SNOK, as a leading SAP consulting company, reports on the latest security updates for SAP systems. The monthly SAP Security Patch Day, which took place on 10 September 2024, brought significant changes that all SAP users should be aware of.
SAP published 16 new Security Notes and updated 3 previously released notes. These fixes address various security vulnerabilities across multiple SAP products and should be applied promptly to maintain the security of the SAP environment.
Key information
- Hot News: This month’s most important update concerns SAP BusinessObjects Business Intelligence Platform (Note #3479478). With a CVSS score of 9.8, this fix addresses a missing authentication check and is classified as Hot News. Users of this platform should pay immediate attention to it.
- High: An information disclosure vulnerability in SAP Commerce Cloud (Note #3459935) received a high-priority rating with a CVSS score of 7.4.
- Medium: Most of the fixes released this month fall into the medium priority category, with CVSS scores ranging from 4.3 to 6.5. These address various issues, including:
  - Cross-Site Scripting (XSS) vulnerabilities
  - Missing authorisation checks
  - Information disclosure vulnerabilities
  - A DLL hijacking vulnerability
Affected products: The SAP products affected by these updates are:
- SAP BusinessObjects Business Intelligence Platform
- SAP Commerce Cloud
- SAP S/4HANA
- SAP NetWeaver Application Server for ABAP and ABAP Platform
- SAP Business Warehouse (BW)
- SAP for Oil & Gas
- SAP Replication Server
- SAP Production and Revenue Accounting (Tobin interface)
- SAP NetWeaver Enterprise Portal
- SAP NetWeaver Application Server for Java
- SAP Student Life Cycle Management (SLcM)
- SAP NetWeaver AS Java (Logon Application)
| Note# | Title | Product and versions | Priority | CVSS |
|---|---|---|---|---|
| 3479478 | Update to Security Note released on August 2024 Patch Day: [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform, Versions ENTERPRISE 430, 440 | Hot News | 9.8 |
| 3459935 | Update to Security Note released on August 2024 Patch Day: [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, Versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | 7.4 |
| 3495876 | Update to Security Note released on August 2024 Patch Day: [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS); CVEs: CVE-2023-0215, CVE-2022-0778, CVE-2023-0286 | SAP Replication Server, Versions 16.0.3, 16.0.4 | Medium | 6.5 |
| 3488341 | [CVE-2024-45286] Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface) | SAP Production and Revenue Accounting (Tobin interface), Versions S4CEXT 106, S4CEXT 107, S4CEXT 108, IS-PRA 605, IS-PRA 606, IS-PRA 616, IS-PRA 617, IS-PRA 618, IS-PRA 800, IS-PRA 801, IS-PRA 802, IS-PRA 803, IS-PRA 804, IS-PRA 805 | Medium | 6.5 |
| 3497347 | [CVE-2024-42378] Cross-Site Scripting (XSS) in eProcurement on S/4HANA | SAP S/4HANA eProcurement, Versions SAP_APPL 606, SAP_APPL 617, SAP_APPL 618, S4CORE 102, S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108 | Medium | 6.1 |
| 3501359 | [CVE-2024-45279] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel) | SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), Versions 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I | Medium | 6.1 |
| 3477359 | [CVE-2024-45283] Information disclosure vulnerability in SAP NetWeaver AS for Java (Destination Service) | SAP NetWeaver AS for Java (Destination Service), Version 7.50 | Medium | 6.0 |
| 3430336 | [CVE-2013-3587] Information Disclosure vulnerability in SAP Commerce Cloud | SAP Commerce Cloud, Version COM_CLOUD 2211 | Medium | 5.9 |
| 3425287 | [CVE-2024-45281] DLL hijacking vulnerability in SAP BusinessObjects Business Intelligence Platform | SAP BusinessObjects Business Intelligence Platform, Version 430 | Medium | 5.8 |
| 3488039 | [Multiple CVEs] Multiple vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform; CVEs: CVE-2024-42371, CVE-2024-44117, CVE-2024-45285, CVE-2024-42380, CVE-2024-44115, CVE-2024-44116 | SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912 | Medium | 5.4 |
| 3505503 | [CVE-2024-45280] Cross-Site Scripting (XSS) Vulnerability in SAP NetWeaver AS Java (Logon Application) | SAP NetWeaver AS Java (Logon Application), Version 7.50 | Medium | 4.8 |
| 3498221 | [CVE-2024-44120] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | SAP NetWeaver Enterprise Portal, Version 7.50 | Medium | 4.7 |
| 3481992 | [CVE-2024-44113] Information Disclosure vulnerability in the SAP Business Warehouse (BEx Analyzer) | SAP Business Warehouse (BEx Analyzer), Versions DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758 | Medium | 4.3 |
| 3481588 | [CVE-2024-41729] Information Disclosure vulnerability in the SAP NetWeaver BW (BEx Analyzer) | SAP NetWeaver BW (BEx Analyzer), Versions DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758 | Medium | 4.3 |
| 3437585 | [CVE-2024-44121] Information Disclosure in SAP S/4 HANA (Statutory Reports) | SAP S/4 HANA, Version 900 | Medium | 4.3 |
| 3505293 | [CVE-2024-44112] Missing Authorization check in SAP for Oil & Gas (Transportation and Distribution) | SAP for Oil & Gas, Versions 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, 807 | Medium | 4.3 |
| 2256627 | [CVE-2024-45284] Missing authorization check in SAP Student Life Cycle Management (SLcM) | SAP Student Life Cycle Management (SLcM), Versions 617, 618, 800, 802, 803, 804, 805, 806, 807, 808 | Low | 2.7 |
| 3496410 | [CVE-2024-41728] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912 | Low | 2.7 |
| 3507252 | [CVE-2024-44114] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912 | Low | 2.0 |
Recommendations for SNOK clients
- Prioritise Updates: Focus first on applying fixes marked as Hot News and High Priority, particularly if you use SAP BusinessObjects BI Platform or SAP Commerce Cloud.
- Review Your Environment: Assess which of the affected products and versions are present in your SAP environment to determine which fixes are relevant to you.
- Plan Your Update Strategy: Develop a systematic approach to deploying these fixes, taking into account potential downtime or impact on the system.
- Test Before Production: Always test fixes in a non-production environment before applying them to production systems.
- Stay Up to Date: Regularly check the SAP Support Portal for the most current information on security fixes and best practices.
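The "Review Your Environment" and "Prioritise Updates" steps above amount to one mechanical check: intersect the list of software components installed in each system (component name plus release, e.g. S4CORE 107, as listed in transaction SAINT) with the affected versions in the note table, then order the hits Hot News first, then by CVSS. The following Python script is an added example that does exactly that; it is not SNOK's or SAP's code. The note data is a subset transcribed from the table above (rows whose versions are listed without a component name, the AS ABAP and AS Java rows, are deliberately left out rather than guessing the component), and the inventory at the bottom is constructed for the example.

```python
"""Patch Day triage helper: match an installed-component inventory against
the September 2024 SAP Security Notes above and rank the applicable notes.
Added example, not SNOK's or SAP's code."""
from dataclasses import dataclass
from typing import Iterable

# Lower rank patches first; labels exactly as SAP uses them in the note table.
PRIORITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class Note:
    number: str
    cves: tuple[str, ...]
    affected: frozenset[str]   # "COMPONENT RELEASE" strings, e.g. "S4CORE 107"
    priority: str
    cvss: float


def affected(component: str, *releases: str) -> frozenset[str]:
    """Expand ('SAP_BW', '750', '751') into {'SAP_BW 750', 'SAP_BW 751'}."""
    return frozenset(f"{component} {r}" for r in releases)


# Both BEx Analyzer notes list the same component releases.
BW_RELEASES = affected("DW4CORE", "200", "300", "400") | affected(
    "SAP_BW", "700", "701", "702", "731", "740", "750", "751", "752",
    "753", "754", "755", "756", "757", "758")

# Subset of the note table on this page (only rows that name the component).
NOTES = [
    Note("3479478", ("CVE-2024-41730",),
         affected("ENTERPRISE", "430", "440"), "Hot News", 9.8),
    Note("3459935", ("CVE-2024-33003",),
         affected("HY_COM", "1808", "1811", "1905", "2005", "2105", "2011", "2205")
         | affected("COM_CLOUD", "2211"), "High", 7.4),
    Note("3488341", ("CVE-2024-45286",),
         affected("S4CEXT", "106", "107", "108")
         | affected("IS-PRA", "605", "606", "616", "617", "618",
                    "800", "801", "802", "803", "804", "805"), "Medium", 6.5),
    Note("3497347", ("CVE-2024-42378",),
         affected("SAP_APPL", "606", "617", "618")
         | affected("S4CORE", "102", "103", "104", "105", "106", "107", "108"),
         "Medium", 6.1),
    Note("3430336", ("CVE-2013-3587",),
         affected("COM_CLOUD", "2211"), "Medium", 5.9),
    Note("3481992", ("CVE-2024-44113",), BW_RELEASES, "Medium", 4.3),
    Note("3481588", ("CVE-2024-41729",), BW_RELEASES, "Medium", 4.3),
]


def normalize(entry: str) -> str:
    """Canonicalise an inventory line: collapse whitespace, upper-case."""
    return " ".join(entry.split()).upper()


def triage(inventory: Iterable[str]) -> list[tuple[Note, list[str]]]:
    """Return (note, matched components) for every note that applies to the
    inventory, ordered Hot News > High > Medium > Low, then by CVSS descending,
    then by note number so the output is stable."""
    installed = {normalize(e) for e in inventory}
    hits = []
    for note in NOTES:
        matched = sorted(installed & note.affected)
        if matched:
            hits.append((note, matched))
    hits.sort(key=lambda h: (PRIORITY_RANK[h[0].priority], -h[0].cvss, h[0].number))
    return hits


def report(inventory: Iterable[str]) -> list[str]:
    """One human-readable line per applicable note."""
    return [
        f"{note.priority:<8} CVSS {note.cvss:<4} Note {note.number} "
        f"({', '.join(note.cves)}) -> {', '.join(matched)}"
        for note, matched in triage(inventory)
    ]


# Constructed example inventory for one landscape; not a real system.
SAMPLE_INVENTORY = [
    "SAP_BASIS 757", "s4core  107", "SAP_BW 750", "COM_CLOUD 2211", "ENTERPRISE 430",
]

if __name__ == "__main__":
    for line in report(SAMPLE_INVENTORY):
        print(line)
```

On the sample inventory the script lists six applicable notes (the Hot News BI Platform note first, then the Commerce Cloud note, then the Medium notes in CVSS order) and correctly skips the Tobin interface note, since no S4CEXT or IS-PRA component is installed. The SAP_BASIS entry produces no hit only because the AS ABAP rows were left out of the data; in a real run, add those rows with the component name taken from the SAP Note itself.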
How SNOK can help
Our team of SAP security experts at SNOK is ready to help you:
- Analyse the impact of these security fixes on your specific SAP environment
- Develop and implement an update strategy tailored to your organisation’s needs
- Provide ongoing support to keep your SAP systems secure and up to date
Do not let security gaps expose your business to risk. Contact SNOK today to ensure your SAP systems are protected with the latest security updates.
Security in the world of SAP is not a destination to be reached, but a path we continually walk. Every update, every safeguard is another step on that path. SNOK is ready to be your guide - offering not only expertise, but also experience in navigating the complexities of SAP security. Together, we can stay ahead of threats rather than merely reacting to them. Let us take this step towards a more secure SAP environment today.