SAP Patch Day: August 2024
SAP Build Apps applications affected by known Node.js vulnerability
Highlights of August SAP Security Notes analysis include:
- August Summary — Twenty-five new and updated SAP security patches released, including two HotNews Notes and four High Priority Notes.
- Node.js Vulnerability — Applications built with SAP Build Apps require re-build
- Onapsis Research Labs Contribution — Our team supported SAP in patching seven vulnerabilities covered by six SAP Security Notes and including one High Priority Note.
SAP has released twenty-five SAP Security Notes on its August Patch Day (including the notes that were released or updated since last Patch Tuesday) This includes two HotNews Notes and four High Priority Notes.
SAP Security Note #3423268, tagged with a CVSS score of 7.8, was published on July 23rd. SAP S/4 HANA (Manage Supply Protection) uses the open source library SheetJS which is vulnerable to CVE-2023-30533 in versions lower than 0.19.3. The note provides a patch that includes version 0.20.1 of the affected library. Keeping the application unpatched, poses the confidentiality, the integrity, and the availability of the application at high risk.
High Priority Note #3460407, tagged with a CVSS score of 7.5, patches an Information Disclosure vulnerability in SAP NetWeaver AS Java (Meta Model Repository). The note was initially released in June 2024 and was updated on July 25th. SAP now provides corrections for two additional support package levels (SP022 and SP023) of the vulnerable MMR_SERVER component.
The New HotNews Notes in Detail
SAP Security Note #3479478, tagged with a CVSS score of 9.8, patches a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence. If Single Sign On Enterprise authentication is enabled, an unauthorized user can get a logon token using a REST endpoint. The attacker can fully compromise the system resulting in high impact on confidentiality, integrity and availability.
SAP Security Note #3477196, tagged with a CVSS score of 9.1, affects all applications that were built in SAP Build Apps using a version of the Node.js library that is vulnerable to CVE-2024-29415. SAP recommends to re-build the applications with SAP Build Apps version 4.11.130 or later. Otherwise, affected applications are posed at high risk to confidentiality and integrity.
The New High Priority Notes in Detail
The Onapsis Research Labs (ORL) supported SAP in patching a High Priority vulnerability in SAP BEx Web Java Runtime Export Web Service. The ORL team detected that documents from untrusted sources are validated insufficiently. This allows an attacker to retrieve information from the SAP ADS system and exhaust the number of XMLForm services which makes the SAP ADS rendering (PDF creation) unavailable. SAP Security Note #3485284, tagged with a CVSS score of 8.2, provides a patch for SAP NW 7.50 BI JAVA that includes an updated XML parser.
SAP Security Note #3459935, tagged with a CVSS score of 7.4, addresses a set of vulnerable OCC API endpoints in SAP Commerce Cloud.They allow Personally Identifiable Information (PII) data, such as passwords, email addresses, mobile numbers, coupon codes, and voucher codes, to be included in the request URL as query or path parameters. Since URL parameters are exposed in request logs, transmitting such confidential data through query parameters and path parameters is vulnerable to data leakage.
The note provides separate lists for endpoints including PII data as query parameters or as path parameters.
There is a workaround available for endpoints of the first list. The client-side code that consumes the affected OCC API endpoints must be adjusted. The confidential data can be passed through request body parameters instead of using URL query parameters.
But since this option is only available for one group of the affected endpoints and since workarounds should always be considered a temporary solution, customers should apply the corresponding patch as soon as possible. The patch provides new variants of all the affected endpoints that always pass the PII data through request body parameters. The old vulnerable endpoints are deprecated.
After applying the patch, all clients should be adjusted to consume the new, secure variants of the affected OCC API endpoints rather than the old, vulnerable ones.
Onapsis Contribution
The ORL team supported SAP in patching seven vulnerabilities on August Patch Day, covered by six SAP Security Notes, including High Priority Note #3485284.
SAP Security Note #3474590, tagged with a CVSS score of 6.5, patches two Missing Authorization Check vulnerabilities in SAP Shared Service Framework that are tracked under CVE-2024-42376 and CVE-2024-42377. Two remote-enabled function modules of the framework are suffering from missing authorization checks. This can lead to an escalation of privileges or an unauthorized maintenance of non-sensitive table data resulting in high impact on confidentiality and low impact on the integrity of the application.
