SAP Security Patch Day in August 2024 has brought to light several critical updates and vulnerabilities, underscoring the importance of regular security maintenance in safeguarding enterprise software.
In the August 2024 release, SAP issued a total of 25 new and updated security notes. Among these, two were classified as HotNews Notes, indicating severe vulnerabilities requiring immediate attention, and four were tagged as High Priority Notes. These updates are vital for addressing weaknesses that could otherwise compromise the confidentiality, integrity, and availability of SAP systems.
One of the most notable vulnerabilities addressed in this patch is related to Node.js, which affects applications built with SAP Build Apps. Due to the exposure to CVE-2024-29415, SAP has recommended that all affected applications be rebuilt using SAP Build Apps version 4.11.130 or later. Failure to apply this update could leave applications vulnerable to serious security breaches.
August 2024 Security Notes in Detail
The August SAP Security Patch Day highlighted several significant vulnerabilities, including:
- SAP Security Note #3423268: This note, with a CVSS score of 7.8, addresses a vulnerability in SAP S/4HANA’s Manage Supply Protection feature, which uses the SheetJS library. The vulnerable versions of this library could expose the application to risks affecting its confidentiality, integrity, and availability. The update includes a patch to the latest version of SheetJS, which mitigates these risks.
- SAP Security Note #3460407: This High Priority note, with a CVSS score of 7.5, focuses on an information disclosure vulnerability in SAP NetWeaver AS Java’s Meta Model Repository. Initially released in June 2024, this note was updated to cover additional support package levels. The patch provided addresses the vulnerability by updating the MMR_SERVER component.
- SAP Security Note #3479478: This HotNews Note, rated with a CVSS score of 9.8, is particularly critical. It addresses a Denial of Service (DoS) vulnerability in SAP BusinessObjects Business Intelligence Platform. The flaw could allow unauthorized users to exploit a REST endpoint, fully compromising the system’s confidentiality, integrity, and availability.
- SAP Security Note #3477196: Another high-risk vulnerability was found in applications built with SAP Build Apps using a vulnerable Node.js library. With a CVSS score of 9.1, this note emphasizes the need for rebuilding applications to ensure security. The impact of not addressing this vulnerability could be severe, affecting both confidentiality and integrity.
Focus on SAP Security Patch Day
SAP Security Patch Day is an essential part of SAP’s ongoing commitment to maintaining the security of its software solutions. By regularly issuing security notes, SAP provides organizations with the necessary tools to protect their systems from potential threats. The August 2024 updates serve as a reminder of the critical role that timely patching plays in the overall security strategy of any organization using SAP software.
Onapsis Research Labs played a pivotal role in the August 2024 SAP Security Patch Day by assisting in the identification and remediation of several vulnerabilities. Their contributions include:
- SAP Security Note #3485284: This High Priority note, with a CVSS score of 8.2, addresses a vulnerability in SAP BEx Web Java Runtime Export Web Service. The vulnerability could allow an attacker to exhaust XMLForm services, rendering the SAP ADS system unavailable.
- SAP Security Note #3459935: This note, rated with a CVSS score of 7.4, patches vulnerable OCC API endpoints in SAP Commerce Cloud. The vulnerability allowed Personally Identifiable Information (PII) to be exposed in request URLs, creating a risk of data leakage.
- Other Contributions: Onapsis Research Labs also contributed to the patching of several other vulnerabilities, including issues in SAP Shared Service Framework, SAP CRM ABAP, SAP NetWeaver Application Server ABAP, and SAP Student Lifecycle Management.
The August 2024 SAP Security Patch Day has further reinforced the importance of keeping SAP systems up to date with the latest security patches. With 25 new and updated security notes, including critical updates for widely-used SAP solutions, organizations must prioritize these patches to maintain the security and integrity of their systems. Regular participation in SAP Security Patch Day also ensures that vulnerabilities are addressed promptly, reducing the risk of exploitation by malicious actors.