Skip links
RedRays - Your SAP Security Solution
RedRays SAP Security Team

RedRays SAP Security Team

XML Injection Vulnerability in SAP BEx Web Java Runtime Export Web Service (CVE-2024-42374)

Vulnerability Details

  • CVE ID: CVE-2024-42374
  • CVSS v3.0 Base Score: 8.2 (High)
  • Affected Component: SAP BEx Web Java Runtime Export Web Service
  • Vulnerability Type: XML Injection

Description

The vulnerability affects the BEx Web Java Runtime Export Web Service, which fails to sufficiently validate XML documents accepted from untrusted sources. This flaw allows an attacker to potentially retrieve information from the SAP ADS system and exhaust the number of XMLForm services, rendering the SAP ADS PDF creation functionality unavailable.

Impact

If successfully exploited, this vulnerability can lead to:

  • Confidentiality breach: Unauthorized retrieval of information from the SAP ADS system
  • Availability disruption: Potential denial of service for SAP ADS rendering (PDF creation)

The high CVSS score of 8.2 underscores the severity of this vulnerability and the urgent need for patching.

Affected Versions

  • SAP NetWeaver BI 7.50
  • Specific to PDF export using Java ALV and ADS


PoC

Details will be available in 3 months after this patch day.

 Patch of CVE-2024-42374 vulnerability

Mitigation

SAP has released patches to address this vulnerability. The XML parser has been updated to check for vulnerabilities in the XML input.

Patch Information

For SAP NetWeaver BI 7.50 systems:

  • Import the BI Java Patch for SAP NW 7.50 BI JAVA into your BI-System
  • Refer to SAP Note 3377693 for detailed delivery information and other available patch options
  • Also consult SAP Note 1512355 for the delivery schedule

Patches are available for the following components:

  1. BI BASE EXPORT SERVICES 7.50
  2. BI BASE FOUNDATION 7.50
  3. BI BASE SERVICES 7.50

It is strongly recommended that all affected organizations apply these patches as soon as possible.

Workaround

SAP has not provided any workaround for this vulnerability. The only mitigation is to apply the provided patches.

Recommendations

  1. Identify all instances of SAP NetWeaver BI 7.50 in your organization, particularly those using BEx Web Java Runtime Export Web Service.
  2. Prioritize the application of the security patches based on the criticality of the affected systems.
  3. Conduct a thorough security assessment of your BI environment to identify any potential compromise.
  4. Review and enhance your input validation mechanisms, especially for XML documents from untrusted sources.
  5. Monitor system logs for any suspicious activities, particularly those related to PDF exports and ADS rendering.

Conclusion

The discovery of CVE-2024-42374 highlights the ongoing importance of robust security measures in business intelligence platforms, particularly in data export functionalities. Organizations using SAP NetWeaver BI should treat this vulnerability with high urgency and apply the patches immediately to protect their critical business data and operations.

Udemy SAP Security Course.

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. This course will help you master SAP security fundamentals, from securing SAP environments to managing user access and addressing vulnerabilities. It is ideal for IT professionals and SAP administrators, providing practical skills to safeguard critical business assets. Whether you’re a beginner or an expert looking to deepen your SAP security knowledge, this course is perfect for you.

More to explorer

SAP Security Patch Day – September 2024

September 10, 2024

As the second Tuesday of September 2024 approaches, SAP administrators and security professionals are preparing for another crucial event: SAP Security Patch

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN