SAP security patches have been released for July 2024, bringing essential updates and fixes to various SAP solutions.
In July, SAP released eighteen new and updated security patches, including two high-priority notes. Thomas Fritsch, Manager of Content and Technical Research at Onapsis, emphasizes the importance of addressing these vulnerabilities promptly to ensure system security and integrity.
The most critical update this month is SAP Security Note #3483344, which addresses a Missing Authorization Check vulnerability in SAP Product Design Cost Estimating (SAP PDCE), part of the SAP Strategic Enterprise Management (SEM). This vulnerability, with a CVSS score of 7.7, allows a remote attacker to read generic table data, posing a significant risk to system confidentiality. The patch disables the vulnerable function module to mitigate this risk.
Another significant patch is SAP Security Note #3490515, which fixes an Improper Authorization Check vulnerability in SAP Commerce (both On-Premise and Public Cloud). This issue, with a CVSS score of 7.2, can be exploited through the forgotten password functionality, potentially allowing unauthorized access to early login and registration sites. To mitigate this risk, SAP recommends disabling registration for affected isolated Composable Storefront B2B sites and all non-isolated Composable Storefront B2B sites if Early Login is enabled.
Onapsis Research Labs (ORL) played a crucial role in addressing twelve vulnerabilities across ten SAP Security Notes. Notable contributions include the detection of several Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse (SAP BW), SAP NetWeaver Knowledge Management, and SAP CRM (WebClient UI).
SAP Security Note #3482217 addresses a Reflected XSS vulnerability (CVSS score 6.1) and a Stored XSS vulnerability (CVSS score 5.4) in SAP BW Business Planning and Simulation. Both vulnerabilities have a low impact on confidentiality and integrity, with no effect on availability.
Meanwhile, SAP Security Note #3468681 targets the XMLEditor in SAP NetWeaver Knowledge Management, addressing a CVSS score 6.1 XSS vulnerability caused by insufficient encoding of user-controlled input. This patch prevents the execution of malicious scripts within the application.
On the other hand, SAP Security Note #3467377 is a comprehensive note for SAP CRM (WebClient UI), patching four vulnerabilities, including two Reflected XSS vulnerabilities (CVSS score 6.1), a Server-Side Request Forgery (SSRF) vulnerability (CVSS score 5.0), and a Missing Authorization Check vulnerability (CVSS score 4.3).
Additional SAP Security Patches for July 2024
A Server-Side Request Forgery (SSRF) vulnerability in SAP Business Workflow (WebFlow Services) was also detected by ORL. This vulnerability, with a CVSS score of 5.0, allows authenticated attackers to enumerate accessible HTTP endpoints in the internal network by crafting specific HTTP requests. The patch includes three SAP Security Notes that must be applied in sequence to implement an allowlist for Callback-URLs, ensuring only explicitly allowed URLs are processed.
Similarly, an SSRF vulnerability in SAP Transportation Management (Collaboration Portal) is addressed by SAP Security Note #3469958 (CVSS score 5.0). The patch hardens the responsible service handler to reject untrusted input, preventing crafted requests from triggering unintended service interactions.
SAP Security Note #3456952 addresses a Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform, tagged with a CVSS score of 4.7. This issue allows attackers to bypass virus scanning, potentially introducing viruses into the SAP landscape. The patch ensures the malware scanner API operates correctly to prevent such bypasses.
Lastly, SAP Security Note #3454858 addresses an Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform, with a CVSS score of 4.1. The patch restricts access to directories, ensuring only those defined in transaction FILE can be accessed.
July 2024’s SAP Patch Day underscores the critical nature of timely security updates. With eighteen new and updated security patches, including two high-priority notes, SAP also continues to fortify its solutions against emerging threats. The contributions of Onapsis Research Labs highlight the collaborative efforts necessary to maintain robust security in SAP environments.