Safe Tuesday with SNOK: Key updates from the June SAP Patch Day

June brought us another set of security updates from SAP, covering 12 new and updated security notes. Below we present the most important information regarding these updates, which will help protect your SAP environment against the latest threats.

Cross-Site Scripting (XSS)

Three security notes relate to XSS vulnerabilities with varying severity levels (CVSS 6.1 - 8.1). These issues affect, among others, SAP Financial Consolidation and the WebClient UI in SAP CRM. Each of these vulnerabilities allows an attacker to inject malicious code, which can lead to compromise of the user’s interaction with the web application.

Denial-of-Service (DoS)

Two notes concern DoS-type vulnerabilities that could paralyse system operation by overloading it. They relate to SAP NetWeaver AS Java and to SAP NetWeaver and the ABAP platform, where a lack of adequate authorisation checks could allow the attack to be carried out.

Unauthorised file upload

One of the notes describes a vulnerability in SAP Document Builder that allows unauthorised file uploads. To secure the system, it is necessary to install the patch or configure appropriate antivirus profiles for specific MIME types.
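The mitigation above rests on one principle: an upload gate must decide on the file's actual content, not on the Content-Type the client declares. The following Python is an added illustration of that principle, not SAP's or SNOK's code; the allowlist and the sample files are constructed for the example.

```python
# Added example (not SAP code): accept an upload only when the declared MIME
# type is on the allowlist AND the file's leading bytes agree with that type.
from dataclasses import dataclass
from typing import Optional

# Constructed allowlist: permitted MIME types and the magic bytes each must
# begin with. A real deployment allows only what the application needs.
MAGIC_BY_MIME = {
    "application/pdf": [b"%PDF-"],
    "image/png": [b"\x89PNG\r\n\x1a\n"],
    "image/jpeg": [b"\xff\xd8\xff"],
    "application/zip": [b"PK\x03\x04"],
}


@dataclass
class UploadDecision:
    accepted: bool
    reason: str


def sniff_mime(data: bytes) -> Optional[str]:
    """Return the allowlisted MIME type whose magic bytes match, else None."""
    for mime, magics in MAGIC_BY_MIME.items():
        if any(data.startswith(m) for m in magics):
            return mime
    return None


def check_upload(declared_mime: str, data: bytes) -> UploadDecision:
    """Gate an upload: allowlisted declared type, and content that matches it."""
    # Strip parameters such as "; charset=binary" and normalise case.
    declared = declared_mime.split(";")[0].strip().lower()
    if declared not in MAGIC_BY_MIME:
        return UploadDecision(False, f"type not in allowlist: {declared}")
    sniffed = sniff_mime(data)
    if sniffed is None:
        return UploadDecision(False, "content matches no allowed type")
    if sniffed != declared:
        return UploadDecision(False, f"declared {declared} but content is {sniffed}")
    return UploadDecision(True, "ok")


if __name__ == "__main__":
    # Constructed samples: a genuine PDF header, then HTML labelled as a PDF.
    print(check_upload("application/pdf", b"%PDF-1.7\n%constructed"))
    print(check_upload("application/pdf", b"<html><body>constructed</body></html>"))
```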

Authorisation checks

Four notes concern missing authorisation checks across various SAP modules, such as S/4HANA, BW/4HANA, and SAP Student Life Cycle Management. These vulnerabilities could allow unauthorised access to data and system functions.

Information disclosure

Two notes concern the disclosure of sensitive information. These relate to SAP NetWeaver AS Java and the SAP BusinessObjects Business Intelligence Platform, where unauthorised access to data could lead to serious security breaches.

SNOK recommendations

We encourage the immediate application of available patches to minimise the risk of attacks. Security updates are a key element in protecting your SAP environment against new threats. It is also worth regularly monitoring the security status of your SAP systems and using patch management tools that provide a full overview and analysis of potential threats.

In the context of regular monitoring, we recommend using advanced solutions for continuous oversight and auditing of systems. Regular scanning and configuration assessment can detect potential vulnerabilities before they are exploited by cybercriminals.

Furthermore, do not forget about employee education - staff awareness of IT security is invaluable. Conducting regular training and phishing attack simulations can significantly reduce the risk of successful social engineering attacks.

Additionally, it is worth considering the implementation of endpoint detection and response (EDR) mechanisms, which allow for rapid response to identified threats. Combined with backup policies that enable quick data recovery in the event of a failure, this creates a comprehensive security strategy.

At SNOK we are ready to support our clients in implementing best practices and solutions in the field of SAP security. Our experience and advanced tools allow for effective risk management and ensuring the business continuity of your organisation.

Conclusion

The June SAP Security Patch Day updates are a key element of an IT security management strategy. Regularly updating systems and carefully analysing new security notes helps prevent potential attacks and protect organisational data. At SNOK we are ready to support our clients in implementing best practices and solutions in the field of SAP security.

Remember that cybersecurity is a continuous process. Stay up to date with the latest threats and respond quickly to emerging vulnerabilities. Together we can build a safer IT environment for your organisation.

If you have questions about the latest updates or need support in managing SAP security, get in touch with us. We are here to help!

| Note # | CVE | Title | Product and versions | Severity | CVSS |
|---|---|---|---|---|---|
| 3457592 | CVE-2024-37177 | Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | SAP Financial Consolidation, version FINANCE 1010 | High | 8.1 |
| 3460407 | CVE-2024-34688 | Denial of service (DoS) in SAP NetWeaver AS Java (Meta Model Repository) | SAP NetWeaver AS Java, version MMR_SERVER 7.5 | High | 7.5 |
| 3453170 | CVE-2024-33001 | Denial of service (DoS) in SAP NetWeaver and ABAP platform | SAP NetWeaver and ABAP platform, versions ST-PI 2008_1_700, 2008_1_710, 740 | Medium | 6.5 |
| 3459379 | CVE-2024-34683 | Unrestricted file upload in SAP Document Builder (HTTP service) | SAP Document Builder, versions S4CORE 100, 101; S4FND 102, 103, 104, 105, 106, 107, 108; SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3466175 | CVE-2024-34691 | Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files) | SAP S/4HANA (Manage Incoming Payment Files), versions S4CORE 102, 103, 104, 105, 106, 107, 108 | Medium | 6.5 |
| 3465129 | CVE-2024-34686 | Cross-Site Scripting (XSS) vulnerability in SAP CRM (WebClient UI) | SAP CRM WebClient UI, versions S4FND 102, 103, 104, 105, 106, 107; WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801 | Medium | 6.1 |
| 3450286 | CVE-2024-32733 | Update to Security Note released on May 2024 Patch Day: Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | SAP NetWeaver Application Server ABAP and ABAP Platform, versions SAP_BASIS 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 795, 796 | Medium | 6.1 |
| 3465455 | CVE-2024-37176 | Missing Authorization check in SAP BW/4HANA Transformation and DTP | SAP BW/4HANA Transformation and Data Transfer Process, versions DW4CORE 200, 300, 400, 796; SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.5 |
| 3457265 | CVE-2024-34690 | Missing Authorization check in SAP Student Life Cycle Management (SLcM) | SAP Student Life Cycle Management, versions IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808 | Medium | 5.4 |
| 3425571 | CVE-2024-28164 | Information Disclosure vulnerability in SAP NetWeaver AS Java (Guided Procedures) | SAP NetWeaver AS Java, version GP-CORE 7.5 | Medium | 5.3 |
| 2638217 | (none listed) | Update to Security Note released on June 2018 Patch Day: Switchable Authorization Checks in Central Finance Infrastructure Components | Central Finance Infrastructure Components, versions SAP_FIN 720, 730; SAPSCORE 114; S4CORE 100, 101, 102 | Low | 3.9 |
| 3441817 | CVE-2024-34684 | Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Scheduling) | SAP BusinessObjects Business Intelligence Platform, versions ENTERPRISE 420, 430, 440 | Low | 3.7 |

Topics: Safe Tuesday, SAP security, SAP S/4HANA