SAP Security Notes – January 2024 - Safe O'Clock

SAP Security Notes – January 2024

January 18, 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 2 updates to previously released Security Notes.


Notes by severity

HotNews: 3
Correction with high priority: 4
Correction with medium priority: 4
Correction with low priority: 1


Highlights


On January Patch Day SAP presents 7 high-severity Notes, with 3 of them rated as HotNews.

Let us start with the patch for SAP Business Application Studio and SAP Web IDE – Note 3412456 – Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA – with a CVSS Score of 9.1.

Applications written in Node.js using the aforementioned development platforms and intended for deployment to the SAP BTP or Cloud Foundry environment may be susceptible to CVE-2023-49583 under specific circumstances.

SAP Edge Integration Cell received a patch with Note 3413475 – Escalation of Privileges in SAP Edge Integration Cell – with a CVSS Score of 9.1.
Due to CVE-2023-49583 and CVE-2023-50422, SAP Edge Integration Cell permits privilege escalation under specific circumstances. The component depends on the SAP BTP Security Services Integration Libraries and Programming Infrastructures. Upon successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.

The next Note to highlight is the update for Note 3411067 – Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries – with a CVSS Score of 9.1.
The specialized programming infrastructures and integration libraries for SAP BTP Security Services permit privilege escalation under specific circumstances. Upon successful exploitation, an unauthenticated attacker can obtain arbitrary permissions within the application.
This Note has been re-released with enhancements in the ‘Symptom’, ‘Reason and Prerequisites’ and ‘Solution’ sections.

That was it for the HotNews Notes; the high-severity ones are described next.


SAP Application Interface Framework received Note 3411869 – Code Injection vulnerability in SAP Application Interface Framework (File Adapter) – with a CVSS Score of 8.4.
A high-privilege user of the SAP Application Interface Framework File Adapter can directly execute OS commands and traverse multiple layers via a function module. This gives the user control over how the application behaves and has a significant effect on confidentiality, integrity and availability.

Another high-severity Note to describe is Note 3389917 – Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform – with a CVSS Score of 7.5.
An unauthorized user can launch a denial-of-service (DoS) attack over the network against SAP Web Dispatcher, SAP NetWeaver Application Server ABAP and ABAP Platform by sending a large number of HTTP/2 requests and then cancelling them. This can flood memory and have a significant impact on the application’s availability. The integrity and confidentiality of the application are unaffected.

SAP GUI, specifically the connector for Microsoft Edge, gets a patch with Note 3386378 – Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) – with a CVSS Score of 7.4.
Under specific circumstances, the SAP GUI connector extension for Microsoft Edge allows an attacker to access highly sensitive information that would normally be restricted, with a significant impact on confidentiality.

The last Note to describe is Note 3407617 – Improper Authorization check in SAP LT Replication Server – with a CVSS Score of 7.3.
SAP LT Replication Server does not carry out the required authorization checks. This might give a highly privileged attacker the opportunity to perform unintended actions that escalate their privileges, which would seriously jeopardize the system’s confidentiality, integrity and availability.

Summary


| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| CA-BAS-S8D | 3412456 | [CVE-2023-49583] Escalation of Privileges in applications developed through SAP Business Application Studio, SAP Web IDE Full-Stack and SAP Web IDE for SAP HANA | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| BC-CP-IS-EDG-DPL | 3413475 | [Multiple CVEs] Escalation of Privileges in SAP Edge Integration Cell | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| BC-CP-CF-SEC-LIB | 3411067 | [Multiple CVEs] Escalation of Privileges in SAP Business Technology Platform (BTP) Security Services Integration Libraries | HotNews | 9.1 | CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N |
| BC-SRV-AIF | 3411869 | [CVE-2024-21737] Code Injection vulnerability in SAP Application Interface Framework (File Adapter) | high | 8.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-IC | 3389917 | [CVE-2023-44487] Denial of service (DOS) in SAP Web Dispatcher, SAP NetWeaver Application server ABAP, and ABAP Platform | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| BC-FES-CTL | 3386378 | [CVE-2024-22125] Information Disclosure vulnerability in Microsoft Edge browser extension (SAP GUI connector for Microsoft Edge) | high | 7.4 | CVSS:/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:N/A:N |
| CA-LT-SLT | 3407617 | [CVE-2024-21735] Improper Authorization check in SAP LT Replication Server | high | 7.3 | CVSS:3.1/AV:A/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:H |
| FIN-FSCM-PF-IHB | 3260667 | [CVE-2024-21736] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | medium | 6.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N |
| BC-JAS-SEC | 3324732 | [CVE-2023-31405] Log Injection vulnerability in SAP NetWeaver AS for Java (Log Viewer) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N |
| BC-SRV-COM | 3387737 | [CVE-2024-21738] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver ABAP Application Server and ABAP Platform | medium | 4.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:N/A:N |
| BC-CST-IC | 3392626 | [CVE-2024-22124] Information Disclosure vulnerability in SAP NetWeaver Internet Communication Manager | medium | 4.1 | CVSS:3.0/AV:L/AC:H/PR:H/UI:N/S:U/C:H/I:N/A:N |
| CEC-MKT-DM-CON | 3190894 | [CVE-2024-21734] URL Redirection vulnerability in SAP Marketing (Contacts App) | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:N |