SAP Security Notes – March 2024 - Safe O'Clock

March 12, 2024

On the 12th of March 2024, SAP Security Patch Day saw the release of 10 new Security Notes.

There were 2 updates to previously released Security Notes.

Notes by severity

| Priority | Count |
|---|---|
| HotNews | 3 |
| Correction with high priority | 3 |
| Correction with medium priority | 6 |
| Correction with low priority | 0 |

Highlights


On March Patch Day SAP published 6 Notes rated high priority or above, 3 of them HotNews.

The opening HotNews Note for today is the recurring update to Note 2622660, Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS score of 10.0.

This Note has been re-released with updated 'Solution' and 'Support Packages & Patches' information. Although it is updated frequently, each re-release deserves attention: the embedded browser control inherits every Chromium vulnerability fixed upstream, so keep the Chromium resources shipped with SAP Business Client at the version the Note currently names.

Next is Note 3425274, Code Injection vulnerability in applications built with SAP Build Apps, with a CVSS score of 9.4.

The code injection vulnerability tracked as CVE-2019-10744 affects applications created with SAP Build Apps. It lets an attacker without any privileges execute instructions on the system; the impact on confidentiality is low, but the impact on the application's integrity and availability is high. Since the vulnerable code is in the generated applications, the remediation applies to every application built from an affected version, not only to the build tooling.

SAP NetWeaver AS Java receives a patch in Note 3433192, Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in), with a CVSS score of 9.1 (CVE-2024-22127).
An attacker who already holds administrator privileges can upload potentially hazardous files through the Administrator Log Viewer plug-in, resulting in command injection. The attacker can then execute commands with high impact on the application's confidentiality, integrity and availability; the CVSS scope is 'changed', meaning the consequences are not confined to the AS Java instance that was attacked. The high privilege requirement lowers the score but does not remove the risk: a compromised or over-provisioned administrator account is enough.

SAP Commerce Cloud gets a high-priority 'Solution' update in this patch with Note 3346500, Improper authentication in SAP Commerce Cloud, with a CVSS score of 8.8 (CVE-2023-39439).

In some installations, user ID and passphrase authentication accepts an empty passphrase, so a user can log into SAP Commerce Cloud without supplying one at all. After applying the Note, a worthwhile check is a login attempt with a valid user ID and an empty passphrase, which must be rejected.

This Note, originally released on the 8th of August 2023, has been re-released with updated 'Solution' information.

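The failure class behind the Commerce Cloud Note is easy to reproduce in miniature. The following is an added example, not code from SAP or from Commerce Cloud: a credential check whose passphrase comparison is guarded by "if a passphrase was supplied", next to a version that fails closed. The user name, salt, passphrase and iteration count are constructed for the example.

```python
import hashlib
import hmac

# Constructed credential store for the example: one user, PBKDF2-SHA256.
# The user name, salt and passphrase are made up; the iteration count is
# kept low only so the example runs quickly.
ITERATIONS = 20_000
_SALT = b"example-salt-not-secret"


def _derive(passphrase: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, ITERATIONS)


USERS = {
    "alice": (_SALT, _derive("correct horse battery staple", _SALT)),
}


def authenticate_vulnerable(user_id: str, passphrase: str) -> bool:
    """Illustrates the weakness class: the comparison only runs when a
    passphrase was supplied, so an empty string never reaches it and the
    login falls through as a success."""
    record = USERS.get(user_id)
    if record is None:
        return False
    salt, expected = record
    if passphrase and not hmac.compare_digest(_derive(passphrase, salt), expected):
        return False
    return True  # BUG: reached for an empty passphrase as well


def authenticate_fixed(user_id: str, passphrase: str) -> bool:
    """Fail closed: empty or blank credentials are rejected before any lookup,
    and the comparison always runs for known users."""
    if not user_id or not passphrase.strip():
        return False
    record = USERS.get(user_id)
    if record is None:
        _derive(passphrase, _SALT)  # same cost for unknown users: no user enumeration by timing
        return False
    salt, expected = record
    return hmac.compare_digest(_derive(passphrase, salt), expected)


def smoke_test() -> dict:
    """Outcomes a post-patch login check should produce for both variants."""
    return {
        "vulnerable_empty": authenticate_vulnerable("alice", ""),
        "fixed_empty": authenticate_fixed("alice", ""),
        "fixed_valid": authenticate_fixed("alice", "correct horse battery staple"),
        "fixed_wrong": authenticate_fixed("alice", "wrong"),
    }


if __name__ == "__main__":
    print(smoke_test())
```

The vulnerable variant rejects a wrong passphrase correctly, which is why the bug survives ordinary testing; only the empty-input case, the one the Note describes, slips through.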
Another high-priority fix to highlight is Note 3410615, Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced, with a CVSS score of 7.5.

This is the SAP HANA XS fix for CVE-2023-44487, the HTTP/2 'Rapid Reset' issue. An unauthenticated attacker opens a large number of HTTP/2 streams and cancels each of them immediately; the server still allocates state and starts work for every request, so the flood can exhaust memory and severely affect the application's availability. The integrity and confidentiality of the application are unaffected. Exposure is highest where the XS HTTP endpoints are reachable from untrusted networks.

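The mitigation pattern for this class of attack is a per-connection cap on how many streams a client may cancel within a short window; a connection that exceeds it is closed with GOAWAY. The following is an added example, not code from SAP HANA or any HTTP/2 implementation: a sliding-window guard fed with constructed frame events for three client connections. The thresholds, connection names and traffic shapes are assumptions chosen for the example.

```python
from collections import defaultdict, deque


class RapidResetGuard:
    """Per-connection sliding-window limit on client-sent RST_STREAM frames.

    A client that opens streams and cancels them at once still makes the
    server allocate state and start work for every request; capping the rate
    of cancellations per connection bounds that amplification. The limits are
    assumptions for this example, not values from any product."""

    def __init__(self, max_resets: int = 20, window_s: float = 1.0) -> None:
        self.max_resets = max_resets
        self.window_s = window_s
        self._resets = defaultdict(deque)  # conn -> timestamps of recent RST_STREAM
        self._open = defaultdict(set)      # conn -> currently open stream ids
        self._closed = set()               # conns already answered with GOAWAY

    def observe(self, ts: float, conn: str, frame: str, stream_id: int) -> str:
        """Feed one frame; return "ok", "goaway" (limit just tripped) or
        "dropped" (frame arrived on a connection we already closed)."""
        if conn in self._closed:
            return "dropped"
        if frame == "HEADERS":
            self._open[conn].add(stream_id)
            return "ok"
        if frame == "RST_STREAM":
            self._open[conn].discard(stream_id)
            recent = self._resets[conn]
            recent.append(ts)
            while recent and ts - recent[0] > self.window_s:
                recent.popleft()  # slide the window forward
            if len(recent) > self.max_resets:
                self._closed.add(conn)
                return "goaway"
        return "ok"


def build_sample_events():
    """Constructed traffic (not a capture): (seconds, conn, frame, stream_id)."""
    events = []
    # c-benign: 30 requests over 3 s, streams left open until the server answers
    for i in range(30):
        events.append((i * 0.1, "c-benign", "HEADERS", 2 * i + 1))
    # c-slow: one request every 0.2 s, each cancelled right away (5 resets/s)
    for i in range(50):
        events.append((i * 0.2, "c-slow", "HEADERS", 2 * i + 1))
        events.append((i * 0.2, "c-slow", "RST_STREAM", 2 * i + 1))
    # c-rapid: 200 open-then-cancel pairs inside 0.2 s
    for i in range(200):
        events.append((i * 0.001, "c-rapid", "HEADERS", 2 * i + 1))
        events.append((i * 0.001, "c-rapid", "RST_STREAM", 2 * i + 1))
    events.sort(key=lambda e: e[0])  # stable: HEADERS stays before its RST_STREAM
    return events


def evaluate(events, **limits):
    """Run the guard over an event list. Returns ({conn: verdict}, frames
    dropped after the connection was closed)."""
    guard = RapidResetGuard(**limits)
    verdict, dropped = {}, 0
    for ts, conn, frame, sid in events:
        result = guard.observe(ts, conn, frame, sid)
        if result == "goaway":
            verdict[conn] = "goaway"
        elif result == "dropped":
            dropped += 1
        verdict.setdefault(conn, "ok")
    return verdict, dropped


if __name__ == "__main__":
    verdicts, dropped = evaluate(build_sample_events())
    print(verdicts, "frames dropped after GOAWAY:", dropped)
```

With the default limit of 20 resets per second, the rapid-reset connection is closed on its 21st cancellation and the rest of its frames are discarded, while the slow canceller, which never has more than 6 resets in any one-second window, stays open. Tuning matters: set the limit too low and legitimate clients that cancel prefetches are cut off, which the third call in the test shows.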
And the last one to describe is Note 3414195, Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console), with a CVSS score of 7.2.
The version of Apache Struts bundled with the SAP BusinessObjects BI Platform CMC is affected by CVE-2023-50164, a path traversal in Struts file upload handling which, per the Struts advisory, can under some circumstances lead to a malicious file being uploaded and then executed. A user with elevated privileges could exploit it in the CMC, with high impact on the application's confidentiality, integrity and availability.

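Both the Log Viewer Note (3433192) and the BI Platform Note (3414195) come down to a privileged user handing the server a file and a name for it. The following is an added example of the validation an upload handler should apply to a client-supplied file name; it is not code from SAP, NetWeaver or Apache Struts, and it does not replace applying either Note, since the Struts fix is in the library itself. The upload directory, the extension allowlist and the sample names are constructed for the example.

```python
import os
import posixpath
from urllib.parse import unquote

# Assumed allowlist for the example; a real deployment takes this from its upload policy.
ALLOWED_EXTENSIONS = {".pdf", ".png", ".csv", ".log"}


class UploadRejected(ValueError):
    """Raised when a client-supplied file name fails validation."""


def safe_upload_path(base_dir: str, client_filename: str) -> str:
    """Return the absolute path where the upload may be written, or raise.

    Order matters: decode percent-encoding once, reject NUL bytes, treat both
    separator styles as separators, refuse anything that is not a bare file
    name, check the extension, and finally confirm the resolved path is still
    inside base_dir after symlinks and '..' have been resolved."""
    name = unquote(client_filename)
    if "\x00" in name:
        raise UploadRejected("NUL byte in file name")
    name = name.replace("\\", "/")
    if name in ("", ".", "..") or posixpath.basename(name) != name:
        raise UploadRejected("file name must be a bare name without directory parts")
    if os.path.splitext(name)[1].lower() not in ALLOWED_EXTENSIONS:
        raise UploadRejected("file type not allowed")
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise UploadRejected("resolved path escapes the upload directory")
    return target


def is_accepted(base_dir: str, client_filename: str) -> bool:
    try:
        safe_upload_path(base_dir, client_filename)
        return True
    except UploadRejected:
        return False


# Constructed sample names an upload handler might see, with the expected outcome.
SAMPLE_NAMES = {
    "report.pdf": True,
    "Report.PDF": True,                  # extension check is case-insensitive
    "../../etc/passwd": False,
    "..\\..\\Windows\\win.ini": False,   # backslashes count as separators
    "%2e%2e%2fconfig.pdf": False,        # ../config.pdf after one decode
    "/etc/shadow": False,
    "report.pdf\x00.jsp": False,         # NUL truncation trick
    "shell.jsp": False,                  # not on the allowlist
    "..": False,
}


def check_samples(base_dir: str = "/srv/uploads") -> dict:
    """Run every sample name through the validator; compare with SAMPLE_NAMES."""
    return {name: is_accepted(base_dir, name) for name in SAMPLE_NAMES}


if __name__ == "__main__":
    for name, ok in check_samples().items():
        print(f"{'accept' if ok else 'reject'}: {name!r}")
```

The last containment check looks redundant after the bare-name rule, and for these inputs it is; it is kept because it is the one check that still holds if an earlier rule is loosened later or if base_dir itself contains a symlink.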
That is all for today about the most important March SAP security updates.
Stay safe!

| SAP Component | Note | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CA-LCA-ACP | 3425274 | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps | HotNews | 9.4 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:H |
| BC-JAS-ADM-LOG | 3433192 | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in) | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| CEC-SCC-PLA-PL | 3346500 | [CVE-2023-39439] Improper authentication in SAP Commerce Cloud | High | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
| HAN-AS-XS | 3410615 | [CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced | High | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| BI-BIP-CMC | 3414195 | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console) | High | 7.2 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H |
| BC-FES-WGU | 3377979 | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI) | Medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BC-ESI-WS-JAV-RT | 3425682 | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM) | Medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| EP-PIN-APF-OPR | 3428847 | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal) | Medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-XI-IBF-UI | 3434192 | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages) | Medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| PA-FIO-LEA | 3417399 | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server | Medium | 4.6 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:N |
| BC-SRV-APS-APJ | 3419022 | [CVE-2024-27900] Missing Authorization check in SAP ABAP Platform | Medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |

The vectors for Notes 2622660, 3425274 and 3425682 are given as they recompute to the listed scores: a 10.0 requires AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H, a 9.4 with low confidentiality impact requires an unprivileged network attacker, and a 5.3 with low confidentiality impact is only reachable with AV:N.