On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity

Priority | Count |
---|---|
HotNews | 0 |
Correction with high priority | 3 |
Correction with medium priority | 9 |
Correction with low priority | 0 |
Highlights
April Patch Day brought 3 high-severity Notes and no HotNews Notes.
There were no HotNews Notes this month, but a decent number of high-severity ones. We also describe some of the newly released and updated medium-severity Notes below.
First, SAP NetWeaver AS Java received a high-severity patch with Note 3434839 – Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine – CVSS Score 8.8.
The “Self-Registration” and “Modify your own profile” functions of the User Admin Application in NetWeaver AS Java did not apply appropriate security constraints to the content of a newly defined security answer. An attacker can use this to severely compromise confidentiality, with a limited impact on integrity and availability; per the vector (AV:N/AC:L/PR:N/UI:R/S:C), no privileges are required, but user interaction is needed, and the scope is changed.
The User Admin Application did not enforce these criteria on the Security Answer's content for historical reasons, so we advise you to give this patch attention on your systems.
The next patch to talk about is Note 3421384 – Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence – CVSS Score 7.7.
Owing to inadequate validation, the SAP BusinessObjects Business Intelligence Launch Pad allows an authenticated attacker (PR:L) to obtain operating system information by means of a specially crafted document. Successful exploitation can significantly impact the application's confidentiality.
Next is a patch for SAP Asset Accounting, Note 3438234 – Directory Traversal vulnerability in SAP Asset Accounting – CVSS Score 7.2.
In SAP Asset Accounting, a high-privileged attacker can exploit insufficient validation of a user-supplied path that is passed on to file APIs. This has a high impact on the application's confidentiality, integrity and availability.
Corresponding workarounds and solutions are presented in the ‘Solution’ section of the Note.
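As an added example (not SAP's code, and not the correction shipped with the Note, whose ABAP internals are not published), the following Python shows the generic defect behind this class of finding, a user-supplied relative path joined to a base directory and handed straight to file APIs, beside a containment check that rejects `..` traversal, absolute paths, NUL bytes, and symlinks that leave the directory. The export directory, file names and traversal inputs are constructed for the demonstration.

```python
"""Path-containment check for the vulnerability class behind Note 3438234.

Added example, not SAP's code. Directory and file names are hypothetical,
constructed for the demonstration; the test directory is created in a
temporary location and removed afterwards.
"""
import os
import tempfile


def vulnerable_resolve(base_dir: str, user_path: str) -> str:
    """The defect: join and use. '..' segments escape base_dir, and an
    absolute user_path makes os.path.join discard base_dir entirely."""
    return os.path.join(base_dir, user_path)


def safe_resolve(base_dir: str, user_path: str) -> str:
    """Resolve user_path under base_dir; raise ValueError if it escapes."""
    if "\x00" in user_path:
        raise ValueError("NUL byte in path")
    if os.path.isabs(user_path):
        raise ValueError("absolute paths are not allowed")
    base_real = os.path.realpath(base_dir)
    # realpath collapses '..' and follows symlinks, so a link inside the
    # directory that points outside it is caught as well.
    target = os.path.realpath(os.path.join(base_real, user_path))
    # commonpath rather than startswith: '/srv/export' must not accept
    # '/srv/export2/...'.
    if os.path.commonpath([base_real, target]) != base_real:
        raise ValueError(f"path escapes {base_dir}: {user_path!r}")
    return target


def classify(base_dir: str, candidates) -> dict:
    """Map each candidate to 'ok' or 'rejected' according to safe_resolve."""
    results = {}
    for candidate in candidates:
        try:
            safe_resolve(base_dir, candidate)
            results[candidate] = "ok"
        except ValueError:
            results[candidate] = "rejected"
    return results


# Constructed inputs in the shapes a traversal attempt takes.
CANDIDATES = [
    "reports/FY2023_depreciation.csv",  # legitimate relative path
    "../../../etc/passwd",              # classic traversal
    "reports/../../secrets.txt",        # traversal hidden mid-path
    "../export2/x.csv",                 # sibling dir a startswith() check misses
    "/etc/passwd",                      # absolute path swallows base_dir in join
    "reports/ok.csv\x00.pdf",           # NUL truncation trick
    "link/secret.txt",                  # through a symlink that leaves the dir
]


def demo() -> dict:
    """Create a temporary export directory (with an escaping symlink),
    classify CANDIDATES, and record that the vulnerable version escapes."""
    with tempfile.TemporaryDirectory() as tmp:
        base = os.path.join(tmp, "export")
        outside = os.path.join(tmp, "outside")
        os.makedirs(os.path.join(base, "reports"))
        os.makedirs(outside)
        os.symlink(outside, os.path.join(base, "link"))
        results = classify(base, CANDIDATES)
        naive = os.path.normpath(vulnerable_resolve(base, "../../../etc/passwd"))
        results["vulnerable_resolve_escapes"] = not naive.startswith(base + os.sep)
    return results


if __name__ == "__main__":
    for path, verdict in demo().items():
        print(f"{verdict!s:>8}  {path!r}")
```

The check compares canonical paths with `os.path.commonpath` rather than a string prefix, because a prefix test would accept a sibling directory whose name merely begins with the base directory's name. The same containment logic applies whatever the file API behind it, which is the point of the Note's description.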
That covers the high-severity Notes; some medium-severity Notes deserve an honorable mention. Note 3442741 – Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) – CVSS Score 6.8.
The open-source busybox shell (ash.c:6030) has a stack overflow vulnerability which, if exploited, allows arbitrary code execution from the command line inside a container image. No commands can be executed through the application itself, however, and the vulnerability can only be exploited by someone who already has unrestricted access to the running containers, which the vector's AV:A/PR:H reflects. Under those conditions the impact on confidentiality, integrity and availability is high.
Another medium-severity Note is 3359778 – Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform – CVSS Score 6.5.
An authenticated attacker can block access to a service of the ABAP Application Server of SAP NetWeaver and the ABAP Platform, either by flooding the service or by crashing it. This has a high impact on availability.
Finally, it is worth mentioning the re-released update to Note 3164677 – Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request) – CVSS Score 6.5.
The Note has been re-released with updated ‘Correction instruction’ information: SAP added prerequisite Note 3149225 to the correction instruction, and the Note itself now describes both situations in detail.
That is all for today about the most important April SAP security updates.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-JAS-SEC-UME | 3434839 | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
BI-RA-WBI | 3421384 | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
FI-AA-AA-A | 3438234 | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
LOD-HCI-PI-OP-NM | 3442741 | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) | medium | 6.8 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
BC-CST-DP | 3359778 | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
FIN-CS-CDC-DC | 3442378 | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
PA-FIO-LEA | 3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
MM-FIO-PUR-REQ-SSP | 3156972 | [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-ESI-WS-JAV-RT | 3425188 | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-MID-BUS | 3421453 | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector | medium | 4.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
FIN-FSCM-CLM-BAM | 3427178 | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
FIN-FSCM-CLM-BAM | 3430173 | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |