On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes.
There were 3 updates to previously released Security Notes.
Notes by severity
| HotNews | 3 |
| Correction with high priority | 1 |
| Correction with medium priority | 10 |
| Correction with low priority | 3 |
Highlights
On May Patch Day SAP presents 4 high-severity Notes, with 3 of them rated as HotNews.
May Patch Day brought us several high priority NetWeaver AS ABAP security updates along with various additional improvements. We will break down essential ones below for you today.
Let us start today’s digest with the usual highly-prioritized 3rd party Google Chromium browser update with the Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client – with a CVSS Score of 10.0.
This note has been re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.
The next in order will be Note 3455438 – Multiple vulnerabilities in SAP CX Commerce – with the CVSS Score of 9.8.
The Note contains a number of corrections dedicated to CSS Injection and Remote Code Execution vulnerabilities correspondingly.
The Swagger UI used by SAP CX Commerce is susceptible to CVE-2019-17495 (CSS injection). This vulnerability puts the application’s confidentiality, integrity, and availability at serious risk by allowing attackers to use the Relative Path Overwrite (RPO) approach in CSS-based input fields. This correction obtains a 9.8 CVSS Score.
SAP CX Commerce with Apache Calcite Avatica 1.18.0 is susceptible to CVE-2022-36364 (Remote code execution) as a result of incorrect initialization. HTTP client instances are created by the Apache Calcite Avatica JDBC driver using the class names that are supplied through the `httpclient_impl} connection attribute. Nevertheless, the driver doesn’t check to see if the class implements the anticipated interface before instantiating it, which may result in remote code execution or code execution loaded via arbitrary classes in unusual circumstances.
This correction obtains a 8.8 CVSS Score.
Further we have a couple on Notes dedicated to SAP NetWeaver AS ABAP security:
The HotNews Note 3448171 – File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform – with a CVSS Score of 9.6.
When a victim accesses a malicious file uploaded by an unauthorized attacker, the attacker can gain total control over the system. More sufficient information for the Note could be found in bonded CVE-2024-33006.
And the Note 3448445 – Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform – with a CVSS Score of 6.5.
An XSS vulnerability arises from SAP NetWeaver Application Server for ABAP and ABAP Platform‘s insufficient encoding of user-controlled inputs. An attacker has the ability to manipulate code that runs in a user’s browser. This can lead to data modification or deletion, including access to or deletion of files, or the theft of session cookies, which an attacker could then use to take control of a user’s session. Thus, this might affect the system’s availability, integrity, and confidentiality.
The next high severity 3431794 Note brings the correction for SAP BusinessObjects Business Intelligence Platform – Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform – with the CVSS Score of 8.1.
An attacker may be able to alter a parameter in the Opendocument URL on the SAP Business Objects Business Intelligence Platform through stored XSS vulnerability, which might have a significant impact on the application’s confidentiality and integrity.
And the last one for the breakdown will be 3441944 Note, interesting to highlight – Missing authorization check in SAP Enable Now Manager – with the CVSS Score of 6.5.
As a result of SAP Enable Now Manager failing to carry out the required authorization checks for an authenticated user, privileges can escalate. The confidentiality of the application will be greatly impacted if the attacker using the role of “Learner” is able to successfully exploit other users’ data in the manager.
That is all for today about the most important May SAP security updates.
Stay safe!
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews |
10.0
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CEC-SCC-PLA-PL | 3455438 | [CVE-2019-17495] Multiple vulnerabilities in SAP CX Commerce | HotNews |
9.8
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-SRV-KPR-CMS | 3448171 | [CVE-2024-33006] File upload vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | HotNews |
9.6
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| BI-BIP-INV | 3431794 | [CVE-2024-28165] Cross site scripting vulnerability in SAP BusinessObjects Business Intelligence Platform | HotNews |
8.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:N |
| KM-SEN-MGR | 3441944 | [CVE-2024-32730] Missing authorization check in SAP Enable Now Manager | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-SRV-GBT-GOS | 3448445 | [CVE-2024-34687] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application server for ABAP and ABAP Platform | medium |
6.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| BC-MID-AC | 3450286 | [CVE-2024-32733] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium |
6.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-EIM-ESH | 3460772 | [CVE-2024-33002] Cross-Site Scripting (XSS) Vulnerability in SAP S/4HANA (Document Service Handler for DPS) | medium |
6.1
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| FI-TV-ODT-MTR | 3447467 | [CVE-2024-32731] Missing Authorization check in SAP My Travel Requests | medium |
5.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L |
| BC-XI-IBD-INF | 2745860 | Information Disclosure in Enterprise Services Repository of SAP Process Integration | medium |
5.3
|
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-SYB-REP | 3349468 | [CVE-2024-33008] Memory Corruption vulnerability in SAP Replication Server | medium |
4.9
|
CVSS:/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| FI-FIO-AR-PAY | 3434666 | [Multiple CVEs] Missing Authorization Checks in SAP S/4 HANA (Manage Bank Statement Reprocessing Rules) | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
| BI-BIP-INV | 3449093 | [CVE-2024-33004] Insecure Storage vulnerability in SAP BusinessObjects Business Intelligence Platform (Webservices) | medium |
4.3
|
CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L |
| BC-XI-IBC | 2174651 | Potential information disclosure relating to PI Integration Directory | medium |
4.3
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| EHS-SAF-GLM | 1938764 | [CVE-2024-33009] SQL injection vulnerability in SAP Global Label Management (GLM) | medium |
4.2
|
CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N |
| FIN-FSCM-CLM-BAM | 3392049 | [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management | low |
3.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
| CA-UI5-SC | 3446076 | [CVE-2024-33007] Client-side script execution vulnerability in SAP UI5(PDFViewer) | low |
3.5
|
CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N |
