SAP Patch Day: September 2024
SAP Build Apps applications affected by known Node.js vulnerability
Highlights of September SAP Security Notes analysis include:
- September Summary — Nineteen new and updated SAP security patches released, including updates to one HotNews Note and one High Priority Note
- Updated Notes — Review of updated notes strongly recommended
- Onapsis Research Labs Contribution — Our team supported SAP in patching twelve vulnerabilities covered by seven SAP Security Notes
SAP has published nineteen new and updated SAP Security Notes in its September Patch Day, including updates to one HotNews Note and one High Priority Note.
HotNews Note #3479478, tagged with a CVSS score of 9.8, was initially released on SAP’s August Patch Day and patches a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence Platform. The updated note provides workaround instructions for customers who can’t apply the patch immediately. In addition, the validity of the note was extended to release 420 of the Enterprise software component.
High Priority Note #3459935, tagged with a CVSS score of 7.4, patches an Information Disclosure vulnerability in SAP Commerce Cloud. Customers who already applied the patch after its initial release in August should review the note since SAP has updated the fixing version from SAP Commerce Cloud Update Release 2211.27 to SAP Commerce Cloud Update Release 2211.28.
Onapsis Contribution
Once more, the Onapsis Research Labs (ORL) significantly contributed to SAP’s Patch Day. The team supported SAP in patching twelve vulnerabilities, covered by seven SAP Security Notes.
SAP Security Notes #3497347 and #3501359, both tagged with a CVSS score of 6.1, patch Cross-Site Scripting vulnerabilities in eProcurement on S/4HANA and CRM Blueprint Application Builder Panel. Weak encoding and insufficient validation of user-controlled input allow attackers to inject malicious scripts that are executed by unsuspecting users. This gives attackers the ability to access and/or modify information with low impact on confidentiality and integrity.
SAP Security Note #3488341, tagged with a CVSS score of 6.5, patches a Missing Authorization Check vulnerability in SAP Production and Revenue Accounting. A remote-enabled function module of an obsolete application interface allows generic reading of arbitrary table data. SAP has patched the issue by adding an appropriate authorization check. Keeping the function module unpatched could lead to disclosure of highly sensitive data.
SAP Security Note #3488039, tagged with a CVSS score of 5.4, patches six Missing Authorization Check vulnerabilities in various RFC-enabled function modules that can be used to alter the Easy Access menu of legitimate users in a malicious way. Most of the vulnerabilities have a low impact on the integrity and availability of the application. Only one vulnerability affects confidentiality. Nevertheless, one of the vulnerabilities, tracked under CVE-2024-45285, allows a low privileged attacker to send a crafted packet in the vulnerable function module targeting a specific user. This user will no longer have access to any functionality of SAP GUI and will thus experience a total loss of application availability. All vulnerable function modules have been patched by no longer allowing external access.
SAP Security Note #3505293, tagged with a CVSS score of 4.3, patches a Missing Authorization Check vulnerability in SAP for Oil & Gas. Due to the missing authorization check, an attacker with non-administrative user privileges could call a remote-enabled function module which will allow them to delete entries in a user data table. The patch adds an appropriate authorization check.
SAP Security Notes #3481588 and #3481992, both tagged with a CVSS score of 4.3, patch two Information Disclosure vulnerabilities in SAP BW (BEx Analyzer). Due to missing authorization checks, they allow an authenticated attacker to access information over the network which is otherwise restricted.
Summary & Conclusions
With no new HotNews and no new High Priority Notes, SAP’s September Patch Day represents another calm Patch Day. A significant number of the SAP Security Notes patches are Missing Authorization Check vulnerabilities in RFC-enabled function modules. It is with great pleasure that the Onapsis Research Labs have been able to contribute to the identification of a significant number of vulnerabilities.
| SAP Note | Type | Description | Priority | CVSS |
| 3479478 | Update | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform BI-BIP-INV | HotNews | 9.8 |
| 3459935 | Update | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud CEC-COM-CPS-COR | High | 7.4 |
| 3488341 | New | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) IS-OIL-PRA-REV-OW | Medium | 6.5 |
| 3495876 | Update | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) BC-SYB-REP | Medium | 6.5 |
| 3501359 | New | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP(CRM Blueprint Application Builder Panel) CA-GTF-PCF | Medium | 6.1 |
| 3497347 | New | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA MM-PUR-SSP | Medium | 6.1 |
| 3477359 | New | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) BC-JAS-SEC-DST | Medium | 6.0 |
| 3430336 | New | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud CEC-SCC-PLA-PL | Medium | 5.9 |
| 3425287 | New | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform BI-RA-WBI-BE | Medium | 5.8 |
| 3488039 | New | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-DWB-SEM | Medium | 5.4 |
| 3505503 | New | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) BC-JAS-SEC-LGN | Medium | 4.8 |
| 3498221 | New | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal BC-PIN-PCD | Medium | 4.7 |
| 3505293 | New | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) IS-OIL-DS-TD | Medium | 4.3 |
| 3481992 | New | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) BW-BEX-ET-WB-7X | Medium | 4.3 |
| 3481588 | New | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) BW-BEX-ET-WB-7X | Medium | 4.3 |
| 3437585 | New | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) FI-LOC-SRF-RUN | Medium | 4.3 |
| 2256627 | New | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) IS-HER-CM | Low | 2.7 |
| 3496410 | New | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-DWB-TOO-ABA | Low | 2.7 |
| 3507252 | New | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform BC-ABA-LA | Low | 2.0 |
As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our Defenders Digest Newsletter.