SAP Patch Day: November 2024
Critical Patch for SAP Web Dispatcher
Author: Thomas Fritsch
Highlights of November SAP Security Notes analysis include:
SAP has published ten new and updated SAP Security Notes in its November Patch Day, including two High Priority Notes. Three Security Notes were published with contributions from the Onapsis Research Labs.
High Priority SAP Security Note #3483344, tagged with a CVSS score of 7.7, is an update of a note initially released on SAP's July Patch Day. The Onapsis Research Labs (ORL) detected a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE). A remote-enabled function module in SAP PDCE allows a remote attacker to read generic table data, putting the system's confidentiality at high risk. The patch disables the vulnerable function module. The updated note adds a patch for software component SEM-BW 600.
The New High Priority Note in Detail
SAP Security Note #3520281, tagged with a CVSS score of 8.8, is the only new High Priority Note in November. The ORL identified a scenario in SAP Web Dispatcher that allows an unauthenticated attacker to publish a malicious link. When an authenticated user with administrative rights clicks on this link, the input data is used by the web page generation to create content that is either executed in the victim's browser (XSS) or transmitted to another server (SSRF), giving the attacker the ability to execute arbitrary code on the server. This can lead to a full compromise of confidentiality, integrity, and availability. The vulnerability only affects customers who have the Admin UI of SAP Web Dispatcher enabled. In addition to the final patch, SAP also provides three options for a (temporary) workaround:
For further information on prerequisites see the FAQ in SAP Note #3526389.
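Since the note only applies where the Admin UI is enabled, the first thing a practitioner wants is a quick way to tell whether a given Web Dispatcher profile enables it. The following script is an added example written for this article, not code from SAP or from the note: it parses an instance profile and reports any icm/HTTP/admin_<n> handler (the standard SAP profile parameter that activates the ICM/Web Dispatcher administration handler), and can emit a copy of the profile with those handlers commented out. The sample profile is constructed for illustration. Commenting out the Admin UI removes the affected configuration; it is this example's own mitigation, not one of SAP's three documented workarounds, which this page does not reproduce.

```python
import re

# Constructed sample Web Dispatcher instance profile (illustrative values, not
# from the page). The Admin UI is enabled via icm/HTTP/admin_0.
SAMPLE_PROFILE = """\
SAPSYSTEMNAME = WD1
INSTANCE_NAME = W00
# Admin UI enabled: in scope for SAP Security Note #3520281
icm/HTTP/admin_0 = PREFIX=/sap/admin,DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir,AUTHFILE=$(icm/authfile)
icm/server_port_0 = PROT=HTTPS,PORT=44300
"""

ADMIN_KEY = re.compile(r"^icm/HTTP/admin_\d+$")


def parse_profile(text):
    """Return {parameter: value} for a profile, skipping comments and blanks."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        params[key.strip()] = value.strip()
    return params


def admin_ui_handlers(params):
    """Return [(parameter, PREFIX)] for every active Admin UI handler."""
    handlers = []
    for key, value in params.items():
        if ADMIN_KEY.match(key):
            # Sub-options are comma separated KEY=VALUE pairs.
            opts = dict(kv.split("=", 1) for kv in value.split(",") if "=" in kv)
            handlers.append((key, opts.get("PREFIX")))
    return handlers


def admin_ui_enabled(text):
    """True if the profile activates at least one Admin UI handler."""
    return bool(admin_ui_handlers(parse_profile(text)))


def disable_admin_ui(text):
    """Return the profile text with every icm/HTTP/admin_<n> line commented out.

    This is the example's own mitigation (hypothetical), not SAP's workaround.
    """
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip()
        if ADMIN_KEY.match(key):
            out.append("# disabled pending SAP Note #3520281: " + line)
        else:
            out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for key, prefix in admin_ui_handlers(parse_profile(SAMPLE_PROFILE)):
        print(f"Admin UI handler {key} active at prefix {prefix}")
    print(disable_admin_ui(SAMPLE_PROFILE))
```

Run it against a real instance profile by replacing SAMPLE_PROFILE with the file contents; an empty handler list means the Admin UI is not configured in that profile and the system is outside the note's affected scope.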
Onapsis Contribution
Once again, our Onapsis Research Labs (ORL) team contributed to some of the November Security Notes. In addition to the only new High Priority Note #3520281, the team also contributed two Medium Priority Notes.
SAP Security Note #3504390, tagged with a CVSS score of 5.3, affects SAP NetWeaver Application Server for ABAP and ABAP Platform. The team detected that the kernel is vulnerable to a null pointer dereference that can be triggered by an unauthenticated attacker sending maliciously crafted HTTP requests. This results in a restart of the affected disp+work process and therefore slightly impacts the availability of the system.
SAP Security Note #3522953, tagged with a CVSS score of 4.7, patches an Information Disclosure vulnerability in the Software Update Manager (SUM) of SAP NetWeaver Application Server Java. Under certain conditions, version 1.1 of SUM writes plaintext credentials into a log file. This information can be read by a non-administrative user with local access.
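The two conditions that make this note exploitable, credentials written in plaintext and a log file readable by local non-administrative users, can both be checked on an existing host. The script below is an added example written for this article, not SUM's code or SAP's check: it scans log text for unmasked secret-looking key/value pairs and combines that with the file mode to decide whether the finding is actually exposed. The log lines are constructed for illustration; SUM's real log format and file names are not reproduced here.

```python
import os
import re
import stat

# Constructed sample log lines (not from the page or from SUM).
SAMPLE_LOG = """\
2024-11-12 10:01:02 INFO  Connecting to system J2E as user Administrator
2024-11-12 10:01:02 DEBUG jdbc url=jdbc:sap://db01:30015 user=SAPSR3DB password=Welcome1!
2024-11-12 10:01:03 INFO  Login successful
2024-11-12 10:01:05 DEBUG executing step with password=******** (masked)
"""

# Secret-bearing keys followed by "=" or ":" and a non-blank value.
SECRET_RE = re.compile(
    r"\b(password|passwd|pwd|secret|token)\s*[=:]\s*(\S+)", re.IGNORECASE
)
# Values that are already masked (e.g. ********) are not findings.
MASK_RE = re.compile(r"^[*x#]+$", re.IGNORECASE)


def find_plaintext_secrets(text):
    """Return (line_no, key, value) for every unmasked secret in the text."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            key, value = m.group(1), m.group(2)
            if MASK_RE.match(value):
                continue
            hits.append((n, key.lower(), value))
    return hits


def readable_by_others(mode):
    """True if the group or world read bit is set on a file's st_mode."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def assess_log(text, mode):
    """Combine content and permission checks into a single verdict."""
    secrets = find_plaintext_secrets(text)
    return {
        "secrets": secrets,
        "exposed": bool(secrets) and readable_by_others(mode),
    }


def assess_log_file(path):
    """Convenience wrapper for a real file on disk (assumed UTF-8 text)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    return assess_log(text, os.stat(path).st_mode)


if __name__ == "__main__":
    verdict = assess_log(SAMPLE_LOG, 0o644)
    for line_no, key, value in verdict["secrets"]:
        print(f"line {line_no}: plaintext {key} ({len(value)} chars)")
    print("exposed to other local users:", verdict["exposed"])
```

The permission check takes the raw st_mode so it can be evaluated on POSIX systems without touching the filesystem; on Windows the mode bits do not reflect ACLs, so the ACL of the log directory has to be inspected separately.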
Summary & Conclusions
With only ten Security Notes, SAP's November Patch Day represents another calm Patch Day. We are happy that the Onapsis Research Labs could once more contribute to increasing the security of SAP applications. SAP customers can expect much more to come from the ORL in the next few months.
As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.
For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, watch our monthly Defenders Digest or subscribe to The Defenders Monthly on LinkedIn.