 9.1
    • Affected Versions: < 4.11.130
    This vulnerability could allow attackers to perform unauthorized requests on behalf of the server. All applications built using affected versions of SAP Build Apps should be updated immediately.

High Priority Patches

  1. Note 3485284 – [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service
    • Severity: High
    • CVSS Score: 8.2
    • Affected Versions: BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5
    This vulnerability could allow attackers to inject malicious XML code, potentially leading to unauthorized access or data manipulation.
  2. Note 3423268 – [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection)
    • Severity: High
    • CVSS Score: 7.8
    • Affected Library Versions: SheetJS CE < 0.19.3
    This vulnerability could allow attackers to manipulate JavaScript object prototypes, potentially leading to arbitrary code execution.
  3. Note 3460407 – [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)
    • Severity: High
    • CVSS Score: 7.5
    • Affected Versions: MMR_SERVER 7.5
    This update to a note released in June 2024 addresses a vulnerability that could lead to a denial of service in SAP NetWeaver AS Java.
  4. Note 3459935 – [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud
    • Severity: High
    • CVSS Score: 7.4
    • Affected Versions: HY_COM 1808, 1811, 1905, 2005, 2011, 2105, 2205, COM_CLOUD 2211
    This vulnerability could lead to unauthorized disclosure of sensitive information in SAP Commerce Cloud.

Notable Medium Priority Patches

  1. Note 3466801 – [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
    • Severity: Medium
    • CVSS Score: 6.9
    • Affected Versions: VCM 3.00
    This update to a note released in July 2024 addresses an information disclosure vulnerability in SAP Landscape Management.
  2. Note 3495876 – [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)
    • Severity: Medium
    • CVSS Score: 6.5
    • Affected CVEs: CVE-2023-0215, CVE-2022-0778, CVE-2023-0286
    • Affected Versions: 16.0.3, 16.0.4
    This patch addresses multiple vulnerabilities in open-source components used in SAP Replication Server.
  3. Note 3459379 – [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
    • Severity: Medium
    • CVSS Score: 6.5
    • Affected Versions: S4CORE 100, 101, S4FND 102-108, SAP_BS_FND 702, 731, 746-748
    This update to a note released in June 2024 addresses an unrestricted file upload vulnerability in SAP Document Builder.

The Importance of Comprehensive Patch Management

The August 2024 SAP Security Patch Day emphasizes the ongoing need for vigilance in SAP system security. Unpatched vulnerabilities remain one of the primary attack vectors for cybercriminals, making timely and effective patch management crucial for maintaining a strong security posture.

Best Practices for SAP Security

In light of these recent patches, we recommend the following best practices:

  1. Timely Patch Application: Prioritize the application of HotNews and high priority patches, especially those affecting components critical to your business operations.
  2. Regular Security Assessments: Conduct periodic security assessments of your SAP landscape to identify potential vulnerabilities before they can be exploited.
  3. Implement Least Privilege: Ensure that users and processes have only the minimum necessary access rights to perform their functions.
  4. Enhance Authentication: Consider implementing stronger authentication methods, such as multi-factor authentication, or single sign-on backed by MFA, particularly for sensitive systems and roles.
  5. Continuous Monitoring: Implement real-time monitoring of your SAP systems to detect and respond to suspicious activities promptly.
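The triage that the first best practice asks for (HotNews and High first, and only the notes whose affected components you actually run) can be scripted. The following Python is an added example written for this post, not RedRays or SAP code. The note numbers, CVEs, priorities, CVSS scores and affected components are taken from the detailed analysis above; the INSTALLED inventory is a constructed stand-in for what you would export from your own landscape (for example the component list an ABAP system shows under System -> Status). The version matcher handles the three forms the notes use: an exact release ("430"), a range ("746-748") and an upper bound ("<4.11.130").

```python
"""Patch-day triage: match SAP security notes against an installed-component inventory.

Added example, not RedRays or SAP code. Note numbers, CVEs, priorities, CVSS scores
and affected components are copied from the August 2024 list above; the INSTALLED
inventory is constructed for the example.
"""
from dataclasses import dataclass

PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Note:
    number: str
    cve: str
    title: str
    priority: str
    cvss: float
    # ((component, (version specs...)), ...); empty when the page gives no component list
    components: tuple
    updated: bool = False  # re-release of a note first published in an earlier month


NOTES = [
    Note("3479478", "CVE-2024-41730", "Missing Authentication check in SAP BusinessObjects BI Platform",
         "HotNews", 9.8, (("ENTERPRISE", ("430", "440")),)),
    Note("3477196", "CVE-2024-29415", "SSRF in applications built with SAP Build Apps",
         "HotNews", 9.1, (("SAP Build Apps", ("<4.11.130",)),)),
    Note("3485284", "CVE-2024-42374", "XML injection in SAP BEx Web Java Runtime Export Web Service",
         "High", 8.2, tuple((c, ("7.5",)) for c in ("BI-BASE-E", "BI-BASE-B", "BI-IBC", "BI-BASE-S", "BIWEBAPP"))),
    Note("3423268", "CVE-2023-30533", "Prototype Pollution in SAP S/4HANA (Manage Supply Protection)",
         "High", 7.8, (("SheetJS CE", ("<0.19.3",)),)),
    Note("3460407", "CVE-2024-34688", "DoS in SAP NetWeaver AS Java (Meta Model Repository)",
         "High", 7.5, (("MMR_SERVER", ("7.5",)),), updated=True),
    Note("3459935", "CVE-2024-33003", "Information Disclosure in SAP Commerce Cloud",
         "High", 7.4, (("HY_COM", ("1808", "1811", "1905", "2005", "2011", "2105", "2205")),
                       ("COM_CLOUD", ("2211",)))),
    Note("3466801", "CVE-2024-39593", "Information Disclosure in SAP Landscape Management",
         "Medium", 6.9, (("VCM", ("3.00",)),), updated=True),
    Note("3459379", "CVE-2024-34683", "Unrestricted file upload in SAP Document Builder",
         "Medium", 6.5, (("S4CORE", ("100", "101")), ("S4FND", ("102-108",)),
                         ("SAP_BS_FND", ("702", "731", "746-748"))), updated=True),
    Note("3438085", "CVE-2024-33005", "Missing Authorization check in SAP NetWeaver AS, Web Dispatcher, Content Server",
         "Medium", 6.3, ()),  # affected components are not listed on this page
]

# Constructed inventory: software component -> installed release/version.
INSTALLED = {
    "ENTERPRISE": "430",
    "HY_COM": "2105",
    "S4FND": "105",
    "SAP_BS_FND": "749",
    "SheetJS CE": "0.19.3",  # already at the fixed level
    "MMR_SERVER": "7.5",
}


def _vtuple(v: str) -> tuple:
    return tuple(int(p) for p in v.split("."))


def version_affected(installed: str, spec: str) -> bool:
    """True if `installed` matches `spec`: exact ('430'), range ('746-748') or upper bound ('<4.11.130')."""
    if spec.startswith("<"):
        return _vtuple(installed) < _vtuple(spec[1:])
    if "-" in spec:
        lo, hi = spec.split("-", 1)
        return _vtuple(lo) <= _vtuple(installed) <= _vtuple(hi)
    return _vtuple(installed) == _vtuple(spec)


def disposition(note: Note, installed: dict) -> str:
    """'patch', 'review', 'not-affected' or 'not-installed' for one note against the inventory."""
    if not note.components:
        return "review"  # cannot decide from component data; read the note itself
    present = [(c, specs) for c, specs in note.components if c in installed]
    if not present:
        return "not-installed"
    if any(version_affected(installed[c], s) for c, specs in present for s in specs):
        return "patch"
    return "not-affected"


def worklist(notes=NOTES, installed=INSTALLED) -> list:
    """Notes needing action, ordered HotNews > High > Medium and by CVSS within a tier."""
    rows = [(n, disposition(n, installed)) for n in notes]
    rows.sort(key=lambda r: (PRIORITY_RANK[r[0].priority], -r[0].cvss))
    return [(n.number, n.priority, n.cvss, status, n.updated)
            for n, status in rows if status in ("patch", "review")]


if __name__ == "__main__":
    for number, priority, cvss, status, updated in worklist():
        print(f"{number} {priority:<8} {cvss:>4} {status}{' (re-released note)' if updated else ''}")
```

Notes whose components the page does not list come back as "review" rather than being silently dropped, and re-released notes are flagged because a landscape that applied the June or July version may still need the updated correction.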

Complete List of August 2024 SAP Security Notes

To provide a comprehensive overview of all the security patches released this month, we’ve compiled the following table. This list includes all 25 security notes, their descriptions, severity levels, and CVSS scores.

Note # | Title | Priority | CVSS
3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.8
3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | HotNews | 9.1
3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service | High | 8.2
3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) | High | 7.8
3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | High | 7.5
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | High | 7.4
3466801 | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | Medium | 6.9
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | Medium | 6.5
3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | 6.5
3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework | Medium | 6.5
3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server | Medium | 6.3
3482217 | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation | Medium | 6.1
3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | Medium | 5.5
3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Medium | 5.4
3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | Medium | 5.3
3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) | Medium | 5.0
3458789 | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Medium | 5.0
3468102 | [CVE-2024-41732] Improper Access Control in SAP Netweaver Application Server ABAP | Medium | 4.7
3150704 | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | Medium | 4.5
3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform | Medium | 4.3
3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | Medium | 4.3
3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | Medium | 4.3
3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Medium | 4.3
3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | 4.3
3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1

This comprehensive list provides a clear overview of all the security notes released in the August 2024 SAP Security Patch Day. It’s crucial to review each of these notes and assess their relevance to your SAP landscape.

Conclusion

The August 2024 SAP Security Patch Day, with its array of 25 security notes ranging from HotNews to medium priority, underscores the ongoing importance of vigilant SAP system security. By staying informed about these vulnerabilities and taking prompt action to apply the necessary patches, organizations can significantly reduce their risk exposure and maintain a robust security posture.
