On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity

Priority | Number of Notes |
---|---|
HotNews | 3 |
Correction with high priority | 3 |
Correction with medium priority | 6 |
Correction with low priority | 0 |
Highlights
On March Patch Day SAP presents 6 high-severity Notes, with 3 of them rated as HotNews.
The recurring update to Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – opens today's HotNews Notes, with a CVSS Score of 10.
This Note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information. Although it is updated frequently, we advise you to give it the attention needed to keep your Chromium resources up to date.
A vulnerability in applications built with SAP Build Apps is covered by the next Note, 3425274 – Code Injection vulnerability in applications built with SAP Build Apps – with a CVSS Score of 9.4.
The code injection vulnerability, tracked as CVE-2019-10744, affects applications created with SAP Build Apps. It allows attackers to execute instructions on the system without authorization, with a minimal impact on confidentiality but a high impact on the application’s integrity and availability.
SAP NetWeaver AS Java received a patch in Note 3433192 – Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) – with a CVSS Score of 9.1.
An attacker with elevated rights can upload potentially hazardous files through the Administrator Log Viewer plug-in, resulting in a command injection vulnerability. This would allow the attacker to execute commands, with a serious impact on the application’s availability, confidentiality, and integrity.
SAP Commerce Cloud receives a high-priority update to the ‘Solution’ information in Note 3346500 – Improper authentication in SAP Commerce Cloud – with a CVSS Score of 8.8.
In some installations the user ID and passphrase fields accept an empty passphrase, so users may be able to log into SAP Commerce Cloud without a passphrase.
This Note, originally released on August 8th, 2023, has been re-released with updated ‘Solution’ information.
Another high-priority fix to highlight today is Note 3410615 – Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced – with a CVSS Score of 7.5.
An unauthorized user can launch a denial-of-service attack against SAP HANA XS Classic and HANA XS Advanced over the network by sending a large number of HTTP/2 requests and then cancelling them. This can flood memory and have a significant impact on the application’s availability; the integrity and confidentiality of the application are unaffected.
The last Note to describe is Note 3414195 – Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) – with a CVSS Score of 7.2.
The version of Apache Struts used by the SAP BusinessObjects Business Intelligence Platform CMC is susceptible to CVE-2023-50164. It could be exploited by a user with elevated privileges, with a serious effect on the application’s availability, confidentiality, and integrity.
That is all for today about the most important March SAP security updates.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
CA-LCA-ACP | 3425274 | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps | HotNews | 9.4 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
BC-JAS-ADM-LOG | 3433192 | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
CEC-SCC-PLA-PL | 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
HAN-AS-XS | 3410615 | [CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BI-BIP-CMC | 3414195 | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) | high | 7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
BC-FES-WGU | 3377979 | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
BC-ESI-WS-JAV-RT | 3425682 | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM) | medium | 5.3 | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
EP-PIN-APF-OPR | 3428847 | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-XI-IBF-UI | 3434192 | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
PA-FIO-LEA | 3417399 | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server | medium | 4.6 | CVSS:/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
BC-SRV-APS-APJ | 3419022 | [CVE-2024-27900] Missing Authorization check in SAP ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |