On the 10th of September 2024, SAP Security Patch Day saw the release of 16 new Security Notes.
There were 3 updates to previously released Security Notes.
Notes by severity

Severity | Count |
---|---|
HotNews | 1 |
Correction with high priority | 1 |
Correction with medium priority | 14 |
Correction with low priority | 3 |
Highlights
On September Patch Day SAP presents 2 high-severity Notes, none of them rated as HotNews.
In fact, September Patch Day is most interesting for maintaining the security of SAP BusinessObjects, due to the HotNews critical Note. In today's digest we will cover medium-severity Notes as well.
We start the digest with the re-release of the high-severity Note 3479478 – Missing Authentication check in SAP BusinessObjects Business Intelligence Platform – with a CVSS score of 9.8.
If Enterprise authentication is set for Single Sign-On in SAP BusinessObjects Business Intelligence Platform, an unauthorized user can obtain a logon token via a REST endpoint. The attacker can completely compromise the system, with a high impact on availability, confidentiality, and integrity.
This note has been re-released with updated ‘validity’ and additional ‘Workaround’ information in the ‘Solution’ section.
The next high-severity Note to describe is 3459935 – Information Disclosure Vulnerability in SAP Commerce Cloud – with a CVSS score of 7.4.
Passwords, email addresses, phone numbers, coupon codes, and voucher codes are examples of Personally Identifiable Information (PII) that can be supplied in the request URL as query or path parameters for some OCC API endpoints in SAP Commerce Cloud. If successfully exploited, this could have a high impact on the application's confidentiality and integrity.
This Note has also been re-released with updated 'Solution' information. The current SAP Commerce Cloud Update Release 2211.28 is the latest and will contain all fixes.
Next come several medium-severity Notes for multiple SAP products and application servers.
The third re-released Note, 3495876 – Multiple vulnerabilities in SAP Replication Server (FOSS) – carries a CVSS score of 6.5.
OpenSSL and Spring Framework, two Free Open Source Software (FOSS) libraries shipped with SAP Replication Server, have been found to have multiple vulnerabilities (CVE-2023-0215, CVE-2022-0778, and CVE-2023-0286). Since SAP Replication Server does not use the vulnerable functionality of these libraries, it is itself unaffected. Nevertheless, the vulnerable library versions could expose the installation environment.
Note 3488341 – Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) – with a CVSS score of 6.5 – can have a substantial impact on system integrity and availability.
A function module in the outdated Tobin interface of SAP Production and Revenue Accounting performs insufficient authorization checks for calling users, which permits unauthorized access and could result in the disclosure of highly sensitive data.
The last Note to highlight is the S/4HANA security Patch Note 3497347 – Cross-Site Scripting (XSS) in eProcurement on S/4HANA – with a CVSS score of 6.1.
eProcurement on SAP S/4HANA permits malicious scripts to be executed in the application due to inadequate encoding of user-controlled inputs, which may result in a Reflected Cross-Site Scripting (XSS) vulnerability. The application's availability is unaffected, although its confidentiality and integrity may be slightly impacted.
We will stay in touch to inform you of the latest and most significant security Notes that SAP will release this fall.
Stay safe!
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BI-BIP-INV | 3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
CEC-COM-CPS-COR | 3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | high | 7.4 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N |
BC-SYB-REP | 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:H |
IS-OIL-PRA-REV-OW | 3488341 | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
MM-PUR-SSP | 3497347 | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CA-GTF-PCF | 3501359 | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
CEC-SCC-PLA-PL | 3430336 | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud | medium | 5.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N |
BI-RA-WBI-BE | 3425287 | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform | medium | 5.8 | CVSS:/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:N |
BC-DWB-SEM | 3488039 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:L |
BC-JAS-SEC-LGN | 3505503 | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) | medium | 4.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N |
BC-PIN-PCD | 3498221 | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | medium | 4.7 | CVSS:/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N |
BW-BEX-ET-WB-7X | 3481992 | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
BW-BEX-ET-WB-7X | 3481588 | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
FI-LOC-SRF-RUN | 3437585 | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
IS-OIL-DS-TD | 3505293 | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
IS-HER-CM | 2256627 | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:L/A:N |
BC-DWB-TOO-ABA | 3496410 | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | low | 2.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
BC-ABA-LA | 3507252 | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | low | 2.0 | CVSS:3.0/AV:N/AC:H/PR:H/UI:R/S:U/C:L/I:N/A:N |