SAP Patch Day: November 2024
Highlights of November SAP Security Notes analysis include:
- November Summary — Ten new and updated SAP security patches released, including two High Priority Notes
- SAP High Priority Notes — Cross-Site Scripting vulnerability in SAP Web Dispatcher allows execution of arbitrary code on the server
- Onapsis Research Labs Contribution — Our team supported SAP in patching three vulnerabilities in November
SAP has published ten new and updated SAP Security Notes in its November Patch Day, including two High Priority Notes. Three Security Notes were published with contributions from the Onapsis Research Labs.
High Priority SAP Security Note #3483344, tagged with a CVSS score of 7.7, is an update to a note initially released on SAP’s July Patch Day. The Onapsis Research Labs (ORL) detected a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE). A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data, putting the system’s confidentiality at high risk. The patch disables the vulnerable function module. The update note adds a patch for software component SEM-BW 600.
The New High Priority Note
SAP Security Note #3520281, tagged with a CVSS score of 8.8, is the only new High Priority Note in November. The ORL identified a scenario in SAP Web Dispatcher that allows an unauthenticated attacker to publish a malicious link. When an authenticated user with administrative rights clicks on this link, the input data is used by the web site page generation to create content that is either executed in the victim’s browser (XSS) or transmitted to another server (SSRF), giving the attacker the ability to execute arbitrary code on the server. This can lead to a full compromise of confidentiality, integrity, and availability. The vulnerability only affects customers who have the Admin UI of SAP Web Dispatcher enabled.
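As an added illustration of the two outcomes the note describes (example code, not SAP's or this post's), the following Python snippet contrasts the vulnerable pattern of placing request input into generated markup with an escaped version, and adds an allow-list check for outbound targets of the kind that closes the SSRF direction. The query string, the host names and the function names are constructed for the example and do not come from the note.

```python
import html
from urllib.parse import parse_qs, urlparse

# Constructed query string (placeholder payload, not from the SAP note): the
# kind of parameters a crafted link could carry to an administrative page.
TAINTED_QUERY = "view=%3Cscript%3Ealert(1)%3C%2Fscript%3E&target=http%3A%2F%2Fattacker.example%2F"

# Assumed allow-list of hosts the admin page may contact on a user's behalf.
ALLOWED_TARGET_HOSTS = {"backend.internal.example"}


def render_page_unsafe(query: str) -> str:
    """Vulnerable pattern: request input is concatenated into the page verbatim,
    so markup in the parameter is executed by the victim's browser (XSS)."""
    view = parse_qs(query).get("view", [""])[0]
    return f"<h1>Admin UI: {view}</h1>"


def render_page_safe(query: str) -> str:
    """Hardened: untrusted values are HTML-escaped before they reach the markup."""
    view = parse_qs(query).get("view", [""])[0]
    return f"<h1>Admin UI: {html.escape(view, quote=True)}</h1>"


def is_allowed_target(url: str) -> bool:
    """Hardened SSRF check: only absolute http(s) URLs whose host is on the
    allow-list may be contacted on the server side; everything else is rejected."""
    parsed = urlparse(url)
    return parsed.scheme in ("http", "https") and parsed.hostname in ALLOWED_TARGET_HOSTS


def handle_request(query: str) -> dict:
    """Safe handling of both parameters from one request."""
    params = parse_qs(query)
    target = params.get("target", [""])[0]
    return {
        "html": render_page_safe(query),
        "target_allowed": is_allowed_target(target),
    }


if __name__ == "__main__":
    print("unsafe :", render_page_unsafe(TAINTED_QUERY))
    print("safe   :", render_page_safe(TAINTED_QUERY))
    print("request:", handle_request(TAINTED_QUERY))
```

The permanent fix for the Web Dispatcher issue is the patch from the note; the snippet only shows the two defensive controls that the vulnerability class calls for, output encoding for reflected input and an explicit allow-list for any URL the server fetches on a user's behalf.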
In addition to the final patch, SAP also provides three options for a (temporary) workaround:
- Disabling the Admin UI through file deletion
- Disabling the Admin UI through profile parameter changes
- Removing the administrative role from all users
The options behave differently after applying the permanent patch:
| Option | Must be reversed after updating to permanent patch | Must be repeated after updating to a patch level that is lower than the patch level mentioned in the note |
|---|---|---|
| File deletion | No | Yes |
| Profile Parameter | Yes | No |
| Admin role | No | No |
For further information on prerequisites see the FAQ in SAP Note #3526389.
Onapsis Contribution
Once again, our Onapsis Research Labs (ORL) team contributed to some of the November Security Notes: in addition to the only new High Priority Note #3520281, also two Medium Priority Notes.
SAP Security Note #3504390, tagged with a CVSS score of 5.3, affects SAP NetWeaver Application Server for ABAP and ABAP Platform. The team detected that the kernel is vulnerable to a NULL pointer dereference that can be triggered by an unauthenticated attacker sending maliciously crafted HTTP requests. This results in a reboot of the involved disp+work process and therefore slightly impacts the availability of the system.
SAP Security Note #3522953, tagged with a CVSS score of 4.7, patches an Information Disclosure vulnerability in the Software Update Manager (SUM) of an SAP NetWeaver Application Server Java. Under certain conditions, version 1.1 of the SUM writes plaintext credentials into a log file. This information can be read by a non-administrative user with local access.
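The two conditions that make this finding exploitable, credentials written unmasked and a log file that other local users can read, can be checked together. The following Python script is an added example (not SUM code, and not from the note): the log excerpt is constructed, the credential patterns are assumptions about common log shapes, and the "exposed" rule is the author's own combination of the two checks.

```python
import os
import re
import stat
import tempfile

# Constructed log excerpt in the style of an upgrade tool's trace. The lines
# and values are made up for this example; they are not SUM output.
SAMPLE_LOG = """\
2024-11-12 09:14:01 INFO  Connecting to system J2E
2024-11-12 09:14:01 DEBUG jdbc url=jdbc:sap://db.example:30015 user=SAPJ2E password=Secret123!
2024-11-12 09:14:02 INFO  Phase PREP_INIT finished
2024-11-12 09:14:03 DEBUG call to /sld/ds with Authorization: Basic QWxhZGRpbjpvcGVuIHNlc2FtZQ==
2024-11-12 09:14:04 INFO  password=******** (masked by tool)
"""

# Assumed patterns for the most common plaintext-credential shapes in logs.
CREDENTIAL_PATTERNS = [
    ("password", re.compile(r"(?i)\bpass(?:word|wd)?\s*[=:]\s*(?P<v>\S+)")),
    ("basic-auth", re.compile(r"Authorization:\s*Basic\s+(?P<v>[A-Za-z0-9+/=]+)")),
]


def looks_masked(value: str) -> bool:
    """A value made only of mask characters was already redacted by the writer."""
    return set(value) <= set("*xX#")


def find_credential_leaks(log_text: str) -> list:
    """Return (line number, pattern label) for every unmasked credential."""
    hits = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for label, pattern in CREDENTIAL_PATTERNS:
            match = pattern.search(line)
            if match and not looks_masked(match.group("v")):
                hits.append((lineno, label))
    return hits


def readable_by_others(mode: int) -> bool:
    """True when the group or world read bit is set, i.e. a local user who is
    not the file owner could open the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def assess_log_file(path: str) -> dict:
    """Combine both checks: leaked secrets matter most when someone else can read them."""
    with open(path, encoding="utf-8") as fh:
        leaks = find_credential_leaks(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "leaks": leaks,
        "readable_by_others": readable_by_others(mode),
        "exposed": bool(leaks) and readable_by_others(mode),
    }


if __name__ == "__main__":
    # Write the constructed sample with a permissive mode to show a positive finding.
    with tempfile.NamedTemporaryFile("w", suffix=".log", delete=False) as tmp:
        tmp.write(SAMPLE_LOG)
    os.chmod(tmp.name, 0o644)
    print(assess_log_file(tmp.name))
    os.unlink(tmp.name)
```

Run against real upgrade or trace directories, the mode check is the cheaper signal: a log that only the owner can read limits the disclosure to administrators even before the tool is patched, while a readable file with unmasked matches is the condition the note describes.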
Summary & Conclusions
With only ten Security Notes, SAP’s November Patch Day represents another calm Patch Day. We are happy that the Onapsis Research Labs could once more contribute to increasing the security of SAP applications. SAP customers can expect much more to come from the ORL in the next few months.
| SAP Note | Type | Description | Priority | CVSS |
|---|---|---|---|---|
| 3520281 | New | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher BC-CST-WDP | High | 8.8 |
| 3483344 | Update | [CVE-2024-39592] Missing Authorization check in SAP PDCE FIN-BA | High | 7.7 |
| 3335394 | New | [CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory) BC-CCM-SLD | Medium | 6.5 |
| 3509619 | New | [CVE-2024-47595] Local Privilege Escalation in SAP Host Agent BC-CCM-HAG | Medium | 6.3 |
| 3393899 | New | [CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application) BC-JAS-SEC | Medium | 5.3 |
| 3504390 | New | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-ABA-LA | Medium | 5.3 |
| 3522953 | New | [CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) BC-UPG-TLS-TLJ | Medium | 4.7 |
| 3508947 | New | [CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-FES-WGU | Medium | 4.3 |
| 3498470 | New | [CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations) FIN-FSCM-CLM-COP | Low | 3.5 |
| 3392049 | Update | [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management FIN-FSCM-CLM-BAM | Low | 3.5 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.