fbpx

SAP Patch Day: Securing Your Systems in April 2024

SAP-Patch.jpg

SAP Patch Day is a crucial event for organizations running SAP systems, as it brings essential security updates and fixes to protect against potential vulnerabilities. In April 2024, SAP released twelve new and updated Security Notes, including three High Priority Notes that address critical security issues. Let’s dive into the details of these updates and understand their significance in securing your SAP environment.

SAP Security Patch Days occur on the second Tuesday of every month, providing a regular cadence for addressing security vulnerabilities in SAP software. These patches are the result of collaboration between SAP’s security team and external researchers who identify and report potential security gaps. By promptly applying these patches, organizations can mitigate the risk of exploitation and ensure the integrity and confidentiality of their SAP systems.

High Priority Notes: Addressing Critical Vulnerabilities

Among the 12 Security Notes released in April 2024, three were classified as High Priority, indicating their critical nature and potential impact on SAP systems.

  1. Security Misconfiguration in SAP NetWeaver AS Java User Management Engine (UME) SAP Security Note #3434839, with a CVSS score of 8.8, addresses a security misconfiguration vulnerability in the SAP NetWeaver AS Java User Management Engine (UME). The issue lies in the ‘Self-Registration’ and ‘Modify your own profile’ features, which allow the use of simple, easily crackable passwords when enabled. Although these features are optional and disabled by default, Onapsis recommends implementing the patch regardless of their current configuration status. Failing to do so can lead to a high impact on system confidentiality and a low impact on integrity and availability.
  2. Information Disclosure in SAP BusinessObjects Web Intelligence SAP Security Note #3421384, with a CVSS score of 7.7, tackles an information disclosure vulnerability in SAP BusinessObjects Web Intelligence. The Excel Data Access Service lacks sufficient validation checks when uploading Excel files, potentially allowing malicious data to be read. Exploiting this vulnerability can have a high impact on system confidentiality.
  3. Directory Traversal in SAP Asset Accounting SAP Security Note #3438234, with a CVSS score of 7.2, resolves a directory traversal vulnerability in two programs of SAP Asset Accounting. While the patch disables the vulnerable program RAALTE00, it adds verification of path information against logical file names in the RAALTD01 report.

Onapsis Research Labs’ Contribution to April 2024 SAP Patch Day

The Onapsis Research Labs (ORL) played a vital role in collaborating with SAP to patch a Server-Side Request Forgery vulnerability in the tcesiespgrmgwshealthcheck~ear application of an SAP NetWeaver AS Java. Described in SAP Security Note #3425188 and assigned a CVSS score of 5.3, the vulnerability stems from insufficient input validation. This allows unauthenticated attackers to send crafted requests from a vulnerable web application, targeting internal systems behind firewalls that are typically inaccessible from the external network. The patch addresses this vulnerability, mitigating the low impact on application confidentiality.

Although the April 2024 SAP Patch Day had a relatively smaller number of Security Notes compared to previous months, it is crucial not to underestimate the importance of implementing these patches promptly. Organizations should also take advantage of this opportunity to review and apply any pending Security Notes from previous Patch Days to ensure a robust security posture.

Thomas Fritsch, Manager of Content and Technical Research at Onapsis, further emphasizes the significance of staying up to date with SAP security patches. By prioritizing patch implementation and regularly monitoring for new Security Notes, organizations can proactively protect their SAP systems against evolving threats.

Safeguarding Critical Business Data and Processes

SAP Patch Day in April 2024 serves as a reminder of the ongoing need for vigilance in securing SAP systems. By promptly implementing the released Security Notes, particularly the High Priority ones, organizations can mitigate the risk of exploitation and maintain the confidentiality, integrity, and availability of their SAP environments.

In an ever-evolving threat landscape, staying current with SAP security patches is not just a best practice but a necessity for safeguarding critical business data and processes. By treating SAP Patch Day as a top priority and allocating the necessary resources to implement the released Security Notes, organizations can ensure the ongoing security and stability of their SAP systems.

Share this post

submit to reddit
scroll to top