SAP Patch Day: April 2024

Security Notes

Missing Password Requirements Check in SAP NetWeaver AS Java UME poses Confidentiality at High Risk  

Author: Thomas Fritsch

Highlights of April SAP Security Notes analysis include:

  • April Summary: Twelve new and updated SAP security patches released, including three High Priority Notes
  • SAP NetWeaver AS Java UME: Password requirements are not checked in some features
  • Onapsis Research Labs Contribution: Our team supported SAP in patching a Server-Side Request Forgery in SAP NetWeaver AS Java

SAP has published twelve new and updated Security Notes in its April Patch Day. This includes three High Priority Notes. 

The High Priority Notes in Detail

SAP Security Note #3434839, tagged with a CVSS score of 8.8, patches a Security Misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (UME). The ‘Self-Registration’ and ‘Modify your own profile’ features of the UME do not consider the existing password requirements and therefore allow simple passwords that can be easily cracked. The two features are optional and disabled by default but can be individually enabled and configured by each customer. The title of the assigned vulnerability seems a little misleading, since the vulnerability is not caused by a configuration issue but by a missing check in the program logic. Onapsis recommends implementing the note regardless of whether one or both features are enabled: this ensures security as soon as you decide to enable one of them. Leaving the vulnerability unpatched can lead to a high impact on the system’s confidentiality and a low impact on integrity and availability.
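The defect class behind this note is a second code path that sets a password without consulting the policy the primary path already enforces. The following Java sketch is an added example, not SAP's UME code: the policy thresholds, the class and method names and the in-memory store are all assumptions chosen to show the flawed shape (an optional feature writing the password directly) next to the hardened shape (every feature routed through one policy gate).

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

// Added example (not SAP code): one central password policy that every
// password-setting feature must call. Rules and thresholds are illustrative.
public class PasswordPolicyDemo {

    /** One central policy; the thresholds are assumptions, not SAP's defaults. */
    static final class PasswordPolicy {
        private final int minLength;
        private final boolean requireMixedCase;
        private final boolean requireDigit;

        PasswordPolicy(int minLength, boolean requireMixedCase, boolean requireDigit) {
            this.minLength = minLength;
            this.requireMixedCase = requireMixedCase;
            this.requireDigit = requireDigit;
        }

        /** Returns the violated rules; an empty list means the password is acceptable. */
        List<String> violations(String username, String password) {
            List<String> v = new ArrayList<>();
            if (password == null || password.isEmpty()) {
                v.add("password missing");
                return v;
            }
            if (password.length() < minLength) {
                v.add("shorter than " + minLength + " characters");
            }
            boolean lower = false, upper = false, digit = false;
            for (char c : password.toCharArray()) {
                if (Character.isLowerCase(c)) lower = true;
                else if (Character.isUpperCase(c)) upper = true;
                else if (Character.isDigit(c)) digit = true;
            }
            if (requireMixedCase && !(lower && upper)) v.add("needs upper- and lower-case letters");
            if (requireDigit && !digit) v.add("needs a digit");
            if (username != null && password.toLowerCase().contains(username.toLowerCase())) {
                v.add("contains the user name");
            }
            return v;
        }
    }

    /** In-memory stand-in for the user store (a real store keeps salted hashes, not passwords). */
    static final class UserStore {
        private final Map<String, String> credentials = new HashMap<>();
        private final PasswordPolicy policy;

        UserStore(PasswordPolicy policy) { this.policy = policy; }

        // Shape of the flaw: an optional feature writes the password without consulting the policy.
        void selfRegisterUnchecked(String user, String password) {
            credentials.put(user, password);
        }

        // Hardened shape: every feature that sets a password goes through the same gate.
        void selfRegister(String user, String password) { setPassword(user, password); }
        void modifyOwnProfile(String user, String newPassword) { setPassword(user, newPassword); }

        private void setPassword(String user, String password) {
            List<String> v = policy.violations(user, password);
            if (!v.isEmpty()) {
                throw new IllegalArgumentException("password rejected for " + user + ": " + String.join("; ", v));
            }
            credentials.put(user, password);
        }

        boolean hasUser(String user) { return credentials.containsKey(user); }
    }

    public static void main(String[] args) {
        UserStore store = new UserStore(new PasswordPolicy(12, true, true));

        // Constructed sample: a trivial password that the administrator-driven path would refuse.
        store.selfRegisterUnchecked("alice", "alice1");
        System.out.println("unchecked self-registration stored 'alice1': " + store.hasUser("alice"));

        try {
            store.selfRegister("bob", "bob1");
        } catch (IllegalArgumentException e) {
            System.out.println("checked self-registration: " + e.getMessage());
        }
        store.selfRegister("carol", "Correct-Horse-42");
        store.modifyOwnProfile("carol", "Another-Long-Pass-7");
        System.out.println("checked paths stored a policy-conforming password: " + store.hasUser("carol"));
    }
}
```

The point of the design is that `setPassword` is the only method that touches the credential store, so a feature that is enabled later cannot bypass the policy by construction. A code review question that follows from this note: for every feature that accepts a password (registration, profile edit, reset, import), does it reach the store through the same gate?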

SAP Security Note #3421384, tagged with a CVSS score of 7.7, describes and solves an Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence. The Excel Data Access Service performs insufficient validation checks while uploading Excel files, resulting in potentially malicious data being read. An exploit can have a high impact on the system’s confidentiality.

The third High Priority Note is SAP Security Note #3438234, tagged with a CVSS score of 7.2. The note patches a Directory Traversal vulnerability in two programs of SAP Asset Accounting. While the program RAALTE00 is just disabled by the patch, a verification of path information against logical file names is added to the second vulnerable report RAALTD01.
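The fix described for RAALTD01 checks a user-supplied path against the directory a logical file name defines. The following Java snippet is an added example, not SAP's ABAP code: it reproduces that idea in generic form with a constructed mapping of logical names to base directories, and the names and paths are assumptions.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Map;

// Added example (not SAP code): validate a requested file against the physical
// directory that its logical file name is allowed to address.
public class LogicalFileNameCheck {

    // Constructed mapping: logical name -> the only directory it may resolve into.
    static final Map<String, Path> LOGICAL_FILES = Map.of(
        "ASSET_EXPORT", Paths.get("/srv/sap/export/assets").toAbsolutePath().normalize(),
        "ASSET_IMPORT", Paths.get("/srv/sap/import/assets").toAbsolutePath().normalize());

    /** Returns the validated physical path, or null when the request must be rejected. */
    static Path resolve(String logicalName, String requestedFile) {
        Path base = LOGICAL_FILES.get(logicalName);
        if (base == null) return null;                                   // unknown logical name
        if (requestedFile == null || requestedFile.isEmpty()) return null;
        // normalize() folds "." and ".." segments; resolve() with an absolute
        // argument returns that argument, so absolute inputs are caught below too.
        Path candidate = base.resolve(requestedFile).normalize();
        // The actual check: the physical path must stay inside the directory
        // the logical name defines, and must not be the directory itself.
        if (!candidate.startsWith(base) || candidate.equals(base)) return null;
        return candidate;
    }

    public static void main(String[] args) {
        // Constructed inputs a validator must be exercised with before release.
        String[][] samples = {
            {"ASSET_EXPORT", "depreciation_2024.csv"},   // accepted
            {"ASSET_EXPORT", "sub/depreciation_2024.csv"}, // accepted (still inside base)
            {"ASSET_EXPORT", "../../../etc/hosts"},      // rejected: leaves the base directory
            {"ASSET_EXPORT", "/etc/hosts"},              // rejected: absolute path
            {"PAYROLL", "anything.csv"},                 // rejected: logical name not defined
        };
        for (String[] s : samples) {
            Path p = resolve(s[0], s[1]);
            System.out.printf("%-13s %-28s -> %s%n", s[0], s[1], p == null ? "REJECTED" : p);
        }
    }
}
```

The check works on the normalized path rather than on the string, so encodings of the same traversal that a string filter would miss are handled by the file system API. Symbolic links inside the base directory are a separate concern and would need `toRealPath()` with the same `startsWith` comparison.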

Contribution of the Onapsis Research Labs

The Onapsis Research Labs (ORL) supported SAP in patching a Server-Side Request Forgery vulnerability in the tc~esi~esp~grmg~wshealthcheck~ear application of SAP NetWeaver AS Java. The vulnerability, described in SAP Security Note #3425188 and tagged with a CVSS score of 5.3, can cause a low impact on the application’s confidentiality. The ORL found that the application suffers from insufficient input validation, allowing an unauthenticated attacker to send crafted requests from the vulnerable web application to internal systems behind firewalls that are normally inaccessible from the external network.
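A health-check component that takes a target URL from a request is only safe when the outbound destination is constrained server-side. The following Java code is an added example, not the code of the patched application: it shows an allowlist-based validation of an outbound URL, with a constructed allowlist and constructed sample inputs, and rejects the URL forms that typically slip past a naive host comparison.

```java
import java.net.URI;
import java.net.URISyntaxException;
import java.util.Locale;
import java.util.Set;

// Added example (not SAP code): server-side validation of a caller-supplied
// URL before a health-check component issues an outbound request.
public class OutboundUrlCheck {

    // Constructed allowlist: the only hosts this component is permitted to contact.
    static final Set<String> ALLOWED_HOSTS = Set.of("erp.example.internal", "portal.example.internal");
    // -1 is java.net.URI's value for "no explicit port", i.e. the scheme default.
    static final Set<Integer> ALLOWED_PORTS = Set.of(-1, 443, 8443);

    /** Returns the reason the target is rejected, or null when it may be contacted. */
    static String rejectReason(String target) {
        URI uri;
        try {
            uri = new URI(target);
        } catch (URISyntaxException e) {
            return "unparseable URL";
        }
        String scheme = uri.getScheme();
        if (scheme == null || !(scheme.equalsIgnoreCase("https") || scheme.equalsIgnoreCase("http"))) {
            return "scheme not allowed";
        }
        // "allowed-host@other-host" puts the allowed name in the user-info part;
        // the real host is what follows the '@'. Refuse user info outright.
        if (uri.getRawUserInfo() != null) return "user info in URL";
        String host = uri.getHost();
        if (host == null) return "no usable host";
        if (!ALLOWED_HOSTS.contains(host.toLowerCase(Locale.ROOT))) return "host not on allowlist";
        if (!ALLOWED_PORTS.contains(uri.getPort())) return "port not allowed";
        // Still to be done at connection time in a real client: resolve the host,
        // refuse loopback/private/link-local addresses, and do not follow redirects,
        // so that DNS answers cannot redirect the request to an internal system.
        return null;
    }

    public static void main(String[] args) {
        String[] samples = {
            "https://erp.example.internal/health",            // accepted
            "https://ERP.example.internal:8443/health",       // accepted (case-insensitive host)
            "http://erp.example.internal@10.0.0.5/",          // rejected: user-info trick
            "http://10.0.0.5/latest/meta-data/",              // rejected: not on allowlist
            "file:///etc/hosts",                              // rejected: scheme
            "https://portal.example.internal:8080/",          // rejected: port
        };
        for (String s : samples) {
            String reason = rejectReason(s);
            System.out.printf("%-48s -> %s%n", s, reason == null ? "ALLOWED" : "REJECTED (" + reason + ")");
        }
    }
}
```

An exact-match allowlist is deliberately stricter than a blocklist of internal ranges: a health check only ever needs to reach a small, known set of endpoints, so anything outside that set is rejected without having to anticipate every way an internal address can be written.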

Summary and Conclusion

With only twelve SAP Security Notes, including three High Priority Notes, SAP’s April Patch Day belongs to the category of ‘calmer’ Patch Days. This is a perfect opportunity to check for any SAP Security Note of the last SAP Patch Days whose implementation is still pending. 

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 3434839 | New | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | BC-JAS-SEC-UME | High | 8.8 |
| 3421384 | New | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | BI-RA-WBI | High | 7.7 |
| 3438234 | New | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | FI-AA-AA-A | High | 7.2 |
| 3442741 | New | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | LOD-HCI-PI-OP-NM | Medium | 6.8 |
| 3442378 | New | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | FIN-CS-CDC-DC | Medium | 6.5 |
| 3359778 | New | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | BC-CST-DP | Medium | 6.5 |
| 3164677 | Update | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) | PA-FIO-LEA | Medium | 6.5 |
| 3156972 | Update | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | MM-FIO-PUR-REQ-SSP | Medium | 6.1 |
| 3425188 | New | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) | BC-ESI-WS-JAV-RT | Medium | 5.3 |
| 3421453 | New | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | BC-MID-BUS | Medium | 4.8 |
| 3430173 | New | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | FIN-FSCM-CLM-BAM | Medium | 4.3 |
| 3427178 | New | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | FIN-FSCM-CLM-BAM | Medium | 4.3 |

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance, ensuring customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP Patch Day, SAP security, and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.