SAP Security Notes – April 2024 - Safe O'Clock

SAP Security Notes – April 2024

April 9, 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 2 updates to previously released Security Notes.


Notes by severity


HotNews 0
Correction with high priority 3
Correction with medium priority 9
Correction with low priority 0


Highlights


April Patch Day brought no HotNews Notes, but it did bring 3 high-priority Notes. We describe those below, along with some of the newly released and updated medium-priority Notes.

First of all, SAP NetWeaver AS Java received a high-priority patch with Note 3434839 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine – with a CVSS score of 8.8.
The "Self-Registration" and "Modify your own profile" functions of the User Admin Application in NetWeaver AS Java do not apply the appropriate security constraints to the content of a newly defined security answer. An attacker can use this to severely compromise confidentiality, with a low impact on integrity and availability. Note the vector: no privileges are required, only user interaction, and the scope is changed.
The User Admin Application did not enforce security criteria for the security answer's content for historical reasons, so we advise you to prioritize this patch for your systems.

The next patch to mention is Note 3421384 – Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence – with a CVSS score of 7.7.
Owing to inadequate validation, the SAP BusinessObjects Business Intelligence Launch Pad allows an authenticated attacker to obtain operating system information using a specially crafted document. Successful exploitation has a high impact on the confidentiality of the application; the attack is reachable over the network with low privileges and no user interaction.

Next we have a patch for SAP Asset Accounting, Note 3438234 – Directory Traversal vulnerability in SAP Asset Accounting – with a CVSS score of 7.2.
Through SAP Asset Accounting, a high-privileged attacker can exploit inadequate validation of a user-provided path that is passed on to file APIs. Successful exploitation has a high impact on the confidentiality, integrity and availability of the application.
Workarounds and the solution are described in the 'Solution' section of the Note.
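The pattern behind a directory traversal of this kind, shown as an added example that is neither SAP's code nor taken from Note 3438234 (the Note does not publish its internals): the base directory, file names and function names are hypothetical. The broken "join and trust" pattern sits next to a check that normalises the path and verifies it still lies inside the intended directory, and a constructed list of probe inputs exercises both.

```python
"""Path containment check for a file API fed with user-supplied paths.

Added example (not SAP's code and not taken from Note 3438234). BASE_DIR,
the file names and the function names are hypothetical.
"""
import posixpath

BASE_DIR = "/srv/sap/asset_docs"  # hypothetical export directory


def unsafe_path(user_path, base_dir=BASE_DIR):
    """The vulnerable pattern: string concatenation straight into a file API.
    '../' segments and absolute paths are passed through untouched."""
    return base_dir + "/" + user_path


def safe_path(user_path, base_dir=BASE_DIR):
    """Resolve user_path under base_dir and refuse anything that escapes it.

    Checks, in order: no empty input or embedded NUL (which truncates paths in
    C-level file APIs), no absolute path, and after normalising '.' and '..'
    the result must still have base_dir as its directory prefix. The prefix
    test uses commonpath, so '/srv/sap/asset_docs_old/x' is rejected even
    though it starts with the same characters as base_dir.
    """
    if not user_path or "\x00" in user_path:
        raise ValueError("empty path or embedded NUL byte")
    if posixpath.isabs(user_path):
        raise ValueError("absolute paths are not accepted")
    candidate = posixpath.normpath(posixpath.join(base_dir, user_path))
    if posixpath.commonpath([base_dir, candidate]) != base_dir:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return candidate


def classify(user_path):
    """Return 'accepted' or 'rejected' so a probe table can be run offline."""
    try:
        safe_path(user_path)
        return "accepted"
    except ValueError:
        return "rejected"


# Constructed probe inputs of the kind a pentester would try against such an API.
PROBES = [
    "2024/asset_4711.pdf",          # legitimate relative path
    "../../../etc/passwd",          # classic traversal
    "2024/../../other/secret.txt",  # traversal hidden mid-path
    "/etc/passwd",                  # absolute path
    "../asset_docs_old/x.txt",      # sibling dir sharing the prefix string
    "2024/report.pdf\x00.txt",      # NUL truncation attempt
    "./2024/./asset_4711.pdf",      # harmless dot segments
]

if __name__ == "__main__":
    for probe in PROBES:
        print(f"{classify(probe):8} {probe!r:32} unsafe -> {unsafe_path(probe)!r}")
```

When the directory exists on disk, resolve both `base_dir` and the candidate with `os.path.realpath` before the `commonpath` comparison, otherwise a symlink planted inside the export directory can still point outside it.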

That's it for the high-priority Notes; a few medium-priority Notes deserve an honorable mention. First, Note 3442741 – Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) – with a CVSS score of 6.8.
The open-source busybox shell (ash.c:6030) has a stack overflow vulnerability that allows arbitrary code execution from the command line inside a container image. No commands can be executed through the application itself, and the vulnerability can only be exploited by someone who already has unrestricted access to running containers (the vector requires adjacent network access and high privileges). Under those conditions it has a high impact on confidentiality, integrity and availability.

Another medium-priority Note is 3359778 – Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform – with a CVSS score of 6.5.
An authenticated attacker can block access to a service on the ABAP Application Server of SAP NetWeaver and the ABAP Platform by flooding or crashing it. This has a high impact on availability and none on confidentiality or integrity.

Last for today, it is worth mentioning the released update to Note 3164677 – Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) – with a CVSS score of 6.5.
The Note has been re-released with updated 'Correction instruction' information: SAP added prerequisite Note 3149225 to the correction instruction, and the Note now describes both situations in detail.

That is all for today about the most important April SAP security updates.
Stay safe!

SAP Component | Number | Description | Priority | CVSS | CVSS Vector
BC-JAS-SEC-UME | 3434839 | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
BI-RA-WBI | 3421384 | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
FI-AA-AA-A | 3438234 | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
LOD-HCI-PI-OP-NM | 3442741 | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | medium | 6.8 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
BC-CST-DP | 3359778 | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
FIN-CS-CDC-DC | 3442378 | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
PA-FIO-LEA | 3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
MM-FIO-PUR-REQ-SSP | 3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-ESI-WS-JAV-RT | 3425188 | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-MID-BUS | 3421453 | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | medium | 4.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N
FIN-FSCM-CLM-BAM | 3427178 | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
FIN-FSCM-CLM-BAM | 3430173 | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N