SAP Security Note #3487537, tagged with a CVSS score of 5.0, patches a Server-Side Request Forgery vulnerability in SAP CRM ABAP (Insights Management). The vulnerability allows an authenticated attacker to enumerate HTTP endpoints in the internal network by specially crafting HTTP requests resulting in information disclosure. The patch deactivates the affected ABAP code but additionally recommends deactivating the corresponding service manually. The latter can also be used as a temporary workaround until the patch can be implemented.
SAP Security Note #3468102, tagged with a CVSS score of 4.7, describes an Improper Access Control vulnerability in SAP Netweaver Application Server ABAP. The ORL team was able to inject CSS code and links into a web application by acting as an unauthenticated attacker sending crafted URL requests. The patch includes an improved allowlist check that properly distinguishes between relative and absolute URLs.
A Missing Authorization Check vulnerability in SAP Student LifeCycle Management (SLcM) is patched with SAP Security Note #3479293, tagged with a CVSS score of 4.3. On successful exploitation, non-sensitive report variants could be deleted leading to low impact on the application’s integrity. As one part of the solution, SAP has implemented a switchable authorization check into the affected RFC-enabled function module. The check only becomes active for external calls of the function module.
Another Missing Authorization Check vulnerability was patched with SAP Security Note #3477423, tagged with a CVSS score of 4.3. The vulnerability affects SAP Document Builder and is patched through adding an additional authorization check to the corresponding remote-enabled function module.
Summary & Conclusions
With twenty-five Security Notes, SAP’s August Patch Day is above average. Special attention is required for SAP Security Note #3477196 because it might need some effort depending on the number of affected apps. The Onapsis Research Labs could once more support SAP in patching one High Priority vulnerability and six Medium Priority vulnerabilities.
SAP Note | Type | Description | Priority | CVSS |
3479478 | New | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform BI-BIP-INV | HotNews | 9,8 |
3477196 | New | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps CA-LCA-ACP | HotNews | 9,1 |
3485284 | New | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service BW-BEX-ET-WJR-EXP | High | 8,2 |
3423268 | New | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) CA-ATP-SUP-2CL | High | 7,8 |
3460407 | Update | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) BC-DWB-JAV-MMR | High | 7,5 |
3459935 | New | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud CEC-COM-CPS-COR | High | 7,4 |
3466801 | Update | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management BC-VCM-LVM | Medium | 6,9 |
3459379 | Update | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) CA-GTF-DOB | Medium | 6,5 |
3495876 | New | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) BC-SYB-REP | Medium | 6,5 |
3474590 | New | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework CA-EPT-SSC | Medium | 6,5 |
3438085 | New | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java),SAP Web Dispatcher and SAP Content Server. BC-CST-IC | Medium | 6,3 |
3482217 | Update | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation BW-PLA-BPS | Medium | 6,1 |
3465455 | Update | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP BW4-DM-TRFN | Medium | 5,5 |
3483256 | New | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice CEC-SCC-CDM-BO-FRW | Medium | 5,4 |
3471450 | New | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce CEC-SCC-COM-BC-BCOM | Medium | 5,3 |
3458789 | Update | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) BC-BMT-WFM | Medium | 5,0 |
3487537 | New | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management) CRM-MKT | Medium | 5,0 |
3468102 | New | [CVE-2024-41732] Improper Access Control in SAP Netweaver Application Server ABAP BC-FES-BUS-RUN | Medium | 4,7 |
3150704 | Update | [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks) FIN-FSCM-CLM-BAM | Medium | 4,5 |
3479293 | New | [CVE-2024-42373] Missing Authorization Check in SAP Student LifeCycle Management (SLcM) IS-HER-CM-AD | Medium | 4,3 |
3475427 | New | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work PM-FIO-WCM | Medium | 4,3 |
3433545 | New | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform BI-BIP-INV | Medium | 4,3 |
3477423 | New | [CVE-2024-39591] Missing Authorization check in SAP Document Builder CA-GTF-DOB | Medium | 4,3 |
3494349 | New | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform BC-SRV-LIM | Medium | 4,3 |
3454858 | Update | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-SRV-DX-DXW | Medium | 4,1 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.