SAP Security Notes – May 2024 - Safe O'Clock

SAP Security Notes – May 2024

May 14, 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes.

There were 3 updates to previously released Security Notes.

Notes by severity

HotNews: 3
Correction with high priority: 1
Correction with medium priority: 10
Correction with low priority: 3


Highlights


On May Patch Day SAP presents 4 high-severity Notes, with 3 of them rated as HotNews.

May Patch Day brought us several SAP NetWeaver AS ABAP security updates, one of them HotNews, along with various additional improvements. We break down the essential ones below.

Let us start today's digest with the usual high-priority third-party update, Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.0.
This Note has been re-released with updated 'Solution' and 'Support Packages & Patches' information.

Next in order is Note 3455438 – Multiple vulnerabilities in SAP CX Commerce – with a CVSS Score of 9.8.
The Note bundles corrections for two third-party components: a CSS injection in Swagger UI and a remote code execution in Apache Calcite Avatica.
The Swagger UI shipped with SAP CX Commerce is affected by CVE-2019-17495 (CSS injection): an attacker can use the Relative Path Overwrite (RPO) technique to inject CSS through CSS-based input fields, with a high impact on the application's confidentiality, integrity and availability. This correction carries a CVSS Score of 9.8.
SAP CX Commerce with Apache Calcite Avatica 1.18.0 is affected by CVE-2022-36364 (remote code execution), caused by incorrect initialization. The Avatica JDBC driver creates its HTTP client instance from a class name supplied through the `httpclient_impl` connection attribute, but does not verify that the class implements the expected interface before instantiating it. Any class reachable on the classpath can therefore be loaded and constructed, which in unusual circumstances leads to remote code execution.

This correction carries a CVSS Score of 8.8.
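To make the CVE-2022-36364 pattern concrete, here is an added example in Python (it is not Avatica's or SAP's code): a loader that instantiates whatever class a connection attribute names, beside one that checks the class implements the expected interface before its constructor runs. Only the attribute name `httpclient_impl` comes from the CVE description; the `HttpClient` interface, the `DefaultHttpClient` and `NotAClient` classes, the connection string and the name resolution inside the example's own module are all constructed for illustration.

```python
"""Unchecked class instantiation from a connection attribute (CVE-2022-36364 pattern)
beside the checked form. Added example; the names below are assumptions, not Avatica's."""
import importlib
import sys
from abc import ABC, abstractmethod

# Records constructor side effects so the demo can show which loader triggered them.
CONSTRUCTOR_LOG = []


class HttpClient(ABC):
    """The interface the driver expects the class named by httpclient_impl to implement (assumed name)."""

    @abstractmethod
    def send(self, request: str) -> str: ...


class DefaultHttpClient(HttpClient):
    """Legitimate implementation."""

    def send(self, request: str) -> str:
        return "200 OK <- " + request


class NotAClient:
    """Unrelated class whose constructor runs attacker-chosen logic; it stands in for any
    class reachable on the classpath with a side-effectful constructor or static initializer."""

    def __init__(self):
        CONSTRUCTOR_LOG.append("NotAClient constructor ran")


def parse_connection_attrs(url: str) -> dict:
    """Split 'jdbc:avatica:remote:url=...;httpclient_impl=...' into its key=value attributes."""
    _, _, attrs = url.partition("remote:")
    pairs = (p.split("=", 1) for p in attrs.split(";") if "=" in p)
    return {k.strip(): v.strip() for k, v in pairs}


def resolve_class(name: str):
    """Resolve a class name: dotted names import a module (as a classloader would);
    bare names are looked up in this example module."""
    module_name, _, class_name = name.rpartition(".")
    module = importlib.import_module(module_name) if module_name else sys.modules[__name__]
    return getattr(module, class_name)


def instantiate_unchecked(attrs: dict):
    """Vulnerable pattern: construct whatever class the attribute names, no type check."""
    return resolve_class(attrs.get("httpclient_impl", "DefaultHttpClient"))()


def instantiate_checked(attrs: dict) -> HttpClient:
    """Fixed pattern: verify the class implements HttpClient *before* its constructor runs."""
    name = attrs.get("httpclient_impl", "DefaultHttpClient")
    cls = resolve_class(name)
    if not (isinstance(cls, type) and issubclass(cls, HttpClient)):
        raise TypeError(f"{name} does not implement HttpClient; refusing to instantiate it")
    return cls()


def demo() -> dict:
    """Feed the same attacker-controlled connection string (constructed) to both loaders."""
    url = "jdbc:avatica:remote:url=http://db.internal:8765;httpclient_impl=NotAClient"
    attrs = parse_connection_attrs(url)
    CONSTRUCTOR_LOG.clear()
    instantiate_unchecked(attrs)  # the side effect fires before anything could inspect the object
    ran_unchecked = len(CONSTRUCTOR_LOG)
    CONSTRUCTOR_LOG.clear()
    try:
        instantiate_checked(attrs)
        rejected = False
    except TypeError:
        rejected = True
    return {"unchecked_constructor_calls": ran_unchecked,
            "checked_rejected": rejected,
            "checked_constructor_calls": len(CONSTRUCTOR_LOG)}


if __name__ == "__main__":
    print(demo())
```

The check has to sit between resolving the class and constructing it: once a constructor (or, in Java, a static initializer) has run, inspecting the returned object is too late. An allowlist of known implementation names is stricter still and is the better choice when the set of legitimate clients is fixed.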

Further, we have a couple of Notes dedicated to SAP NetWeaver AS ABAP security:
The HotNews Note 3448171 – File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform – with a CVSS Score of 9.6.
An unauthenticated attacker can upload a malicious file to the server; when a victim accesses that file, the attacker can gain complete control of the system. The vector (PR:N/UI:R) reflects exactly this: no privileges required, one victim interaction needed. Further details are in the associated CVE-2024-33006.
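The Note does not say which upload path is affected, so the following is an added example of generic defences for this vulnerability class, not SAP's correction: an upload validator that ignores the client-supplied filename and Content-Type, requires a single allow-listed extension that the file's magic bytes confirm, stores the file under a server-chosen name, and serves downloads with headers that keep the browser from rendering the content in the application's origin. The allowlist, the size limit and the sample files are constructed for the example.

```python
"""Upload validation and safe download headers for the file-upload vulnerability class.
Added example; the allowlist, limits and samples are assumptions, not SAP's implementation."""
import hashlib
import os

# extension -> (accepted magic-byte prefixes, MIME type to serve). Constructed allowlist.
ALLOWED = {
    "pdf": ((b"%PDF-",), "application/pdf"),
    "png": ((b"\x89PNG\r\n\x1a\n",), "image/png"),
    "jpg": ((b"\xff\xd8\xff",), "image/jpeg"),
}
MAX_BYTES = 10 * 1024 * 1024  # assumed limit


class UploadRejected(ValueError):
    """Raised with the reason an upload fails validation."""


def validate_upload(filename: str, data: bytes) -> tuple:
    """Return (extension, mime) if the upload passes, else raise UploadRejected.
    Neither the client's filename nor its Content-Type is trusted: path components are
    dropped, exactly one allow-listed extension is required, and the content must start
    with that type's magic bytes."""
    if len(data) > MAX_BYTES:
        raise UploadRejected("too large")
    base = os.path.basename(filename)
    if base.count(".") != 1:
        raise UploadRejected("exactly one extension required")
    ext = base.rsplit(".", 1)[1].lower()
    if ext not in ALLOWED:
        raise UploadRejected(f"extension .{ext} not allowed")
    magics, mime = ALLOWED[ext]
    if not any(data.startswith(m) for m in magics):
        raise UploadRejected("content does not match declared type")
    return ext, mime


def stored_name(data: bytes, ext: str) -> str:
    """Server-chosen storage name derived from the content, never from the user's filename."""
    return hashlib.sha256(data).hexdigest() + "." + ext


def download_headers(ext: str, mime: str, original_name: str) -> dict:
    """Headers that force a download, forbid MIME sniffing and neutralise markup if it is
    rendered anyway, so a stored file cannot run script in the application's origin."""
    safe = "".join(c for c in os.path.basename(original_name) if c.isalnum() or c in "._-")
    return {
        "Content-Type": mime,
        "Content-Disposition": f'attachment; filename="{safe or "download." + ext}"',
        "X-Content-Type-Options": "nosniff",
        "Content-Security-Policy": "default-src 'none'",
    }


# Constructed sample uploads covering the cases the validator must handle.
SAMPLES = {
    "report.pdf": b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
    "invoice.pdf": b"<html><script>alert(1)</script></html>",  # HTML disguised as PDF
    "pic.png.html": b"\x89PNG\r\n\x1a\n",                        # double extension
    "../../etc/shell.pdf": b"%PDF-1.4",                         # traversal in the name
}


def triage(samples: dict) -> dict:
    """Run each sample through validate_upload; map name -> verdict."""
    verdicts = {}
    for name, data in samples.items():
        try:
            ext, _ = validate_upload(name, data)
            verdicts[name] = "accepted as " + ext
        except UploadRejected as e:
            verdicts[name] = "rejected: " + str(e)
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SAMPLES).items():
        print(f"{name!r}: {verdict}")
```

Note that the traversal sample is accepted: the path is reduced to its basename and the content is a PDF, so the dangerous part (the directory) never reaches the filesystem, and the stored name is chosen by the server anyway.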

And Note 3448445 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform – with a CVSS Score of 6.5.
The XSS arises from insufficient encoding of user-controlled input in SAP NetWeaver Application Server for ABAP and ABAP Platform. An attacker can inject script that runs in a user's browser, which can lead to data modification or deletion, including access to or deletion of files, or to theft of session cookies that the attacker can then use to take over the user's session. Confidentiality, integrity and availability are all affected, each to a low degree (C:L/I:L/A:L).


The next Note is the month's one high-priority (not HotNews) Note, 3431794 – Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform – with a CVSS Score of 8.1.
Through a stored XSS vulnerability, an attacker may be able to alter a parameter in the Opendocument URL of SAP BusinessObjects Business Intelligence Platform, which can have a high impact on the application's confidentiality and integrity.

The last one for the breakdown, worth highlighting, is Note 3441944 – Missing authorization check in SAP Enable Now Manager – with a CVSS Score of 6.5.
SAP Enable Now Manager fails to perform the required authorization checks for an authenticated user, which allows privilege escalation: an attacker holding the "Learner" role can access other users' data in the Manager, with a high impact on confidentiality.

That is all for today about the most important May SAP security updates.

Stay safe!



SAP Component | Note | Description | Priority | CVSS | CVSS Vector
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CEC-SCC-PLA-PL | 3455438 | [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-SRV-KPR-CMS | 3448171 | [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | HotNews | 9.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
BI-BIP-INV | 3431794 | [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N
KM-SEN-MGR | 3441944 | [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-SRV-GBT-GOS | 3448445 | [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L
BC-MID-AC | 3450286 | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-EIM-ESH | 3460772 | [CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
FI-TV-ODT-MTR | 3447467 | [CVE-2024-32731] Missing Authorization check in SAP My Travel Requests | medium | 5.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
BC-XI-IBD-INF | 2745860 | Information Disclosure in Enterprise Services Repository of SAP Process Integration | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
BC-SYB-REP | 3349468 | [CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H
FI-FIO-AR-PAY | 3434666 | [Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
BI-BIP-INV | 3449093 | [CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices) | medium | 4.3 | CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
BC-XI-IBC | 2174651 | Potential information disclosure relating to PI Integration Directory | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
EHS-SAF-GLM | 1938764 | [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM) | medium | 4.2 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
FIN-FSCM-CLM-BAM | 3392049 | [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management | low | 3.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N
CA-UI5-SC | 3446076 | [CVE-2024-33007] Client-side script execution vulnerability in SAP UI5(PDFViewer) | low | 3.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N