SAP Patch Day: September 2024

Calm Patch Day without any new HotNews and High Priority Notes

Author: Thomas Fritsch

Highlights of September SAP Security Notes analysis include:

  • September Summary: Nineteen new and updated SAP security patches released, including updates to one HotNews Note and one High Priority Note
  • Updated Notes: Review of updated notes strongly recommended
  • Onapsis Research Labs Contribution: Our team supported SAP in patching twelve vulnerabilities covered by seven SAP Security Notes

SAP has published nineteen new and updated SAP Security Notes in its September Patch Day, including updates to one HotNews Note and one High Priority Note.

HotNews Note #3479478, tagged with a CVSS score of 9.8, was initially released on SAP’s August Patch Day and patches a Missing Authentication Check vulnerability in SAP BusinessObjects Business Intelligence Platform. The updated note provides workaround instructions for customers who can’t apply the patch immediately. In addition, the validity of the note was extended to release 420 of the Enterprise software component.

High Priority Note #3459935, tagged with a CVSS score of 7.4, patches an Information Disclosure vulnerability in SAP Commerce Cloud. Customers who already applied the patch after its initial release in August should review the note since SAP has updated the fixing version from SAP Commerce Cloud Update Release 2211.27 to SAP Commerce Cloud Update Release 2211.28.

Onapsis Contribution

Once more, the Onapsis Research Labs (ORL) significantly contributed to SAP’s Patch Day. The team supported SAP in patching twelve vulnerabilities, covered by seven SAP Security Notes.

SAP Security Notes #3497347 and #3501359, both tagged with a CVSS score of 6.1, patch Cross-Site Scripting vulnerabilities in eProcurement on S/4HANA and CRM Blueprint Application Builder Panel. Weak encoding and insufficient validation of user-controlled input allow attackers to inject malicious scripts that are executed by unsuspecting users. This gives attackers the ability to access and/or modify information with low impact on confidentiality and integrity.

SAP Security Note #3488341, tagged with a CVSS score of 6.5, patches a Missing Authorization Check vulnerability in SAP Production and Revenue Accounting. A remote-enabled function module of an obsolete application interface allows generic reading of arbitrary table data. SAP has patched the issue by adding an appropriate authorization check. Keeping the function module unpatched could lead to disclosure of highly sensitive data.

SAP Security Note #3488039, tagged with a CVSS score of 5.4, patches six Missing Authorization Check vulnerabilities in various RFC-enabled function modules that can be used to alter the Easy Access menu of legitimate users in a malicious way. Most of the vulnerabilities have a low impact on the integrity and availability of the application. Only one vulnerability affects confidentiality. Nevertheless, one of the vulnerabilities, tracked under CVE-2024-45285, allows a low-privileged attacker to send a crafted packet to the vulnerable function module targeting a specific user. This user will no longer have access to any functionality of SAP GUI and will thus experience a total loss of application availability. All vulnerable function modules have been patched by no longer allowing external access.

SAP Security Note #3505293, tagged with a CVSS score of 4.3, patches a Missing Authorization Check vulnerability in SAP for Oil & Gas. Due to the missing authorization check, an attacker with non-administrative user privileges could call a remote-enabled function module which will allow them to delete entries in a user data table. The patch adds an appropriate authorization check.

SAP Security Notes #3481588 and #3481992, both tagged with a CVSS score of 4.3, patch two Information Disclosure vulnerabilities in SAP BW (BEx Analyzer). Due to missing authorization checks, they allow an authenticated attacker to access information over the network which is otherwise restricted.
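The fix pattern described above for notes #3488341, #3505293 and #3488039 (a remote-enabled function module reading or changing data without an authorization check, fixed by adding one) is illustrated here as an added ABAP example; it is not SAP's code, and the function module Z_HYPO_READ_TABLE, its parameters and the choice of the S_TABU_NAM authorization object are hypothetical.

```abap
FUNCTION z_hypo_read_table.
*"----------------------------------------------------------------------
*"*"Hypothetical interface (module flagged Remote-Enabled in its attributes):
*"  IMPORTING
*"     VALUE(iv_tabname)  TYPE tabname
*"     VALUE(iv_max_rows) TYPE i DEFAULT 100
*"  EXPORTING
*"     VALUE(ev_rowcount) TYPE i
*"  EXCEPTIONS
*"     not_authorized
*"     table_not_found
*"----------------------------------------------------------------------
  DATA lr_rows TYPE REF TO data.
  FIELD-SYMBOLS <lt_rows> TYPE STANDARD TABLE.

  " HARDENED: verify that the calling user may display (ACTVT '03') the
  " requested table by name. S_TABU_NAM is SAP's standard object for
  " table access by table name. The vulnerable variant of such a module
  " is identical except that this block is missing, so any user who can
  " reach the module via RFC can dump any table.
  AUTHORITY-CHECK OBJECT 'S_TABU_NAM'
    ID 'ACTVT' FIELD '03'
    ID 'TABLE' FIELD iv_tabname.
  IF sy-subrc <> 0.
    RAISE not_authorized.
  ENDIF.

  " Build an internal table of the requested line type and read it.
  TRY.
      CREATE DATA lr_rows TYPE STANDARD TABLE OF (iv_tabname).
    CATCH cx_sy_create_data_error.
      RAISE table_not_found.
  ENDTRY.
  ASSIGN lr_rows->* TO <lt_rows>.

  SELECT * FROM (iv_tabname)
    INTO TABLE @<lt_rows>
    UP TO @iv_max_rows ROWS.
  ev_rowcount = lines( <lt_rows> ).
ENDFUNCTION.
```

The second fix the post mentions, no longer allowing external access, is not a source change: it is done by switching the module's processing type away from Remote-Enabled in its function module attributes.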

Summary & Conclusions

With no new HotNews and no new High Priority Notes, SAP’s September Patch Day represents another calm Patch Day. A significant number of the SAP Security Notes patch Missing Authorization Check vulnerabilities in RFC-enabled function modules. It is with great pleasure that the Onapsis Research Labs have been able to contribute to the identification of a significant number of these vulnerabilities.

SAP Note Table 1
SAP Note Table 2

As always, the Onapsis Research Labs are already updating The Onapsis Platform to incorporate the newly published vulnerabilities into the product so that our customers can protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, watch our monthly Defenders Digest or subscribe to The Defenders Monthly on LinkedIn.
