As the second Tuesday of September 2024 approaches, SAP administrators and security professionals are preparing for another crucial event: SAP Security Patch Day. This month's release addresses vulnerabilities across a range of SAP products and components, a reminder that patch discipline is a standing requirement in SAP environments rather than a one-off effort.
This month, 17 new security notes have been released. The highest CVSS score is 7.4, which falls in SAP's High priority band (7.0 to 8.9); there are no Hot News notes (CVSS 9.0 or above) this month. The affected products include SAP NetWeaver (AS ABAP, AS Java, Enterprise Portal and BW), SAP Commerce Cloud, SAP BusinessObjects BI Platform and several industry solutions.
The most significant vulnerability this month is an information disclosure issue in SAP Commerce Cloud (CVE-2024-33003) with a CVSS score of 7.4. This high-priority vulnerability could allow unauthorized access to sensitive information. Also worth attention is a Cross-Site Scripting (XSS) vulnerability in the SAP NetWeaver AS Java logon application (CVE-2024-45280): although its CVSS score is only 4.8, a logon page is reachable before authentication, so a script injected there could be used to compromise user sessions.
Let's look at five of this month's notes in more detail, ordered by CVSS score. Note that this is not a strict top five: the SAP Replication Server (FOSS) note also scores 6.5, CVE-2024-42378 also scores 6.1 and CVE-2024-45283 scores 6.0; all of them appear in the full table below.
1. CVE-2024-33003 in SAP Commerce Cloud, CVSS 7.4, is an information disclosure vulnerability that could lead to unauthorized access to sensitive data.
2. CVE-2024-45286 in SAP Production and Revenue Accounting, CVSS 6.5, is a missing authorization check in the Tobin interface that could allow unauthorized access to sensitive financial data.
3. CVE-2024-45279 in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), CVSS 6.1, is a Cross-Site Scripting (XSS) vulnerability that could be used to compromise user sessions.
4. CVE-2024-45281 in SAP BusinessObjects Business Intelligence Platform, CVSS 5.8, is a DLL hijacking vulnerability that could be used for privilege escalation.
5. A single note covering multiple vulnerabilities (several CVEs) in SAP NetWeaver Application Server for ABAP and ABAP Platform carries a CVSS score of 5.4. SAP assigns one score per security note, so this is the score of the most serious issue in the bundle, not a combined score; the issues could impact the integrity and availability of the ABAP platform.
Below is a complete table of all vulnerabilities patched this month:
CVE | Component | Vulnerability Type | CVSS |
---|---|---|---|
CVE-2024-33003 | SAP Commerce Cloud | Information Disclosure | 7.4 |
CVE-2024-45286 | SAP Production and Revenue Accounting (Tobin interface) | Missing Authorization Check | 6.5 |
CVE-2024-45281 | SAP BusinessObjects Business Intelligence Platform | DLL Hijacking | 5.8 |
Multiple CVEs | SAP NetWeaver AS for ABAP and ABAP Platform | Multiple Vulnerabilities | 5.4 |
CVE-2024-45279 | SAP NetWeaver AS for ABAP (CRM Blueprint Application Builder) | Cross-Site Scripting (XSS) | 6.1 |
CVE-2024-45280 | SAP NetWeaver AS Java (Logon Application) | Cross-Site Scripting (XSS) | 4.8 |
CVE-2024-45283 | SAP NetWeaver AS for Java (Destination Service) | Information Disclosure | 6.0 |
CVE-2024-44112 | SAP for Oil & Gas (Transportation and Distribution) | Missing Authorization Check | 4.3 |
CVE-2024-44120 | SAP NetWeaver Enterprise Portal | Cross-Site Scripting (XSS) | 4.7 |
CVE-2024-42378 | eProcurement on S/4HANA | Cross-Site Scripting (XSS) | 6.1 |
CVE-2024-44113 | SAP Business Warehouse (BEx Analyzer) | Information Disclosure | 4.3 |
CVE-2024-41729 | SAP NetWeaver BW (BEx Analyzer) | Information Disclosure | 4.3 |
CVE-2013-3587 | SAP Commerce Cloud | Information Disclosure | 5.9 |
CVE-2024-44114 | SAP NetWeaver AS for ABAP and ABAP Platform | Missing Authorization Check | 2.0 |
CVE-2024-45284 | SAP Student Life Cycle Management (SLcM) | Missing Authorization Check | 2.7 |
CVE-2024-41728 | SAP NetWeaver AS for ABAP and ABAP Platform | Missing Authorization Check | 2.7 |
Multiple CVEs | SAP Replication Server (FOSS) | Multiple Vulnerabilities | 6.5 |
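A small triage helper for tables like the one above, added here as an example (not SAP's own tooling): it parses the markdown table as printed on this page, maps each note's CVSS score to SAP's published priority bands (Hot News 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), orders the notes into a patch queue by score and flags rows where one note bundles several CVEs, since those rows carry the score of the worst issue rather than a combined score. The table text is copied from this page; everything else (names, functions) is the example's own.

```python
"""Triage helper for a monthly SAP Security Patch Day table (added example).

Parses the markdown table from the post, maps each note's CVSS score to the
SAP priority band and emits a patch queue ordered by severity. The priority
bands are SAP's published ones; the parsing and ordering logic is this
example's own, not SAP tooling.
"""
from dataclasses import dataclass
import re

# Sample input: the September 2024 table exactly as printed on the page.
SEPTEMBER_2024_TABLE = """\
CVE | Component | Vulnerability Type | CVSS |
---|---|---|---|
CVE-2024-33003 | SAP Commerce Cloud | Information Disclosure | 7.4 |
CVE-2024-45286 | SAP Production and Revenue Accounting (Tobin interface) | Missing Authorization Check | 6.5 |
CVE-2024-45281 | SAP BusinessObjects Business Intelligence Platform | DLL Hijacking | 5.8 |
Multiple CVEs | SAP NetWeaver AS for ABAP and ABAP Platform | Multiple Vulnerabilities | 5.4 |
CVE-2024-45279 | SAP NetWeaver AS for ABAP (CRM Blueprint Application Builder) | Cross-Site Scripting (XSS) | 6.1 |
CVE-2024-45280 | SAP NetWeaver AS Java (Logon Application) | Cross-Site Scripting (XSS) | 4.8 |
CVE-2024-45283 | SAP NetWeaver AS for Java (Destination Service) | Information Disclosure | 6.0 |
CVE-2024-44112 | SAP for Oil & Gas (Transportation and Distribution) | Missing Authorization Check | 4.3 |
CVE-2024-44120 | SAP NetWeaver Enterprise Portal | Cross-Site Scripting (XSS) | 4.7 |
CVE-2024-42378 | eProcurement on S/4HANA | Cross-Site Scripting (XSS) | 6.1 |
CVE-2024-44113 | SAP Business Warehouse (BEx Analyzer) | Information Disclosure | 4.3 |
CVE-2024-41729 | SAP NetWeaver BW (BEx Analyzer) | Information Disclosure | 4.3 |
CVE-2013-3587 | SAP Commerce Cloud | Information Disclosure | 5.9 |
CVE-2024-44114 | SAP NetWeaver AS for ABAP and ABAP Platform | Missing Authorization Check | 2.0 |
CVE-2024-45284 | SAP Student Life Cycle Management (SLcM) | Missing Authorization Check | 2.7 |
CVE-2024-41728 | SAP NetWeaver AS for ABAP and ABAP Platform | Missing Authorization Check | 2.7 |
Multiple CVEs | SAP Replication Server (FOSS) | Multiple Vulnerabilities | 6.5 |
"""


def sap_priority(cvss: float) -> str:
    """Map a CVSS v3 base score to SAP's security note priority band."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS out of range: {cvss}")
    if cvss >= 9.0:
        return "Hot News"
    if cvss >= 7.0:
        return "High"
    if cvss >= 4.0:
        return "Medium"
    return "Low"


@dataclass(frozen=True)
class Note:
    cve: str
    component: str
    vuln_type: str
    cvss: float

    @property
    def priority(self) -> str:
        return sap_priority(self.cvss)

    @property
    def bundles_multiple_cves(self) -> bool:
        # SAP assigns one score per note; a note that covers several CVEs carries
        # the score of its worst issue, so the row is flagged for manual review.
        return re.fullmatch(r"CVE-\d{4}-\d{4,}", self.cve) is None


def parse_table(text: str) -> list[Note]:
    """Parse a 4-column markdown table (CVE | Component | Type | CVSS)."""
    notes = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        # Skip the header row, the ---|--- separator and anything malformed.
        if len(cells) != 4 or cells[0] == "CVE" or set(cells[0]) <= {"-"}:
            continue
        try:
            cvss = float(cells[3])
        except ValueError:
            continue
        notes.append(Note(cells[0], cells[1], cells[2], cvss))
    return notes


def patch_queue(notes: list[Note]) -> list[Note]:
    """Highest CVSS first; ties broken by CVE id so the order is deterministic."""
    return sorted(notes, key=lambda n: (-n.cvss, n.cve))


def summarize(notes: list[Note]) -> dict[str, int]:
    """Count notes per SAP priority band."""
    counts: dict[str, int] = {}
    for n in notes:
        counts[n.priority] = counts.get(n.priority, 0) + 1
    return counts


if __name__ == "__main__":
    queue = patch_queue(parse_table(SEPTEMBER_2024_TABLE))
    for n in queue:
        flag = "  (one note, several CVEs)" if n.bundles_multiple_cves else ""
        print(f"{n.cvss:4.1f}  {n.priority:<8}  {n.cve:<15}  {n.component}{flag}")
    print(summarize(queue))
```

Run as a script, the output lists CVE-2024-33003 first as the only High note, then the two 6.5 entries, and puts the three Low notes at the end; feed next month's table into `parse_table` unchanged to reuse it.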