Skip links

SAP Security Patch Day – July 2024

Introduction

As we enter the second half of 2024, the SAP Security Patch Day for July has arrived, bringing with it a new set of critical updates for SAP systems worldwide. At RedRays, we understand the paramount importance of staying ahead in the ever-evolving landscape of cybersecurity. This report provides a comprehensive analysis of the latest SAP security patches, their implications, and how our solutions can help you maintain a robust security posture.

Overview of July 2024 SAP Security Patches

This month, SAP has released a total of 18 security notes, comprising 16 new patches and 2 updates to existing ones. While there are no HotNews notes this month, the release includes patches of varying criticality that demand attention from SAP administrators and security professionals.

Patch Breakdown:

  • High Priority: 2 patches
  • Medium Priority: 15 patches
  • Low Priority: 1 patch

Detailed Analysis of Key Security Notes

High Priority Patches

  1. Note 3483344 – [CVE-2024-39592] Missing Authorization check in SAP PDCE
    • Severity: High
    • CVSS Score: 7.7
    • This vulnerability in SAP PDCE could allow unauthorized access to sensitive functions. Immediate patching is crucial to prevent potential exploitation.
  2. Note 3490515 – [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce
    • Severity: High
    • CVSS Score: 7.2
    • This vulnerability affects the ‘early login and registration’ feature of SAP Commerce. It’s important to note that the fix differs between public and on-premise variants. For on-premise installations, manual steps may be required in addition to applying the patch.

Medium Priority Patches of Note

  1. Note 3466801 – [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management
    • Severity: Medium
    • CVSS Score: 6.9
    • This vulnerability could lead to unauthorized access to sensitive information in SAP Landscape Management. While not as critical as the high-priority patches, it should be addressed promptly.
  2. Note 3459379 – [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)
    • Severity: Medium
    • CVSS Score: 6.5
    • This note was updated at the end of June with changed correction instructions. If relevant to your system, ensure you review and implement the latest version of the patch.
  3. Note 3461110 – [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows
    • Severity: Medium
    • CVSS Score: 5.0
    • While this vulnerability only poses a significant risk if a user’s workstation is already compromised, it highlights the potential weaknesses in password-based systems. This underscores the importance of implementing more secure authentication methods like Single Sign-On (SSO).
  4. Notes 3476348 and 3476340 – Vulnerabilities in SAP Enable Now
    • Severity: Medium and Low
    • CVSS Scores: 4.3 and 3.3 respectively
    • These notes address vulnerabilities in SAP Enable Now. It’s crucial to note the differences between cloud and on-premise variants, as they require different remediation steps.

Other Notable Patches

  1. Note 3454858 – [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
    • Severity: Medium
    • CVSS Score: 4.1
    • This vulnerability relates to potential information disclosure when using certain function modules in SAP ABAP systems. While the patch addresses the immediate vulnerability, it also highlights the need for ongoing monitoring of sensitive module usage.

The Importance of Comprehensive Patch Management

The July 2024 SAP Security Patch Day emphasizes the ongoing need for vigilance in SAP system security. Unpatched vulnerabilities remain one of the primary attack vectors for cybercriminals, making timely and effective patch management crucial for maintaining a strong security posture.

At RedRays, we offer solutions designed to streamline and enhance your SAP security processes:

  1. RedRays Patch Intelligence: Our solution provides a comprehensive overview of your SAP landscape’s patch status. It allows you to assess the potential impact of patches before implementation, enabling informed decision-making and efficient patch prioritization.
  2. Continuous Threat Monitoring: Beyond patching, our monitoring solution tracks the usage of sensitive modules and functions in real-time. This proactive approach allows you to detect and respond to potential exploitation attempts quickly, even in patched systems.

Best Practices for SAP Security

In light of these recent patches, we recommend the following best practices:

  1. Timely Patch Application: Prioritize the application of high and medium priority patches, especially those affecting components critical to your business operations.
  2. Regular Security Assessments: Conduct periodic security assessments of your SAP landscape to identify potential vulnerabilities before they can be exploited.
  3. Implement Least Privilege: Ensure that users and processes have only the minimum necessary access rights to perform their functions.
  4. Enhance Authentication: Consider implementing stronger authentication methods, such as multi-factor authentication or SSO, particularly for sensitive systems and roles.
  5. Continuous Monitoring: Implement real-time monitoring of your SAP systems to detect and respond to suspicious activities promptly.

Complete List of July 2024 SAP Security Notes

To provide a comprehensive overview of all the security patches released this month, we’ve compiled the following table. This list includes all 18 security notes, their descriptions, severity levels, and CVSS scores.

NoteDescriptionSeverityCVSS
3483344[CVE-2024-39592] Missing Authorization check in SAP PDCEHigh7.7
3490515[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP CommerceHigh7.2
3466801[CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape ManagementMedium6.9
3459379[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)Medium6.5
3468681[CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditorMedium6.1
3482217[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and SimulationMedium6.1
3467377[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)Medium6.1
3457354[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)Medium5.4
3483993[CVE-2024-34689] Prerequisite for Security Note 3458789Medium5.0
3485805[CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services)Medium5.0
3469958[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)Medium5.0
3461110[CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for WindowsMedium5.0
3458789[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)Medium5.0
3456952[CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP PlatformMedium4.7
3476348[CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable NowMedium4.3
3101986Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UIMedium4.1
3454858[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP PlatformMedium4.1
3476340[CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable NowLow3.3

This comprehensive list provides a clear overview of all the security notes released in the July 2024 SAP Security Patch Day. It’s crucial to review each of these notes and assess their relevance to your SAP landscape. While we’ve highlighted some of the most critical patches earlier in this report, all of these security notes deserve attention and should be considered in your patch management strategy.

Conclusion

The July 2024 SAP Security Patch Day, with its array of 18 security notes ranging from high to low priority, underscores the ongoing importance of vigilant SAP system security. At RedRays, we’re committed to helping you navigate these challenges effectively.

Our Patch Intelligence and Continuous Threat Monitoring solutions are designed to streamline your patch management process and enhance your overall security posture. By providing comprehensive insights into your SAP landscape and real-time threat detection, we enable you to stay one step ahead of potential security risks.

Remember, effective SAP security is not just about applying patches – it’s about developing a holistic, proactive approach to protecting your critical business systems. With RedRays as your trusted partner, you can confidently face the evolving landscape of SAP security challenges.

Contact us today to learn more about how we can help strengthen your SAP security strategy and ensure the continued protection of your valuable business assets.

Stay secure, stay vigilant, and let RedRays be your guide in the complex world of SAP security.

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

More to explorer

SAP Hash Cracking Techniques

Understanding Hash Cracking Hashing is a one-way encryption technique employed to ensure data integrity, authenticate information, and secure passwords alongside other sensitive

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.