SAP Patch Day: June 2024
High Priority Notes for SAP NetWeaver AS Java and SAP Financial Consolidation
Author: Thomas Fritsch
Highlights of June SAP Security Notes analysis include:
- June Summary — Twelve new and updated SAP security patches released, including two High Priority Notes
- SAP High Priority Notes — SAP NetWeaver AS Java and SAP Financial Consolidation affected
- Onapsis Research Labs Contribution — Our team supported SAP in patching 50% of all new SAP Security Notes in June
SAP has published twelve new and updated SAP Security Notes in its June Patch Day, including two High Priority Notes. Five of the ten new Security Notes were published in contribution with the Onapsis Research Labs.
The High Priority Notes in Detail
SAP Security Note #3457592, tagged with a CVSS score of 8.1, is the note with the highest CVSS score in June. It patches two Cross-Site Scripting vulnerabilities in SAP Financial Consolidation. The more critical one allows data to enter a web application through an untrusted source and manipulating web site content. This causes a high impact on the confidentiality and integrity of the application.
SAP Security Note #3460407 is the second High Priority Note in June. Tagged with a CVSS score of 7.5, it is rated slightly lower than #3457592. However, targeting SAP NetWeaver AS Java, it is most likely that more SAP customers and systems are affected by this note. The note patches a Denial of Service vulnerability in the Meta Model Repository services. Accessing these services was not restricted and allowed attackers to perform DoS attacks on the application, preventing legitimate users from using the application.
Onapsis Contribution
Our Onapsis Research Labs (ORL) team is continuously growing and our new team members from Romania could already significantly contribute to some of the June Security Notes.
SAP Security Note #3453170, tagged with a CVSS score of 6.5, patches a Denial of Service vulnerability in SAP NetWeaver AS ABAP and ABAP platform. An RFC-enabled function module of the Early Watch Alert Reporting measures the CPU time of a reference process and the number of repetitions could be controlled by an input parameter. Since the value was not restricted, an attacker could call the function module with a very high value for this parameter. Calling the function module several times in parallel could lead to completely blocking all work processes and thus making the system unavailable.
SAP Security Note #3459379, also tagged with a CVSS score of 6.5, describes an Unrestricted File Upload vulnerability in the HTTP service of SAP Document Builder. The service allowed users to upload file attachments without virus scanning. After applying the patch it is strongly recommended to additionally check the system’s virus scan profile settings. Information on how to check these settings can be found in the Manual Activities section of the note.
SAP Security Note #3465129, tagged with a CVSS score of 6.1, patches a Cross-Site Scripting vulnerability in SAP CRM. The ORL detected that insufficient input validation in the WebClient UI allowed an attacker to embed a malicious script into a link. When a victim clicks on this link, the script will be executed in the victim’s browser giving the attacker the ability to access and/or modify information causing impact on the application’s confidentiality and integrity. Customers are only affected by this vulnerability if they have applied SAP Note #3328365 before or if they are on the equivalent Support Package level of this SAP Note..
The ORL team furthermore detected a Missing Authorization Check vulnerability in a remote-enabled function module of SAP Student Life Cycle Management (SLcM). On successful exploitation, attackers could access and edit non-sensitive report variants that are typically restricted. SAP Security Note #3457265, tagged with a CVSS score of 5.4, patches the issue. A switchable authorization check was added to the vulnerable function module in case of an external call.
SAP Security Note #3425571, tagged with a CVSS score of 5.3, patches an Information Disclosure vulnerability in the Guided Procedures component of an SAP NetWeaver AS Java.The vulnerability is tracked under CVE-2024-28164 and allowed an unauthenticated user to access non-sensitive information about the server which would otherwise be restricted.
Summary & Conclusions
With only twelve Security Notes, SAP’s June Patch Day represents another calm Patch Day. We are happy that the Onapsis Research Labs could once more significantly contribute to increasing the security of SAP applications. SAP customers can expect much more to come from the ORL in the next few months.
| SAP Note | Type | Description | Priority | CVSS |
| 3457592 | New | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation EPM-BFC-TCL | High | 8,1 |
| 3460407 | New | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) BC-DWB-JAV-MMR | High | 7,5 |
| 3453170 | New | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform SV-SMG-SDD | Medium | 6,5 |
| 3459379 | New | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) CA-GTF-DOB | Medium | 6,5 |
| 3466175 | New | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) FI-FIO-AR-PAY | Medium | 6,5 |
| 3465129 | New | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) CA-WUI-UI | Medium | 6,1 |
| 3450286 | Update | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform BC-MID-AC | Medium | 6,1 |
| 3465455 | New | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP BW4-DM-TRFN | Medium | 5,5 |
| 3457265 | New | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM) IS-HER-CM-AD | Medium | 5,4 |
| 3425571 | New | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) BC-GP | Medium | 5,3 |
| 2638217 | Update | Switchable Authorization Checks in Central Finance Infrastructure Components FI-CF-INF | Low | 3,9 |
| 3441817 | New | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) BI-BIP-PUB | Low | 3,7 |
As always, the Onapsis Research Labs is already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Onapsis Newsletter.