SAP Security Notes – February 2024 - Safe O'Clock

SAP Security Notes – February 2024

February 13, 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes.

There were 3 updates to previously released Security Notes.

 

Notes by severity

 

HotNews 2
Correction with high priority 6
Correction with medium priority 7
Correction with low priority 1

 

Highlights


On February Patch Day SAP presents 8 high-severity Notes, with 2 of them rated as HotNews.

 

We will start our digest today with the usual update for the Note 2622660Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10. 

This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information. Despite this Note has been updated pretty frequently, we advise you to pay the attention necessary to keep your Chromium resources up-to-date.

 

The next HotNews will be the security Note 3420923 for SAP ABACode Injection vulnerability in SAP ABA (Application Basis) – with a CVSS Score of 9.1.

A vulnerable interface of SAP Application Basis could be used by an attacker who has authenticated as a user with authorization for remote execution. This gives the attacker the ability to use the interface to call an application function and carry out operations that they would not typically be permitted to execute. The attacker can render the entire system unavailable and read or alter any user or company data, depending on the action that is performed.

 

As for the opener of our high severity Notes for today we will place the Note 3417627Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) – with a CVSS Score of 8.8.

Before adding the incoming parameters into the redirect URL, SAP NetWeaver AS for Java‘s User Admin application incorrectly encodes and fails to fully check the values of the parameters. This gives rise to a vulnerability known as Cross-Site Scripting (XSS), which has a significant effect on confidentiality and a less significant effect on integrity and availability.

 

The next Note for NetWeaver AS Java to highlight will be 3426111XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) – with a CVSS Score of 8.6.

An unauthenticated attacker can send a malicious request over the network using SAP NetWeaver AS Java (CAF – Guided Procedures) and a forged XML file. Once the request is parsed, the attacker can access sensitive files and data but cannot modify them. To ensure that availability is unaffected, expansion limitations are in place.

Weakly configured XML parser is used to process the request data, but now you can implement the corrections presented in the Note to saveguard you Guided Procedures.

 

SAP CRM receives a security patch described in the Note 3410875Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) – with a CVSS Score of 7.6.

SAP CRM‘s print preview option User-controlled inputs are not appropriately encoded by WebClient UI, which creates a cross-site scripting vulnerability. After a successful exploitation, an attacker with low privileges can only have a limited influence on the application data’s confidentiality and integrity.

You can find properly encoded corrections for textareas in the corresponding Note.

 

For SAP IDES Systems component security team releases a specific patch described in the Note 3421659Code Injection vulnerability in SAP IDES Systems – with a CVSS Score of 7.4.

Code in SAP IDES ECC* systems allows the user to execute whatever program code they like. Because of this, an attacker can take control of the system’s behavior by running malicious code, which has little effect on the system’s confidentiality, integrity, or availability but has the ability to escalate privileges.

* – SAP IDES stands for “Internet Demonstration and Evaluation System” in the R/3 System which has been used to trial and test SAP software. These systems contain a significant amount of demo data for various business scenarios that can be run in the SAP systems.

 

Another high-severity Note 3424610 is dedicated to SAP Cloud Connector vulnerability mitigation – Improper Certificate Validation in SAP Cloud Connector – with a CVSS Score of 7.4.

An attacker may pose as a legitimate server and communicate with SCC, circumventing mutual authentication, as a result of incorrect certificate validation in SAP Cloud Connector. Therefore, the request to access or edit sensitive information can be intercepted by the attacker.There is no effect on the system’s availability.

 

The last Note to highlight today is an update for the Note 3385711Information disclosure vulnerability in SAP NetWeaver Application Server ABAP – with a CVSS Score of 7.3.

An unauthorized attacker can obtain confidential and restricted information through SAP NetWeaver Application Server ABAP. Furthermore, this vulnerability permits an unauthorized attacker to establish Layout configurations for the ABAP List Viewer, which may have a minimal effect on integrity and availability. For example, it may cause the AS ABAP to respond more slowly.
This Security Note was re-released with updated title, symptom section and Reason and Prerequisites to give more precise information about the vulnerability.

Summary

 

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS: 3.0/AV:N/ AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CA-SUR 3420923 [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
BC-JAS-SEC-UME 3417627 [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) high 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
BC-GP 3426111 [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) high 8.6 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CA-WUI-UI 3410875 [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) high 7.6 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
XX-IDES 3421659 [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems high 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
BC-MID-SCC 3424610 [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector high 7.4 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
BC-FES-WGU 3385711 [CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP high 7.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
FIN-FSCM-CLM 2637727 [CVE-2024-24739] Missing authorization check in SAP Bank Account Management medium 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
KM-SEN-CMP 3404025 [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-FES-ITS 3360827 [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) medium 5.3 CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-FES-BUS 3396109 [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML medium 4.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
PA-FIO-OVT 3237638 [CVE-2024-25643] Missing authorization check in SAP Fiori app ("My Overtime Requests") medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CA-MDG-APP-MM 2897391 [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CA-WUI-WKB 3158455 [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) medium 4.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CA-MDG-ML 3363690 [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance low 3.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK