SAP Patch Day: May 2024

Security Notes

Onapsis Research Labs supported SAP in patching a critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform

Author: Thomas Fritsch

Highlights of May SAP Security Notes analysis include:

  • May Summary: Seventeen new and updated SAP security patches released, including three HotNews Notes and one High Priority Note.
  • HotNews Note for SAP CX Commerce: Two vulnerabilities patched, both posing high risks to confidentiality, integrity, and availability of the application.
  • Onapsis Research Labs Contribution: Our team supported SAP in patching one HotNews and two Medium Priority Notes.

SAP has released seventeen SAP Security Notes on its May Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes three HotNews Notes and one High Priority Note.

One of the three HotNews Notes in May is the periodically recurring SAP Security Note #2622660, which patches the latest Chromium vulnerabilities for SAP Business Client. It patches twenty-three Chromium vulnerabilities, including thirteen High Priority patches. The maximum CVSS score of all fixed vulnerabilities has not yet been specified by SAP.

The New HotNews Notes in Detail

SAP Security Note #3455438, tagged with a CVSS score of 9.8, patches two critical vulnerabilities in SAP Customer Experience (CX) Commerce.

Both vulnerabilities are caused by external libraries used in SAP Commerce Cloud:

  • The Swagger UI library is vulnerable to CVE-2019-17495 (CSS injection), allowing an attacker to apply the Relative Path Overwrite (RPO) technique in CSS-based input fields.
  • The Apache Calcite Avatica library, version 1.18.0, is vulnerable to CVE-2022-36364 (remote code execution). The JDBC driver of this library does not check for expected interfaces before instantiating classes, allowing arbitrary classes to be loaded and executed and, in rare cases, remote code execution.

The second vulnerability is tagged with a CVSS score of 8.8 (compared to 9.8 for the first one) since the attacker requires a minimum set of privileges for a successful exploit.

SAP Commerce Cloud Patch Release 2205.24 contains the fixed versions of the affected libraries.

SAP Security Note #3448171, tagged with a CVSS score of 9.6, is the second new HotNews Note. It patches a critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.

The Onapsis Research Labs (ORL) detected that, due to a missing signature check for two content repositories, an unauthenticated attacker can upload a malicious file to the server which, when accessed by a victim, can allow the attacker to completely compromise the system.

Important: SAP provides a secure default configuration with the support packages mentioned in the note. SAP points out that this secure default only applies to new installations; administrators of existing installations are therefore required to apply manual configuration changes after upgrading to the respective support package level. The note refers to the knowledge base article #3448453, which was still under maintenance at the time of writing this blog post.
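The note above describes the root cause only as a missing signature check on the content repository. To make the defensive point concrete, the following is an added illustration (not SAP's Content Server protocol, not code from the note, and not Onapsis' code) of what such a check looks like in generic form: an upload is accepted only if it carries a valid, unexpired HMAC signature over the document id, the content hash and an expiry time. The secret, the field names and the signing scheme are all assumptions made for this example.

```python
import hashlib
import hmac
from typing import Optional

# Constructed shared secret for the illustration only; a real repository
# would hold this in protected configuration, never in source code.
REPOSITORY_SECRET = b"constructed-demo-secret"


def sign_upload(doc_id: str, content_sha256: str, expires: int,
                secret: bytes = REPOSITORY_SECRET) -> str:
    """Signature a trusted component attaches to an upload request.

    The message binds the target document id, a hash of the bytes being
    uploaded and an expiry timestamp, so none of them can be swapped later.
    """
    msg = f"{doc_id}|{content_sha256}|{expires}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


def accept_upload(doc_id: str, content: bytes, expires: int, now: int,
                  signature: Optional[str],
                  secret: bytes = REPOSITORY_SECRET) -> bool:
    """Hardened server-side check run before a file is stored.

    The vulnerable pattern described in the note is the absence of this
    function: an upload with no signature at all would be stored. Here a
    missing signature, an expired request, tampered content or a wrong
    signature are all rejected.
    """
    if signature is None:
        return False                      # unauthenticated upload: refuse
    if now > expires:
        return False                      # replayed request past its expiry
    expected = sign_upload(doc_id, hashlib.sha256(content).hexdigest(),
                           expires, secret)
    # Constant-time comparison so timing does not leak the valid signature.
    return hmac.compare_digest(expected, signature)


if __name__ == "__main__":
    # Constructed sample upload.
    content = b"<html>constructed sample document</html>"
    sig = sign_upload("DOC-0001", hashlib.sha256(content).hexdigest(), 1_700_000_600)
    print("signed upload accepted:",
          accept_upload("DOC-0001", content, 1_700_000_600, 1_700_000_000, sig))
    print("unsigned upload accepted:",
          accept_upload("DOC-0001", content, 1_700_000_600, 1_700_000_000, None))
```

The design point is that the signature must cover everything the server will act on (target id, content, validity window) and that the absence of a signature is treated exactly like an invalid one; a check that is skipped when the field is empty reproduces the "missing signature check" weakness the note describes.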

The New High Priority Note in Detail

SAP Security Note #3431794, tagged with a CVSS score of 8.1, patches a Cross-Site Scripting vulnerability in SAP BusinessObjects Business Intelligence Platform. Insufficient user input sanitization allows an attacker to manipulate a parameter in the Opendocument URL. A successful exploit can have a significant impact on the application’s confidentiality and integrity.

Further Contribution of the Onapsis Research Labs

In addition to HotNews Note #3448171, the ORL contributed to fixing two Cross-Site Scripting vulnerabilities, both tagged with a CVSS score of 6.1.

SAP Security Note #3460772 disables the obsolete Document Service handler of the Data Provisioning Service in SAP S/4HANA. Insufficient encoding of user-controlled inputs makes this handler vulnerable to Cross-Site Scripting (XSS).

The ORL detected another Cross-Site Scripting vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform. Due to missing input validation and output encoding of untrusted data, an unauthenticated attacker can inject malicious JavaScript code into a dynamically created web page. Successful exploitation allows reading and modifying sensitive information. SAP Security Note #3450286 provides the required patch, which includes proper encoding.
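The three XSS notes above (#3431794, #3460772 and #3450286) share one root cause: untrusted input reaches a dynamically built page without validation or context-appropriate output encoding. The following added example (not SAP's code and not the patched handlers) shows the vulnerable pattern next to the hardened one in Python: a URL parameter is placed into both an attribute/URL context and an element-body context, first unencoded and then with per-context encoding plus an allowlist validation step. The parameter name, page layout and sample payload are constructed for the illustration.

```python
import html
import re
from urllib.parse import quote

# Constructed attacker-controlled query parameter value (not from the notes).
SAMPLE_PARAM = '"><script>alert(1)</script>'


def validate_name(param: str) -> bool:
    """Input validation layer: accept only an allowlisted character set.

    The pattern is an assumption for this example; a real handler allowlists
    whatever its parameter legitimately needs, and nothing more.
    """
    return re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", param) is not None


def render_unencoded(param: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into HTML.

    A value containing a quote and a '>' closes the attribute and the tag,
    and the rest of the value is parsed as markup.
    """
    return (
        '<div class="result">'
        f'<a href="/report?name={param}">{param}</a>'
        '</div>'
    )


def render_encoded(param: str) -> str:
    """Hardened pattern: encode for each output context before building the page."""
    # URL-inside-attribute context: percent-encode the value so it cannot
    # introduce new URL syntax, then HTML-escape the full attribute value
    # (quote=True also escapes the double quote that delimits it).
    href = html.escape("/report?name=" + quote(param, safe=""), quote=True)
    # Element-body context: HTML-escape so '<' and '>' are inert text.
    body = html.escape(param, quote=True)
    return f'<div class="result"><a href="{href}">{body}</a></div>'


def contains_raw_markup(page: str, fragment: str) -> bool:
    """Crude check used here to show whether a fragment survived unencoded."""
    return fragment in page


if __name__ == "__main__":
    print("validated:", validate_name(SAMPLE_PARAM))
    print("unencoded:", render_unencoded(SAMPLE_PARAM))
    print("encoded:  ", render_encoded(SAMPLE_PARAM))
```

Validation and encoding are complementary rather than alternatives: the allowlist rejects obviously malformed values early, while the encoding guarantees that whatever does reach the page is rendered as data in its specific context. Encoding once for "HTML" is not enough when the same value lands in a URL attribute, which is why the example encodes the href twice in layered fashion.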

Summary & Conclusions

With seventeen Security Notes, SAP’s May Patch Day is an average one. The Onapsis Research Labs has once more supported SAP in patching three vulnerabilities, including a very critical File Upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform.

SAP Note | Type | Description | Component | Priority | CVSS
2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DSK | HotNews | 10.0
3455438 | New | [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce | CEC-SCC-PLA-PL | HotNews | 9.8
3448171 | New | [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-SRV-KPR-CMS | HotNews | 9.6
3431794 | New | [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | BI-BIP-INV | High | 8.1
3448445 | New | [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform | BC-SRV-GBT-GOS | Medium | 6.5
3441944 | Update | [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager | KM-SEN-MGR | Medium | 6.5
3460772 | New | [CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS) | BC-EIM-ESH | Medium | 6.1
3450286 | New | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-AC | Medium | 6.1
3447467 | New | [CVE-2024-32731] Missing Authorization check in SAP My Travel Requests | FI-TV-ODT-MTR | Medium | 5.5
2745860 | Update | Information Disclosure in Enterprise Services Repository of SAP Process Integration | BC-XI-IBD-INF | Medium | 5.3
3349468 | New | [CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server | BC-SYB-REP | Medium | 4.9
3449093 | New | [CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices) | BI-BIP-INV | Medium | 4.3
3434666 | New | [Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) | FI-FIO-AR-PAY | Medium | 4.3
2174651 | Update | Potential information disclosure relating to PI Integration Directory | BC-XI-IBC | Medium | 4.3
1938764 | New | [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM) | EHS-SAF-GLM | Medium | 4.2
3392049 | New | [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management | FIN-FSCM-CLM-BAM | Low | 3.5
3446076 | New | [CVE-2024-33007] Client-side script execution vulnerability in SAP UI5 (PDFViewer) | CA-UI5-SC | Low | 3.5

As always, the Onapsis Research Labs has already updated The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.