
Safe Tuesday with SNOK: Key updates from the April SAP Security Patch Day


On 9 April, another SAP Security Patch Day took place, bringing to light 10 new security notes and 2 updates to previously released notes. This month we focus on the details of these updates, which are of key importance for protecting SAP systems in your organisation.

Key updates

High severity

  • [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (CVSS: 8.8) - affects SAP NetWeaver AS Java User Management Engine in versions SERVERCORE 7.50, J2EE-APPS 7.50, UMEADMIN 7.50. This vulnerability could allow unauthorised access to sensitive data.

  • [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence (CVSS: 7.7) - affects versions 4.2 and 4.3. It allows unauthorised individuals to access protected information.

  • [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting (CVSS: 7.2) - affects multiple SAP_APPL and SAP_FIN versions. Attackers could exploit this vulnerability to gain access to system files outside the expected directory.

Medium severity

  • Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) (CVSS: 6.8) - affects versions older than 8.13.5. It could lead to denial of service (DoS) by triggering a stack overflow.

  • [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform (CVSS: 6.5) - affects a wide range of KERNEL versions. It allows attackers to disrupt normal system operation.

Why does this matter?

Regular security updates are essential to protect against potential attacks and data breaches. Understanding and responding quickly to new vulnerabilities is key to maintaining the stability and security of IT environments.

How can SNOK help?

At SNOK we offer support in responding quickly to new security vulnerabilities, thanks to our services in SAP BASIS, SAP analysis, and SAP cybersecurity. Our technical knowledge and experience enable us to provide comprehensive support in patching security vulnerabilities, ensuring peace of mind for our clients.

Summary

The April SAP Security Patch Day brought significant updates that require immediate attention. Thanks to our commitment to ensuring the highest level of protection, we help our clients maintain secure and stable SAP systems. Cybersecurity is a continuous process, requiring regular updates and vigilance.

If you need support in connection with the latest SAP security updates, get in touch with us. Together we will ensure your SAP environment remains secure and reliable.

Full list of notes (Note#, Title, Product and Versions, Severity, CVSS):

  • 3434839 - [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine. Product: SAP NetWeaver AS Java User Management Engine. Versions: SERVERCORE 7.50, J2EE-APPS 7.50, UMEADMIN 7.50. Severity: High. CVSS: 8.8.

  • 3421384 - [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence. Product: SAP BusinessObjects Web Intelligence. Versions: 4.2, 4.3. Severity: High. CVSS: 7.7.

  • 3438234 - [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting. Product: SAP Asset Accounting. Versions: SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_FIN 617, SAP_FIN 618, SAP_FIN 700. Severity: High. CVSS: 7.2.

  • 3442741 - Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL). Product: SAP Edge Integration Cell. Versions: older than 8.13.5. Severity: Medium. CVSS: 6.8.

  • 3359778 - [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform. Product: SAP NetWeaver AS ABAP and ABAP Platform. Versions: KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.93. Severity: Medium. CVSS: 6.5.

  • 3442378 - [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data). Product: SAP Group Reporting Data Collection (Enter Package Data). Versions: S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, SAP_GRDC_CLOUD 1.0.0. Severity: Medium. CVSS: 6.5.

  • 3164677 - Update to Security Note released on May 2022 Patch Day: [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service (Fiori My Leave Request). Product: SAP Employee Self Service (Fiori My Leave Request). Version: 605. Severity: Medium. CVSS: 6.5.

  • 3156972 - Update to Security Note released on August 2023 Patch Day: [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search). Product: SAP S/4HANA (Manage Catalog Items and Cross-Catalog search). Versions: S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106. Severity: Medium. CVSS: 6.1.

  • 3425188 - [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tcesiespgrmgwshealthcheck~ear). Product: SAP NetWeaver. Version: 7.50. Severity: Medium. CVSS: 5.3.

  • 3421453 - [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector. CVEs: CVE-2024-30214, CVE-2024-30215. Product: SAP Business Connector. Version: 4.8. Severity: Medium. CVSS: 4.8.

  • 3427178 - [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management). Product: SAP S/4 HANA (Cash Management). Versions: S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108. Severity: Medium. CVSS: 4.3.

  • 3430173 - [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management). Product: SAP S/4 HANA (Cash Management). Versions: S4CORE 106, S4CORE 107, S4CORE 108. Severity: Medium. CVSS: 4.3.

Topics: Safe Tuesday, SAP security, SAP S/4HANA
