On the 11th of June 2024, SAP Security Patch Day saw the release of 10 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity
Severity | Count |
---|---|
HotNews | 0 |
Correction with high priority | 2 |
Correction with medium priority | 8 |
Correction with low priority | 2 |
Highlights
On the June Patch Day SAP released 2 high-severity Notes, none of them rated as HotNews.
Although the June Patch Day brings only a few high-priority vulnerabilities, here is what deserves your attention first in this month’s SAP Security Notes update.
We start today’s digest with the SAP Financial Consolidation security patch, Note 3457592 – Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation – with a CVSS score of 8.1.
Two vulnerabilities in SAP Financial Consolidation are addressed in this security note:
Reflected XSS: SAP Financial Consolidation lets data from an untrusted source enter the web application. The affected endpoints are reachable over the network, and a user who accesses them can alter the content of the website. A successful attacker could seriously compromise the application’s integrity and confidentiality.
Stored XSS: This XSS vulnerability stems from SAP Financial Consolidation’s inadequate encoding of user-controlled input. The affected endpoints are reachable over the network, and the vulnerability can affect resources beyond the vulnerable component. A successful attacker could only slightly compromise the application’s confidentiality.
Additional information on the corrections and prerequisites for this Note can be found in the CVE-2024-37177 and CVE-2024-37178 entries respectively.
The next high-severity security Note to highlight is Note 3460407 – Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) – with a CVSS score of 7.5.
Unrestricted access to the Meta Model Repository services lets attackers launch denial-of-service (DoS) attacks against SAP NetWeaver AS Java, which could prevent legitimate users from using the application. This has little effect on integrity and confidentiality but a significant impact on the application’s availability.
Another Note to bring forward is the medium-severity Note 3453170 – Denial of service (DOS) in SAP NetWeaver and ABAP platform – with a CVSS score of 6.5.
By overloading or disrupting the service, an attacker might obstruct legitimate users’ ability to access SAP NetWeaver and the ABAP platform.
This Denial of Service vulnerability may result in long response times and service outages, degrading the quality of service that authorized users receive and significantly affecting the application’s availability.
SAP Document Builder received a patch today in the form of Note 3459379 – Unrestricted file upload in SAP Document Builder (HTTP service) – with a CVSS score of 6.5.
An authenticated attacker can upload malicious files to the SAP Document Builder service. Once such a file is accessed, the attacker is able to view or alter the associated content, or to prevent the victim’s browser from displaying it.
The last Note with a CVSS score of 6.5 today is Note 3466175 – Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files).
The Manage Incoming Payment Files application (F1680) of SAP S/4HANA fails to perform the required authorization checks for an authenticated user, which leads to privilege escalation. This has little effect on the system’s availability or confidentiality but a significant impact on its integrity.
Today’s patch was a good start to SAP’s summer security improvement season. We look forward to informing you of every significant vulnerability this summer.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
EPM-BFC-TCL | 3457592 | [CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
BC-DWB-JAV-MMR | 3460407 | [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
SV-SMG-SDD | 3453170 | [CVE-2024-33001] Denial of service (DOS) in SAP NetWeaver and ABAP platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
CA-GTF-DOB | 3459379 | [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
FI-FIO-AR-PAY | 3466175 | [CVE-2024-34691] Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N |
CA-WUI-UI | 3465129 | [CVE-2024-34686] Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-MID-AC | 3450286 | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BW4-DM-TRFN | 3465455 | [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP | medium | 5.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L |
IS-HER-CM-AD | 3457265 | [CVE-2024-34690] Missing Authorization check in SAP Student Life Cycle Management (SLcM) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N |
BC-GP | 3425571 | [CVE-2024-28164] Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
FI-CF-INF | 2638217 | Switchable Authorization Checks in Central Finance Infrastructure Components | low | 3.9 | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L |
BI-BIP-PUB | 3441817 | [CVE-2024-34684] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) | low | 3.7 | CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N |
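To make the table above usable for patch triage, here is an added example (not part of the original post or of any SAP tooling) that recomputes each Note's CVSS v3.0 base score from its published vector and flags the Notes reachable over the network without any privileges (AV:N with PR:N). The twelve rows are copied from the table; the metric weights and formulas are those of the FIRST CVSS v3.0 specification.

```python
import re
# CVSS v3.0 base-metric weights from the FIRST specification.
AV = {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.2}
AC = {"L": 0.77, "H": 0.44}
UI = {"N": 0.85, "R": 0.62}
CIA = {"H": 0.56, "L": 0.22, "N": 0.0}
PR = {"U": {"N": 0.85, "L": 0.62, "H": 0.27}, "C": {"N": 0.85, "L": 0.68, "H": 0.5}}  # keyed by scope
VECTOR_RE = re.compile(r"^CVSS:3\.[01]/" + "/".join(f"{m}:(?P<{m}>[A-Z])" for m in "AV AC PR UI S C I A".split()) + "$")

def roundup(x):
    # Round up to one decimal with integer arithmetic (v3.1's Roundup) so float noise cannot flip a score.
    i = round(x * 100000)
    return i / 100000.0 if i % 10000 == 0 else (i // 10000 + 1) / 10.0

def parse_vector(vector):
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError(f"malformed CVSS v3 vector: {vector}")
    return m.groupdict()

def base_score(vector):
    v = parse_vector(vector)
    changed = v["S"] == "C"
    iss = 1 - (1 - CIA[v["C"]]) * (1 - CIA[v["I"]]) * (1 - CIA[v["A"]])
    impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15 if changed else 6.42 * iss
    exploitability = 8.22 * AV[v["AV"]] * AC[v["AC"]] * PR[v["S"]][v["PR"]] * UI[v["UI"]]
    if impact <= 0:
        return 0.0
    return roundup(min((1.08 if changed else 1.0) * (impact + exploitability), 10))

# The twelve June 2024 rows from the table above: (SAP Note, published score, vector).
JUNE_2024_NOTES = [
    ("3457592", 8.1, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N"),
    ("3460407", 7.5, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H"),
    ("3453170", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"),
    ("3459379", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L"),
    ("3466175", 6.5, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N"),
    ("3465129", 6.1, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
    ("3450286", 6.1, "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N"),
    ("3465455", 5.5, "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:L/A:L"),
    ("3457265", 5.4, "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N"),
    ("3425571", 5.3, "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N"),
    ("2638217", 3.9, "CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:L/A:L"),
    ("3441817", 3.7, "CVSS:3.0/AV:L/AC:H/PR:H/UI:R/S:C/C:L/I:L/A:N"),
]

def triage(notes=JUNE_2024_NOTES):
    """(recomputed score, note, unauthenticated-remote flag) per row, highest score first."""
    v = {n: parse_vector(vec) for n, _, vec in notes}
    return sorted(((base_score(vec), n, v[n]["AV"] == "N" and v[n]["PR"] == "N") for n, _, vec in notes), reverse=True)
```

Comparing `base_score` against the published column confirms all twelve scores; `triage()` puts the two high-priority Notes and the three unauthenticated XSS/information-disclosure Notes at the top of the list.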