SAP Patch Day: March 2024
Critical Code Injection Vulnerability in SAP NetWeaver AS Java
Highlights of March SAP Security Notes analysis include:
- March Summary —Twelve new and updated SAP security patches released, including three HotNews Notes and three High Priority Notes.
- SAP NetWeaver AS Java in Focus — One critical Code Injection vulnerability and three Information Disclosure vulnerabilities in different applications and components.
- Onapsis Research Labs Contribution — Our team supported SAP in patching these three Information Disclosure vulnerabilities.
SAP has published twelve new and updated Security Notes on its March Patch Day (including the notes that were released or updated since last Patch Tuesday) This includes three HotNews Notes and three High Priority Notes.
Updated Notes in Detail
One of the three HotNews Notes is the regularly recurring SAP Security Note #2622660 that provides an update for SAP Business Client including the latest supported Chromium patches. SAP Business Client now supports Chromium version 121.0.6167.184 which fixes twenty-nine vulnerabilities in total including two Critical and fifteen High Priority vulnerabilities. The maximum CVSS value of all fixed vulnerabilities is 9.8.
High Priority Note #3346500, tagged with a CVSS score of 8.8, is an updated SAP Security Note patching an Improper Authentication vulnerability in SAP Commerce Cloud. The vulnerability allows users to log into the system without a passphrase. SAP Commerce Cloud Customers should review the note since SAP has updated the versions on the fixing SAP Commerce Cloud Builds.
The New HotNews Notes in Detail
SAP Security Note #3425274, tagged with a CVSS score of 9.4, affects all applications built with SAP Build Apps versions lower than 4.9.145. These versions include a vulnerable version of the lodash utility library allowing an attacker to run unauthorized commands on the system, which may lead to a low impact on the confidentiality and cause high impact on the integrity and availability of the application. The problem can be solved by re-building all affected applications with SAP Build Apps version 4.9.145 or later.
SAP Security Note #3433192, tagged with a CVSS score of 9.1, patches a critical Code Injection vulnerability in the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. The list of prohibited file types defined for the upload functionality of the plug-in is incomplete. An attacker could upload malicious files leading to a command injection vulnerability. This would enable the attacker to run commands which can cause high impact on confidentiality, integrity and availability of the application. The patch provides an extended list of prohibited file types. As an additional security measure, SAP recommends activating virus scanning for the upload.
The new High Priority SAP Security Notes
SAP Security Note #3410615, tagged with a CVSS score of 7.5, addresses a Denial of Service vulnerability in SAP HANA XS Classic and HANA XS Advanced. The note extends to a series of SAP Security Notes that were released during the last few months and that are all related to the usage of the HTTP/2 protocol in SAP Web Dispatcher. The new SAP Security Note patches a Denial of Service vulnerability that exists in conjunction with using HTTP/2. As a temporary workaround, HTTP/2 can be disabled.
SAP Security Note #3414195, tagged with a CVSS score of 7.2, patches a Path Traversal vulnerability in SAP BusinessObjects Business Intelligence Platform. The Central Management Console of the platform uses a vulnerable version of Apache Struts allowing high privileged users to generate a high impact on confidentiality, integrity and availability of the application.
Contribution of the Onapsis Research Labs
The Onapsis Research Labs(ORL) supported SAP in patching three Information Disclosure vulnerabilities in different applications and components of SAP NetWeaver AS Java, all tagged with a CVSS score of 5.3.
SAP Security Note #3425682 patches an Information Disclosure vulnerability in Web Service Reliable Messaging (WSRM) of SAP NetWeaver AS Java. The WSRM can be enabled for individual web service methods to ensure that message exchange is performed correctly – without messages getting lost or being duplicated. It ensures a reliable exchange of messages even when the connection to the network is lost. Under certain conditions SAP NetWeaver WSRM allows an attacker to access information which would otherwise be restricted, causing low impact on Confidentiality with no impact on Integrity and Availability of the application.
Similar vulnerabilities, tagged with exactly the same CVSS vector, are patched for SAP NetWeaver Process Integration (Support Web Pages) with SAP Security Note #3434192 and SAP NetWeaver (Enterprise Portal) with SAP Security Note #3428847.
Summary and Conclusion
With twelve new and updated SAP Security Notes in total SAP’s March Patch Day is below average, It should be noted however, three HotNews Notes and three High Priority Notes require special attention, including the two that were only updated.
| SAP Note | Type | Description | Priority | CVSS |
| 3433192 | New | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) BC-JAS-ADM-LOG | HotNews | 9,1 |
| 3417399 | New | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server PA-FIO-LEA | Medium | 4,6 |
| 3377979 | New | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI) BC-FES-WGU | Medium | 5,4 |
| 3434192 | New | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages) BC-XI-IBF-UI | Medium | 5,3 |
| 3425274 | New | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps CA-LCA-ACP | HotNews | 9,4 |
| 3425682 | New | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM) BC-ESI-WS-JAV-RT | Medium | 5,3 |
| 3428847 | New | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) EP-PIN-APF-OPR | Medium | 5,3 |
| 3414195 | New | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) BI-BIP-CMC | High | 7,2 |
| 3410615 | New | [CVE-2023-44487 ] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced HAN-AS-XS | High | 7,5 |
| 2622660 | Update | Security updates for the browser control Google Chromium delivered with SAP Business Client BC-FES-BUS-DSK | HotNews | 10,0 |
| 3419022 | New | [CVE-2024-27900]Missing Authorization check in SAP ABAP Platform BC-SRV-APS-APJ | Medium | 4,3 |
| 3346500 | Update | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud CEC-SCC-PLA-PL | High | 8,8 |
Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, check out our previous Patch Day blogs and subscribe to our monthly Defenders Digest Newsletter.