The July SAP Security Patch Day brought further significant security updates aimed at protecting SAP systems against new threats and vulnerabilities. This month SAP published a series of security notes covering various products and modules. Below we present the most important of them.
Key security notes
- CVE-2024-39592: Missing authorisation check in SAP PDCE. The CVSS rating is 7.7, and the issue affects the FIN-BA module. This update is key to preventing unauthorised access to data.
- CVE-2024-39597: Improper authorisation checks on early login to SAP Commerce. The CVSS rating is 7.2. It affects both the public cloud and on-premise versions of SAP Commerce. It is important to apply the appropriate remediation steps depending on the version.
- CVE-2024-34683: Unrestricted file upload in SAP Document Builder. The CVSS rating is 6.5. The update is key to protecting against the potential injection of malicious code by users.
- CVE-2024-34685: Cross-site scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor. The CVSS rating is 6.1. The update is necessary to prevent XSS attacks.
- CVE-2024-37180: Information disclosure in SAP NetWeaver Application Server for ABAP and the ABAP Platform. The CVSS rating is 4.1. This update helps protect confidential information against unauthorised access.
SNOK recommendations
In line with our best practices, we recommend the following actions to secure your SAP systems:
- Regular security audits: We recommend regularly conducting security audits of SAP systems to detect and eliminate potential weaknesses at an early stage.
- Rapid implementation of updates: Urgent deployment of all the security updates listed above is key to protection against threats. Make sure your IT team stays up to date with the latest security notes and implements them promptly.
- Training for IT teams: Regular training sessions and webinars for IT teams will help them better understand new threats and neutralise them effectively. SNOK offers specialist training tailored to your organisation’s individual needs.
- Implementation of monitoring tools: Using advanced tools for monitoring and managing security, such as SAP Solution Manager, can significantly improve the security of your SAP infrastructure.
- Ongoing cooperation with experts: Working with experienced security consultants, such as SNOK’s experts, provides access to the latest solutions and best practices in SAP security.
Summary
The July SAP Security Patch Day brings key updates that are essential to protecting SAP systems against new vulnerabilities. Regular application of these updates, together with close cooperation with your IT team, can significantly increase the security and stability of SAP systems in your organisation. We encourage you to contact the SNOK team for help implementing these updates and further steps in SAP security.
| Note | CVE | Description | Priority | Released on | Components | Category | Severity | CVSS |
|---|---|---|---|---|---|---|---|---|
| 3483344 | CVE-2024-39592 | Missing Authorization check in SAP PDCE | Correction with high priority | 09.07.2024 | FIN-BA | Program error | High | 7.7 |
| 3490515 | CVE-2024-39597 | Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce | Correction with high priority | 09.07.2024 | CEC-SCC-COM-BC-CS | Program error | High | 7.2 |
| 3466801 | CVE-2024-39593 | Information Disclosure vulnerability in SAP Landscape Management | Correction with medium priority | 09.07.2024 | BC-VCM-LVM | Program error | Medium | 6.9 |
| 3459379 | CVE-2024-34683 | Unrestricted file upload in SAP Document Builder (HTTP service) | Correction with medium priority | 11.06.2024 | CA-GTF-DOB | Program error | Medium | 6.5 |
| 3468681 | CVE-2024-34685 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor | Correction with medium priority | 09.07.2024 | EP-PIN-WPC-WCM | Program error | Medium | 6.1 |
| 3482217 | CVE-2024-39594 | Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation | Correction with medium priority | 09.07.2024 | BW-PLA-BPS | Program error | Medium | 6.1 |
| 3467377 | Multiple CVEs | Multiple vulnerabilities in SAP CRM (WebClient UI) | Correction with medium priority | 09.07.2024 | CA-WUI-UI | Program error | Medium | 6.1 |
| 3457354 | CVE-2024-37172 | Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management) | Correction with medium priority | 09.07.2024 | FIN-FSCM-PF-IHB | Program error | Medium | 5.4 |
| 3483993 | CVE-2024-34689 | Prerequisite for Security Note 3458789 | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Program error | Medium | 5.0 |
| 3485805 | CVE-2024-34689 | Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services) | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Upgrade information | Medium | 5.0 |
| 3469958 | CVE-2024-37171 | Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal) | Correction with medium priority | 09.07.2024 | TM-CP | Program error | Medium | 5.0 |
| 3461110 | CVE-2024-39600 | Information Disclosure vulnerability in SAP GUI for Windows | Correction with medium priority | 09.07.2024 | BC-FES-GUI | Program error | Medium | 5.0 |
| 3458789 | CVE-2024-34689 | Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) | Correction with medium priority | 09.07.2024 | BC-BMT-WFM | Program error | Medium | 5.0 |
| 3456952 | CVE-2024-39599 | Protection Mechanism Failure in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 09.07.2024 | BC-MID-ICF | Program error | Medium | 4.7 |
| 3476348 | CVE-2024-39596 | Missing Authorization check vulnerability in SAP Enable Now | Correction with medium priority | 09.07.2024 | KM-SEN-MGR | Upgrade information | Medium | 4.3 |
| 3101986 | (none) | Prepare CSP support for On-Premise down port for code dependency in SAP CRM WebClient UI | Correction with medium priority | 12.04.2022 | CA-WUI-UI | Program error | Medium | 4.1 |
| 3454858 | CVE-2024-37180 | Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | Correction with medium priority | 09.07.2024 | BC-SRV-DX-DXW | Program error | Medium | 4.1 |
| 3476340 | CVE-2024-34692 | Unrestricted File upload vulnerability in SAP Enable Now | Correction with low priority | 09.07.2024 | KM-SEN-MGR | Upgrade information | Low | 3.3 |
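Patching strictly by CVSS can miss a dependency the list above carries: note 3483993 is a prerequisite for 3458789, so it has to be deployed first even though both score 5.0. The following added Python example, which is not part of the original post or of any SNOK tooling, parses rows in the flattened "Note ... Severity CVSS" layout into records and produces a deployment order that keeps prerequisites ahead of the notes that need them; the four sample rows are copied from the table, and the regular expression assumes the row layout exactly as printed here.

```python
import re
from typing import Dict, List

# Constructed sample: four rows copied from the table above in its flattened
# layout (the full list has 18 rows; any row in the same layout will parse).
ROWS = """\
3483344 [CVE-2024-39592] Missing Authorization check in SAP PDCE Priority: Correction with high priority Released on: 09.07.2024 Components: FIN-BA Category: Program error High 7.7
3483993 [CVE-2024-34689] Prerequisite for Security Note 3458789 Priority: Correction with medium priority Released on: 09.07.2024 Components: BC-BMT-WFM Category: Program error Medium 5.0
3458789 [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) Priority: Correction with medium priority Released on: 09.07.2024 Components: BC-BMT-WFM Category: Program error Medium 5.0
3476340 [CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now Priority: Correction with low priority Released on: 09.07.2024 Components: KM-SEN-MGR Category: Upgrade information Low 3.3
"""

# One flattened row: note number, optional [CVE], title, then the labelled
# fields, severity word and CVSS score. Assumes the layout shown on this page.
ROW_RE = re.compile(
    r"^(?P<note>\d{7}) (?:\[(?P<cve>[^\]]+)\] )?(?P<title>.+?) "
    r"Priority: (?P<priority>.+?) Released on: (?P<released>\d{2}\.\d{2}\.\d{4}) "
    r"Components: (?P<component>\S+) Category: (?P<category>.+?) "
    r"(?P<severity>High|Medium|Low) (?P<cvss>\d+\.\d)$"
)
PREREQ_RE = re.compile(r"Prerequisite for Security Note (\d{7})")


def parse_rows(text: str) -> List[Dict[str, str]]:
    """Turn each flattened table row into a dict; lines that do not match are skipped."""
    notes = []
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            notes.append(m.groupdict())
    return notes


def deployment_order(notes: List[Dict[str, str]]) -> List[str]:
    """Order note numbers by CVSS (highest first), but always emit a
    prerequisite note before the note that depends on it."""
    prereqs: Dict[str, List[str]] = {}  # dependent note -> its prerequisite notes
    for n in notes:
        m = PREREQ_RE.search(n["title"])
        if m:
            prereqs.setdefault(m.group(1), []).append(n["note"])
    ordered: List[str] = []

    def emit(note_id: str) -> None:
        for p in prereqs.get(note_id, []):
            emit(p)  # prerequisites first (the data has no cycles)
        if note_id not in ordered:
            ordered.append(note_id)

    for n in sorted(notes, key=lambda r: (-float(r["cvss"]), r["note"])):
        emit(n["note"])
    return ordered
```

Running `deployment_order(parse_rows(ROWS))` yields 3483344, 3483993, 3458789, 3476340: the prerequisite moves ahead of 3458789 although a plain sort by CVSS and note number would place it after.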