SAP Patch Day: January 2024
Highlights of January SAP Security Notes analysis include:
- January Summary—12 new and updated SAP security patches released, including three HotNews Notes and four High Priority Notes
- SAP HotNews Notes—Additional SAP solution and existing custom applications based on node.js affected
- Onapsis Research Labs Contribution—Our team supported SAP in patching an In Disclosure vulnerability in SAP ICM and SAP Web Dispatcher
The new SAP Security year has started with 12 new and updated SAP Security Notes, including three HotNews Notes and four High Priority Notes.
SAP HotNews Security Note #3411067, tagged with a CVSS score of 9.1, was initially released in December 2023 and patches a critical Privilege Escalation vulnerability in SAP BTP Security Services Integration Libraries and Programming Infrastructure. The vulnerabilities are tracked under CVE-2023-49583, CVE-2023-50422, CVE-2023-50423, and CVE-2023-50424.
The note was updated one day after December Patch Day with additional information in multiple text sections. Customers who already applied the patch are not affected.
The new HotNews Notes in Detail
SAP has detected additional applications that can be affected by one or more of the CVEs that were addressed in SAP Security Note #3411067.
SAP Security Note #3413475, tagged with a CVSS score of 9.1, patches an Escalation of Privileges vulnerability in SAP Edge Integration Cell due to CVE-2023-49583 and CVE-2023-50422. SAP Edge Integration Cell depends on SAP BTP Security Services Integration Libraries and Programming Infrastructures and is a hybrid solution that is offered with the SAP Integration Suite to enable API-led integration. SAP has released the version 8.9.13 of SAP Edge Integration Cell which patches the vulnerability. Lower, unpatched versions, allow unauthenticated attackers to obtain arbitrary permissions within the application.
SAP Security Note #3412456, tagged with a CVSS score of 9.1, addresses SAP customers who have existing node.js applications that were created with SAP Business Application Studio, SAP Web IDE Full-Stack, or SAP Web IDE for SAP HANA. Such applications can also be affected by CVE-2023-49583, mentioned above, since their dependencies might refer to vulnerable versions of the libraries @sap/approuter and @sap/xssec. Therefore, note #3412456 recommends upgrading the dependencies of existing node.js applications to the newest versions of these libraries introduced with SAP Security Note #3411067.
The HotPriority Notes in Detail
SAP Security Note #3411869, tagged with a CVSS score of 8.4, patches a Code Injection vulnerability in SAP Application Interface Framework (File Adapter). A vulnerable function module of the application allows an attacker to traverse through various layers and execute OS commands directly. Successful exploits can cause considerable impact on confidentiality, integrity and availability of the application. SAP already patched an SQL Injection vulnerability of the affected function module in 2012 with SAP Security Note #1673713. Due to the now detected, more critical, OS Command Injection vulnerability and based on the fact that the function module was meanwhile flagged as Obsolete, SAP decided to disable the complete function module with SAP Note #3411869.
SAP Security Note #3389917, tagged with a CVSS score of 7.5, affects the standalone SAP Web Dispatcher, SAP Web Dispatcher embedded in the ASCS instance, and Internet Communication Manager (ICM) in SAP NetWeaver Application Server ABAP. If unpatched, the vulnerability allows an unauthenticated attacker to perform a DOS attack over the network by generating a massive number of HTTP/2 requests and canceling them later. Attackers could use this technique to flood the memory and cause a high impact on the availability of the application. The vulnerability affects only the HTTP/2 protocol. HTTP/1 is not affected.
SAP Security Note #3386378, tagged with a CVSS score of 7.4, patches an Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge). The note does not provide details of the vulnerability, but it seems like too much information was added to the URL headers, exposing sensitive information. SAP recommends downloading and installing SAP GUI connector for Microsoft Edge, version 3.0 accessible under https://microsoftedge.microsoft.com/addons/detail/sap-gui-connector-for-mic/mhpigfckgphoiifbehgajfbkocihbaho. The note also describes a workaround based on restricting access to specific sites. But as always, SAP points out that this workaround is a temporary fix and is not a permanent solution.
A manual correction is required to patch an Improper Authorization Check vulnerability in SAP LT Replication(LTR) Server. Based on SAP Security Note #3407617, tagged with a CVSS score of 7.3, customers must assign a job user to the LTR jobs who has role SAP_IUUC_REPL_ADMIN and all rule specific authorizations assigned. It’s possible we can expect an update of this note in the near future since the solution seems to be incomplete. The Solution section of the note says that the “Authorization check has been approved”. So, one would expect some updated workbench objects and not only an adjustment of the involved user and the assigned authorizations. At the time of writing this blog post, the note does not include any automatic correction for workbench objects.
Onapsis Contribution
The Onapsis Research Labs (ORL) supported SAP in patching an Information Disclosure vulnerability in SAP Internet Communication Manager (ICM) and SAP Web Dispatcher. The vulnerability was detected by our ORL team during a pen test. They recognized that under certain conditions, SAP ICM and SAP Web Dispatcher could allow an attacker to access information which would otherwise be restricted. The vulnerability may occur when the HTTP logging handler is configured to log cookies or all the request/response headers via the profile parameter icm/HTTP/logging_<x> or icm/HTTP/logging_client_<x>, using specific patterns for the LOGFORMAT parameter. The corresponding SAP Security Note #3392626 is tagged with a CVSS score of 4.1 and refers to the appropriate kernel and SAP Web Dispatcher patches.
Summary & Conclusions
With only twelve Security Notes, 2024 has started with a calm Patch Day. But since this number includes two new HotNews and four High Priority Notes, all affected customers should apply the corresponding patches as soon as possible to prevent the new year from starting with bad surprises.
| SAP Note | Type | Description | Priority | CVSS |
| 3324732 | Update | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) BC-JAS-SEC | Medium | 5,3 |
| 3413475 | New | [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell BC-CP-IS-EDG-DPL | HotNews | 9,1 |
| 3407617 | New | [CVE-2024-21735] Improper Authorization check in SAP LT Replication Server CA-LT-SLT | High | 7,3 |
| 3412456 | New | [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA CA-BAS-S8D | HotNews | 9,1 |
| 3260667 | New | [CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) FIN-FSCM-PF-IHB | Medium | 6,4 |
| 3190894 | New | [CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App) CEC-MKT-DM-CON | Low | 3,7 |
| 3386378 | New | [CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) BC-FES-CTL | High | 7,4 |
| 3392626 | New | [CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager BC-CST-IC | Medium | 4,1 |
| 3389917 | New | [CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform BC-CST-IC | High | 7,5 |
| 3411869 | New | [CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) BC-SRV-AIF | High | 8,4 |
| 3387737 | New | [CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform BC-SRV-COM | Medium | 4,1 |
| 3411067 | Update | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries BC-CP-CF-SEC-LIB | HotNews | 9,1 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.