SAP Security Notes – February 2024 - Safe O'Clock

SAP Security Notes – February 2024

February 13, 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes.

There were 3 updates to previously released Security Notes.


Notes by severity


HotNews: 2
Correction with high priority: 6
Correction with medium priority: 7
Correction with low priority: 1


Highlights


On February Patch Day SAP presents 8 high-severity Notes, with 2 of them rated as HotNews.


We will start our digest today with the usual update for Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.

This Note has been re-released with updated 'Solution' and 'Support Packages & Patches' information. Although this Note is updated quite frequently, we advise you to pay the attention necessary to keep your Chromium resources up to date.


The next HotNews is security Note 3420923 – Code Injection vulnerability in SAP ABA (Application Basis) – with a CVSS Score of 9.1.

A vulnerable interface of SAP Application Basis could be used by an attacker who has authenticated as a user with authorization for remote execution. This gives the attacker the ability to use the interface to call an application function and carry out operations that they would not typically be permitted to execute. The attacker can render the entire system unavailable and read or alter any user or company data, depending on the action that is performed.


As the opener of our high-severity Notes for today, we will place Note 3417627 – Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) – with a CVSS Score of 8.8.

Before adding the incoming parameters to the redirect URL, the User Admin application of SAP NetWeaver AS for Java encodes them incorrectly and fails to fully validate their values. This gives rise to a Cross-Site Scripting (XSS) vulnerability, which has a significant effect on confidentiality and a less significant effect on integrity and availability.


The next Note for NetWeaver AS Java to highlight is 3426111 – XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) – with a CVSS Score of 8.6.

An unauthenticated attacker can send a malicious request over the network to SAP NetWeaver AS Java (CAF – Guided Procedures) containing a forged XML file. Once the request is parsed, the attacker can read sensitive files and data but cannot modify them. Entity expansion limits are in place, so availability is unaffected.

A weakly configured XML parser is used to process the request data; implementing the corrections presented in the Note safeguards your Guided Procedures.


SAP CRM receives a security patch described in Note 3410875 – Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) – with a CVSS Score of 7.6.

User-controlled inputs in the print preview option of SAP CRM's WebClient UI are not appropriately encoded, which creates a cross-site scripting vulnerability. After successful exploitation, an attacker with low privileges can have only a limited influence on the confidentiality and integrity of the application data.

You can find properly encoded corrections for textareas in the corresponding Note.


For the SAP IDES Systems component, the SAP security team releases a specific patch described in Note 3421659 – Code Injection vulnerability in SAP IDES Systems – with a CVSS Score of 7.4.

Code in SAP IDES ECC* systems allows a user to execute arbitrary program code. Because of this, an attacker can take control of the system's behaviour by running malicious code, which has a low effect on the system's confidentiality, integrity and availability but allows privilege escalation.

* – SAP IDES stands for "Internet Demonstration and Evaluation System": an R/3 System that has been used to trial and test SAP software. These systems contain a significant amount of demo data for various business scenarios that can be run in SAP systems.


Another high-severity Note, 3424610, is dedicated to mitigating a SAP Cloud Connector vulnerability – Improper Certificate Validation in SAP Cloud Connector – with a CVSS Score of 7.4.

As a result of incorrect certificate validation in SAP Cloud Connector, an attacker may pose as a legitimate server and communicate with SCC, circumventing mutual authentication. Consequently, requests to access or edit sensitive information can be intercepted by the attacker. There is no effect on the system's availability.
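The weakness class behind Note 3424610 is a TLS client that does not properly validate the certificate of the server it talks to. As an added illustration (this is not SAP Cloud Connector code and nothing below is taken from the Note itself), the following Python builds a client-side TLS context that validates the server chain against a trust anchor, checks the hostname and can present a client certificate for mutual authentication, places it beside the misconfigured form an auditor looks for, and gives a check that flags the weak settings. The ca_bundle, client_cert and client_key paths are assumed inputs.

```python
import ssl
from typing import List, Optional

# Added example, not SAP code: the two settings that decide whether a TLS
# client can be impersonated are verify_mode (is the chain validated?) and
# check_hostname (does the certificate belong to the host we dialled?).


def hardened_client_context(ca_bundle: Optional[str] = None,
                            client_cert: Optional[str] = None,
                            client_key: Optional[str] = None) -> ssl.SSLContext:
    """Client context that validates the server chain and checks the hostname.

    ca_bundle (assumed path): PEM file with the CA that issues the peer's
    certificate, so only that trust anchor is accepted; without it the
    platform trust store is used. client_cert/client_key (assumed paths)
    are presented to the server for mutual authentication.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # defaults to CERT_REQUIRED + check_hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)
    else:
        ctx.load_default_certs(ssl.Purpose.SERVER_AUTH)
    if client_cert:
        ctx.load_cert_chain(certfile=client_cert, keyfile=client_key)
    return ctx


def weak_client_context() -> ssl.SSLContext:
    """The misconfiguration to look for: any certificate for any name is accepted."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False      # has to be disabled before verify_mode can be relaxed
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return the findings a configuration review should raise for ctx."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode is not CERT_REQUIRED: the server's certificate chain is never validated")
    if not ctx.check_hostname:
        findings.append("check_hostname is False: a valid certificate for any other name is accepted")
    return findings


if __name__ == "__main__":
    print("hardened:", audit_context(hardened_client_context()) or "no findings")
    print("weak:", audit_context(weak_client_context()))
```

A context produced by weak_client_context() will complete a handshake with whatever server answers, which is exactly the position an impersonating server needs; audit_context() reports both relaxed settings so the gap is visible before the client is deployed.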


The last Note to highlight today is an update to Note 3385711 – Information disclosure vulnerability in SAP NetWeaver Application Server ABAP – with a CVSS Score of 7.3.

An unauthorized attacker can obtain confidential and restricted information through SAP NetWeaver Application Server ABAP. Furthermore, this vulnerability permits an unauthorized attacker to create Layout configurations for the ABAP List Viewer, which may have a minimal effect on integrity and availability; for example, it may cause the AS ABAP to respond more slowly.

This Security Note was re-released with an updated title, symptom section and 'Reason and Prerequisites' section to give more precise information about the vulnerability.

Summary


SAP Component | Number | Description | Priority | CVSS | CVSS Vector
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CA-SUR | 3420923 | [CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
BC-JAS-SEC-UME | 3417627 | [CVE-2024-22126] Cross Site Scripting vulnerability in NetWeaver AS Java (User Admin Application) | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
BC-GP | 3426111 | [CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS Java (Guided Procedures) | high | 8.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N
CA-WUI-UI | 3410875 | [CVE-2024-22130] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | high | 7.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:L/A:N
XX-IDES | 3421659 | [CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems | high | 7.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
BC-MID-SCC | 3424610 | [CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector | high | 7.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N
BC-FES-WGU | 3385711 | [CVE-2023-49580] Information disclosure vulnerability in SAP NetWeaver Application Server ABAP | high | 7.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
FIN-FSCM-CLM | 2637727 | [CVE-2024-24739] Missing authorization check in SAP Bank Account Management | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
KM-SEN-CMP | 3404025 | [CVE-2024-22129] Cross-Site Scripting (XSS) vulnerability in SAP Companion | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-FES-ITS | 3360827 | [CVE-2024-24740] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP (SAP Kernel) | medium | 5.3 | CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-FES-BUS | 3396109 | [CVE-2024-22128] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML | medium | 4.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
PA-FIO-OVT | 3237638 | [CVE-2024-25643] Missing authorization check in SAP Fiori app ("My Overtime Requests") | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CA-MDG-APP-MM | 2897391 | [CVE-2024-24741] Missing Authorization check in SAP Master Data Governance Material | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CA-WUI-WKB | 3158455 | [CVE-2024-24742] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 4.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:L/A:N
CA-MDG-ML | 3363690 | [CVE-2023-49058] Directory Traversal vulnerability in SAP Master Data Governance | low | 3.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:N/A:N