SAP Patch Day: July 2024
High Priority Patches for SAP PDCE and SAP Commerce
Author: Thomas Fritsch
Highlights of July SAP Security Notes analysis include:
- July Summary — Eighteen new and updated SAP security patches released, including two High Priority Notes.
- SAP Business Workflow (WebFlow Services) — Patching a Server-Side Request Forgery vulnerability requires implementing three SAP Security Notes.
- Onapsis Research Labs Contribution — Our team supported SAP in patching twelve vulnerabilities covered by ten SAP Security Notes.
SAP has released eighteen SAP Security Notes on its July Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes two High Priority Notes.
The New High Priority Notes in Detail for SAP Patch Day July 2024
SAP Security Note #3483344, tagged with a CVSS score of 7.7, is the most critical patch of today’s July Patch Day, based on CVSS rating. The Onapsis Research Labs (ORL) detected a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE) which is based on the SAP Strategic Enterprise Management (SEM). A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data and thus poses the system’s confidentiality at high risk. The patch disables the vulnerable function module.
SAP Security Note #3490515, tagged with a CVSS score of 7.2, addresses an Improper Authorization Check vulnerability in SAP Commerce (On Premise and Public Cloud). An attacker can misuse the forgotten password functionality to gain access to a site for which early login and registration is activated, without requiring the merchant to approve the account beforehand. If the site is not configured as an isolated site, this can also grant access to other non-isolated early login sites, even if registration is not enabled for those other sites. SAP rates the possible impact of this vulnerability on the application’s Confidentiality and Integrity with Low and sees no impact on its availability. As a temporary workaround, SAP recommends disabling registration for affected isolated Composable Storefront B2B sites and for all non-isolated Composable Storefront B2B sites if Early Login is enabled on at least one of these non-isolated sites.
Onapsis Contribution to SAP Patch Day July 2024
Once more, the Onapsis Research Labs (ORL) could significantly contribute to SAP’s Patch Day. The team supported SAP in patching twelve vulnerabilities, covered by 10 SAP Security Notes.
Several Cross-Site Scripting (XSS) vulnerabilities were detected by the ORL in:
- SAP Business Warehouse (SAP BW) (SAP Security Note #3482217)
- SAP NetWeaver Knowledge Management (SAP Security Note #3468681)
- SAP CRM (WebClient UI) (SAP Security Note #3467377)
SAP Security Note #3482217 patches a Reflected XSS vulnerability(CVSS score 6.1) and a Stored XSS vulnerability (CVSS score 5.4) in SAP BW Business Planning and Simulation. They both have a low impact on the application’s confidentiality and integrity and no impact on its availability.
SAP Security Note #3468681, tagged with a CVSS score of 6.1, targets the XMLEditor in SAP NetWeaver Knowledge Management. Due to insufficient encoding of user-controlled input, the XMLEditor allows malicious scripts to be executed in the application.
SAP Security Note #3467377 is a collective note for SAP CRM (WebClient UI), patching four vulnerabilities in total. Beside two Reflected XSS vulnerabilities, both tagged with a CVSS score of 6.1, it also fixes a Server-Side Request Forgery vulnerability (CVSS score 5.0) and a Missing Authorization Check vulnerability (CVSS score 4.3).
The ORL also detected a Server-Side Request Forgery vulnerability in SAP Business Workflow (WebFlow Services), tagged with a CVSS score of 5.0. It allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests.
After implementing the patch, Callback-URLs of WebFlow Services can be checked against an allowlist, so that only explicitly allowed URLs are processed.
The patch includes three SAP Security Notes in total that must be applied in the following sequence:
- SAP Security Note #3483993: This note is a prerequisite note for SAP Security Note #3458789. It contains the report NOTE_3483993 that must be executed to generate some objects required to successfully implement #3458789 in step 2.
- SAP Security Note #3458789: This note implements the allowlist for Callback-URLs of WebFlow Services.
- SAP Security Note #3485805: This note explains how to configure and activate the allowlist for Callback-URLs of WebFlow Services.
Another Server-Side Request Forgery vulnerability was detected by the ORL in SAP Transportation Management (Collaboration Portal). It is patched with SAP Security Note #3469958, tagged with a CVSS score of 5.0. SAP has hardened the responsible service handler to not accept any untrusted input. Unpatched, attackers with non-administrative privileges can send a crafted request from a vulnerable web application. This will trigger the vulnerable application handler to send a request to an unintended service, which may reveal information about that service.
The ORL also detected that a central method of SAP’s malware scanner API could be called so that virus scanning is bypassed. An attacker could misuse this option to bypass virus scanning unnoticed by established quality and security gates. An oblivious developer could also open a backdoor without noticing. The issue is patched with SAP Security Note #3456952, tagged with a CVS score of 4.7. When considering the potential impacts of introducing viruses into an SAP landscape, the assigned CVSS score might not fully capture the worst-case scenario.
An Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform is patched with SAP Security Note #3454858, tagged with a CVSS score of 4.1. A remote-enabled function module that should only allow access to directories of the DX Workbench allows accessing arbitrary other system directories (directory traversal). The patch solves the issue by only allowing files and directories for which a logical file and path definition exists in transaction FILE.
SAP Patch Day Summary & Conclusions
With eighteen Security Notes, SAP’s July Patch Day is another average one. With no HotNews Note and only two High Priority Notes, it can even be considered a calm one. The Onapsis Research Labs could once more support SAP in patching twelve vulnerabilities of this Patch Day.
| SAP Note | Type | Description | Priority | CVSS |
| 3483344 | New | [CVE-2024-39592] Missing Authorization check in SAP PDCE FIN-BA | High | 7,7 |
| 3490515 | New | [CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce CEC-SCC-COM-BC-CS | High | 7,2 |
| 3466801 | New | [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management BC-VCM-LVM | Medium | 6,9 |
| 3459379 | Update | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) CA-GTF-DOB | Medium | 6,5 |
| 3467377 | New | [Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI) CA-WUI-UI | Medium | 6,1 |
| 3482217 | New | [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation BW-PLA-BPS | Medium | 6,1 |
| 3468681 | New | [CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor EP-PIN-WPC-WCM | Medium | 6,1 |
| 3457354 | New | [CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) FIN-FSCM-PF-IHB | Medium | 5,4 |
| 3461110 | New | [CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows BC-FES-GUI | Medium | 5,0 |
| 3469958 | New | [CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal) TM-CP | Medium | 5,0 |
| 3485805 | New | [CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services) BC-BMT-WFM | Medium | 5,0 |
| 3483993 | New | [CVE-2024-34689] Prerequisite for Security Note 3458789 BC-BMT-WFM | Medium | 5,0 |
| 3458789 | New | [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) BC-BMT-WFM | Medium | 5,0 |
| 3456952 | New | [CVE-2024-39599] Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-MID-ICF | Medium | 4,7 |
| 3476348 | New | [CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now KM-SEN-MGR | Medium | 4,3 |
| 3101986 | Update | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI CA-WUI-UI | Medium | 4,1 |
| 3454858 | New | [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-SRV-DX-DXW | Medium | 4,1 |
| 3476340 | New | [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now KM-SEN-MGR | Low | 3,3 |
SAP Patch Day July 2024 Table Summary
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, watch our monthly Defenders Digest.