Introduction
SAP's August 2024 Security Patch Day brought a new set of critical updates for SAP systems. This report summarizes the security notes released, what they mean for affected landscapes, and recommendations for maintaining a robust security posture.
Overview of August 2024 SAP Security Patches
This month, SAP released a total of 25 security notes, counting both new notes and updates to previously released ones. Two of them are HotNews bulletins (CVSS 9.0 or higher) that require immediate attention from SAP administrators and security professionals.
Patch Breakdown:
- HotNews: 2 patches
- High Priority: 4 patches
- Medium Priority: 19 patches
Detailed Analysis of Key Security Notes
HotNews Patches
- Note 3479478 – [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform
  - Severity: HotNews
  - CVSS Score: 9.8
  - Affected Versions: ENTERPRISE 430, 440
- Note 3477196 – [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps
  - Severity: HotNews
  - CVSS Score: 9.1
  - Affected Versions: < 4.11.130
  - The vulnerable code ships inside each application built with SAP Build Apps, so remediation means rebuilding and redeploying every affected app with version 4.11.130 or later, not only updating the platform itself.
High Priority Patches
- Note 3485284 – [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service
  - Severity: High
  - CVSS Score: 8.2
  - Affected Versions: BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5
- Note 3423268 – [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection)
  - Severity: High
  - CVSS Score: 7.8
  - Affected Library Versions: SheetJS CE < 0.19.3
- Note 3460407 – [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)
  - Severity: High
  - CVSS Score: 7.5
  - Affected Versions: MMR_SERVER 7.5
- Note 3459935 – [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud
  - Severity: High
  - CVSS Score: 7.4
  - Affected Versions: HY_COM 1808, 1811, 1905, 2005, 2011, 2105, 2205; COM_CLOUD 2211
Notable Medium Priority Patches
- Note 3466801 – [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
  - Severity: Medium
  - CVSS Score: 6.9
  - Affected Versions: VCM 3.00
- Note 3495876 – [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)
  - Severity: Medium
  - CVSS Score: 6.5
  - Affected CVEs: CVE-2023-0215, CVE-2022-0778, CVE-2023-0286
  - Affected Versions: 16.0.3, 16.0.4
- Note 3459379 – [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
  - Severity: Medium
  - CVSS Score: 6.5
  - Affected Versions: S4CORE 100, 101; S4FND 102-108; SAP_BS_FND 702, 731, 746-748
The Importance of Comprehensive Patch Management
The August 2024 SAP Security Patch Day emphasizes the ongoing need for vigilance in SAP system security. Unpatched vulnerabilities remain one of the primary attack vectors against SAP landscapes, and published notes give attackers a shortlist of what to look for, so timely and effective patch management is crucial for maintaining a strong security posture.
Best Practices for SAP Security
In light of these recent patches, we recommend the following best practices:
- Timely Patch Application: Prioritize HotNews and High priority notes, especially those affecting components critical to your business operations, and check each note's affected-version list against what is actually installed rather than patching by CVSS alone.
- Regular Security Assessments: Conduct periodic security assessments of your SAP landscape to identify potential vulnerabilities before they can be exploited.
- Implement Least Privilege: Ensure that users and processes have only the minimum necessary access rights to perform their functions; several of this month's notes are missing authorization checks, whose impact is bounded by what the affected user can already reach.
- Enhance Authentication: Implement stronger authentication, such as multi-factor authentication or SSO backed by a hardened identity provider, particularly for sensitive systems and privileged roles.
- Continuous Monitoring: Implement real-time monitoring of your SAP systems to detect and respond to suspicious activities promptly.
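The first of these practices, ranking the month's notes by priority and CVSS and by which affected components you actually run, is easy to automate. The following Python script is an added example, not code from the original page or from SAP: it transcribes the affected-version lists from the HotNews, High and notable Medium notes above, compares them against a constructed component inventory (the inventory format and its component/version strings are assumptions, in the style of an SAP system's component list), and returns the applicable notes most urgent first. Ranges such as "102-108" are treated as inclusive integer ranges and "< 4.11.130" as a numeric version comparison.

```python
"""Prioritize the August 2024 SAP notes against a component inventory.

Added example: the note data is transcribed from the analysis above; the
inventory format and the component/version strings are assumptions.
"""
import re
from dataclasses import dataclass, field


@dataclass
class Note:
    note: str
    cve: str
    priority: str          # HotNews, High or Medium
    cvss: float
    affected: dict = field(default_factory=dict)  # component -> version specs


# Affected versions as given in the HotNews, High and notable Medium notes above.
NOTES = [
    Note("3479478", "CVE-2024-41730", "HotNews", 9.8,
         {"ENTERPRISE": ["430", "440"]}),
    Note("3477196", "CVE-2024-29415", "HotNews", 9.1,
         {"SAP Build Apps": ["<4.11.130"]}),
    Note("3485284", "CVE-2024-42374", "High", 8.2,
         {c: ["7.5"] for c in ("BI-BASE-E", "BI-BASE-B", "BI-IBC", "BI-BASE-S", "BIWEBAPP")}),
    Note("3460407", "CVE-2024-34688", "High", 7.5,
         {"MMR_SERVER": ["7.5"]}),
    Note("3459935", "CVE-2024-33003", "High", 7.4,
         {"HY_COM": ["1808", "1811", "1905", "2005", "2011", "2105", "2205"],
          "COM_CLOUD": ["2211"]}),
    Note("3466801", "CVE-2024-39593", "Medium", 6.9,
         {"VCM": ["3.00"]}),
    Note("3495876", "CVE-2023-0215/CVE-2022-0778/CVE-2023-0286", "Medium", 6.5,
         {"SAP Replication Server": ["16.0.3", "16.0.4"]}),
    Note("3459379", "CVE-2024-34683", "Medium", 6.5,
         {"S4CORE": ["100", "101"], "S4FND": ["102-108"],
          "SAP_BS_FND": ["702", "731", "746-748"]}),
]

PRIORITY_RANK = {"HotNews": 0, "High": 1, "Medium": 2}


def _vtuple(version: str) -> tuple:
    """'4.11.130' -> (4, 11, 130), so versions compare numerically rather than as text."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def version_affected(installed: str, spec: str) -> bool:
    """True if the installed version matches one spec: '430', '102-108' or '<4.11.130'."""
    if spec.startswith("<"):
        return _vtuple(installed) < _vtuple(spec[1:])
    rng = re.fullmatch(r"(\d+)-(\d+)", spec)
    if rng:
        lo, hi = int(rng.group(1)), int(rng.group(2))
        return installed.isdigit() and lo <= int(installed) <= hi
    return _vtuple(installed) == _vtuple(spec)


def triage(inventory: dict) -> list:
    """Return (note, matched components) pairs, HotNews first, then by CVSS descending."""
    hits = []
    for note in NOTES:
        matched = sorted(
            comp for comp, specs in note.affected.items()
            if comp in inventory
            and any(version_affected(inventory[comp], s) for s in specs)
        )
        if matched:
            hits.append((note, matched))
    hits.sort(key=lambda h: (PRIORITY_RANK[h[0].priority], -h[0].cvss))
    return hits


def report(inventory: dict) -> list:
    """One line per applicable note, in the order an administrator should work through them."""
    return [f"{n.priority:8} CVSS {n.cvss:<4} note {n.note} ({n.cve}) matched {', '.join(comps)}"
            for n, comps in triage(inventory)]


# Constructed inventory for the demo (component -> installed release); assumed values.
SAMPLE_INVENTORY = {
    "ENTERPRISE": "430",           # BusinessObjects BI platform, in scope of note 3479478
    "SAP Build Apps": "4.11.130",  # already at the fixed version, not in scope
    "MMR_SERVER": "7.5",           # in scope of note 3460407
    "S4FND": "107",                # inside the 102-108 range of note 3459379
    "SAP_BS_FND": "740",           # outside 702, 731 and 746-748
    "HY_COM": "2211",              # 2211 is listed only for COM_CLOUD, not HY_COM
}

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

A hit means a release line named in the note is installed, not that the system is unpatched: the note itself names the support package or patch level that carries the fix, so treat each hit as "verify patch level against the note". Keep the transcribed version lists in sync with the notes, since some of this month's 25 notes are updates to earlier ones and their affected ranges can change between releases.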
Complete List of August 2024 SAP Security Notes
To provide a complete overview of the security patches released this month, we have compiled the following table of all 25 security notes with their titles, priority levels, and CVSS scores.
Note# | Title | Priority | CVSS |
---|---|---|---|
3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.8 |
3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps | HotNews | 9.1 |
3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service | High | 8.2 |
3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) | High | 7.8 |
3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | High | 7.5 |
3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | High | 7.4 |
3466801 | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management | Medium | 6.9 |
3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | Medium | 6.5 |
3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | Medium | 6.5 |
3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework | Medium | 6.5 |
3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server | Medium | 6.3 |
3482217 | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation | Medium | 6.1 |
3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | Medium | 5.5 |
3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice | Medium | 5.4 |
3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce | Medium | 5.3 |
3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) | Medium | 5.0 |
3458789 | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Medium | 5.0 |
3468102 | [CVE-2024-41732] Improper Access Control in SAP Netweaver Application Server ABAP | Medium | 4.7 |
3150704 | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) | Medium | 4.5 |
3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform | Medium | 4.3 |
3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work | Medium | 4.3 |
3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder | Medium | 4.3 |
3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM) | Medium | 4.3 |
3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | 4.3 |
3454858 | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Medium | 4.1 |
This list covers every security note released on the August 2024 SAP Security Patch Day. Review each note and assess its relevance to your SAP landscape, since a Medium note that hits an exposed component can matter more to you than a HotNews note for a product you do not run.
Conclusion
The August 2024 SAP Security Patch Day, with its array of 25 security notes ranging from HotNews to medium priority, underscores the ongoing importance of vigilant SAP system security. By staying informed about these vulnerabilities and taking prompt action to apply the necessary patches, organizations can significantly reduce their risk exposure and maintain a robust security posture.