On the 12th of November 2024, SAP Security Patch Day saw the release of 8 new Security Notes.
There were 2 updates to previously released Security Notes.
Notes by severity
Severity | Count |
---|---|
HotNews | 0 |
Correction with high priority | 2 |
Correction with medium priority | 6 |
Correction with low priority | 2 |
Highlights
On the November Patch Day SAP presents 2 high-severity Notes, with none of them rated as HotNews.
The November SAP Security Patch Day brought a handful of new corrections compared with the usual number of Notes. However, there are a couple we feel obliged to bring to your attention.
To start, Note 3520281 for SAP Web Dispatcher came with a high-priority correction – Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher – with a CVSS Score of 8.8.
A malicious link can be created by an unauthenticated attacker and made publicly accessible. When an authenticated victim clicks on this malicious link, the website page generation uses the input data to create content that, when run in the victim’s browser (XSS) or sent to another server (SSRF), allows the attacker to run arbitrary code on the server, completely jeopardizing availability, confidentiality, and integrity.
The next high-severity Note is the update to Note 3483344 – Missing Authorization check in SAP PDCE – with a CVSS Score of 7.7.
When PDCE components fail to carry out the required authorization checks for an authenticated user, privileges are escalated.
This note has been re-released with updated ‘Correction Instruction’ information.
The medium-severity Notes follow for you to take a look at:
Firstly, Note 3335394 – Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory) – with a CVSS Score of 6.5.
An unauthorized user can access and change certain restricted global SLD configurations because SAP NetWeaver AS Java (System Landscape Directory) lacks an authorization check, which has no effect on the application’s confidentiality and integrity.
SAP NetWeaver AS Java receives an additional Note to apply, 3393899 – Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application) – with a CVSS Score of 5.3.
SAP NetWeaver AS for Java makes it possible for an unauthenticated attacker to find valid user IDs by brute forcing the login process. This affects confidentiality but not availability or integrity.
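The weakness above leaves a characteristic trace: one source failing logons against many different user IDs in a short time, rather than many attempts against one account. The following detection routine is an added example (not SAP code and not SAP's real logon log format); the log lines are constructed for illustration, and the column layout, window and threshold are assumptions to adapt to your own log source.

```python
"""Flag sources whose failed logons span many distinct user IDs within a short
window: the footprint a user-ID enumeration attempt leaves on a logon page.
Added example; the log format below is constructed, not SAP's own."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: ISO timestamp, source address, user ID, outcome.
SAMPLE_LOG = """\
2024-11-12T09:00:01 10.0.0.5 j.doe FAILED
2024-11-12T09:00:02 10.0.0.5 admin FAILED
2024-11-12T09:00:02 10.0.0.5 sapadm FAILED
2024-11-12T09:00:03 10.0.0.5 test FAILED
2024-11-12T09:00:03 10.0.0.5 backup FAILED
2024-11-12T09:00:04 10.0.0.5 j.smith FAILED
2024-11-12T09:00:05 10.0.0.5 ops FAILED
2024-11-12T09:00:05 10.0.0.5 hr FAILED
2024-11-12T09:00:06 10.0.0.5 finance FAILED
2024-11-12T09:00:06 10.0.0.5 mail FAILED
2024-11-12T09:00:10 10.0.0.9 j.doe FAILED
2024-11-12T09:00:15 10.0.0.9 j.doe FAILED
2024-11-12T09:00:20 10.0.0.9 j.doe SUCCESS
"""


def parse(text):
    """Turn the constructed log text into (timestamp, source, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), src, user, outcome))
    return events


def enumeration_suspects(events, window=timedelta(seconds=60), threshold=8):
    """Return {source: max distinct user IDs seen failing inside one `window`}
    for every source that reaches `threshold`. Repeated failures against a
    single account (a password guess) do not trip this rule; only breadth
    across user IDs does, which is what distinguishes enumeration."""
    failed_by_src = defaultdict(list)
    for ts, src, user, outcome in sorted(events):
        if outcome == "FAILED":
            failed_by_src[src].append((ts, user))

    suspects = {}
    for src, fails in failed_by_src.items():
        best, start = 0, 0
        for end in range(len(fails)):
            # Slide the window start forward until it fits within `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            distinct = len({user for _, user in fails[start:end + 1]})
            best = max(best, distinct)
        if best >= threshold:
            suspects[src] = best
    return suspects


if __name__ == "__main__":
    for src, count in enumeration_suspects(parse(SAMPLE_LOG)).items():
        print(f"{src}: {count} distinct user IDs failed within the window")
```

In the constructed sample, 10.0.0.5 is reported (ten distinct IDs in six seconds) while 10.0.0.9, which retried one account and then succeeded, is not. Tune `window` and `threshold` against a baseline from your own logon logs before alerting on the result.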
Another Note is 3509619 – Local Privilege Escalation in SAP Host Agent – with a CVSS Score of 6.3.
Local files typically protected by privileged access could be replaced by an attacker who obtains local membership in the sapsys group. If the attack is successful, the attacker may seriously compromise the application’s integrity and confidentiality.
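The Host Agent issue is a file-replacement problem: a member of a local group can overwrite files that should only be writable with privileged access, and a group-writable directory is enough to swap a file out even when the file itself is read-only. A small audit of a directory tree for group- or world-writable entries is the check a defender would run after patching. This is an added example, not SAP's tooling; it builds its own sample tree in a temporary directory rather than inspecting any real SAP installation path.

```python
"""Audit a directory tree for files and directories writable by group or other.
Added example; the sample tree is constructed, not an SAP installation layout."""
import os
import stat
import tempfile


def writable_by_others(root):
    """Return sorted (relative path, octal mode) for every regular file and
    directory under `root` whose mode grants write to group or other.
    Directories are included deliberately: a writable directory lets a group
    member replace the files inside it regardless of those files' own modes."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        # "" stands for the directory itself, the rest are its files.
        for name in [""] + filenames:
            full = os.path.join(dirpath, name) if name else dirpath
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue  # symlink modes are not meaningful here
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((os.path.relpath(full, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_sample_tree():
    """Create a constructed tree: one group-writable directory and one
    group-writable file (both findings), plus correctly restricted entries."""
    root = tempfile.mkdtemp()
    os.chmod(root, 0o755)
    layout = {
        "exe": 0o775,          # directory writable by group: files inside are replaceable
        "etc": 0o755,
        "exe/agent": 0o755,
        "exe/helper": 0o775,   # file writable by group
        "etc/profile": 0o644,
    }
    for rel, mode in layout.items():
        path = os.path.join(root, rel)
        if "." not in rel and rel in ("exe", "etc"):
            os.mkdir(path)
        else:
            with open(path, "w") as fh:
                fh.write("placeholder content\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    for rel, mode in writable_by_others(build_sample_tree()):
        print(f"group/world-writable: {rel} ({mode})")
```

Run it against the real installation directory of the component you are checking; every entry it lists is a path a local group member could alter, and for directories that means any file they contain.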
We will be right here to provide you with the most notable Security Notes through the upcoming winter.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-CST-WDP | 3520281 | [CVE-2024-47590] Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H |
FIN-BA | 3483344 | [CVE-2024-39592] Missing Authorization check in SAP PDCE | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
BC-CCM-SLD | 3335394 | [CVE-2024-42372] Missing Authorization check in SAP NetWeaver AS Java (System Landscape Directory) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N |
BC-CCM-HAG | 3509619 | [CVE-2024-47595] Local Privilege Escalation in SAP Host Agent | medium | 6.3 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:N |
BC-JAS-SEC | 3393899 | [CVE-2024-47592] Information Disclosure Vulnerability in SAP NetWeaver Application Server Java (Logon Application) | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
BC-ABA-LA | 3504390 | [CVE-2024-47586] NULL Pointer Dereference vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 5.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
BC-UPG-TLS-TLJ | 3522953 | [CVE-2024-47588] Information Disclosure vulnerability in SAP NetWeaver Java (Software Update Manager) | medium | 4.7 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:N/A:N |
BC-FES-WGU | 3508947 | [CVE-2024-47593] Information Disclosure Vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
FIN-FSCM-CLM-COP | 3498470 | [CVE-2024-47587] Missing authorization check in SAP Cash Management (Cash Operations) | low | 3.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |
FIN-FSCM-CLM-BAM | 3392049 | [CVE-2024-33000] Missing Authorization check in SAP Bank Account Management | low | 3.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:L/I:N/A:N |