SAP has released seventeen new and updated security patches during its May 2024 SAP Security Patch Day.
SAP Security Patch Day is a monthly event where SAP releases security updates to address vulnerabilities in its software products. These patches are crucial for maintaining the security and integrity of SAP systems, which are widely used by organizations worldwide for managing critical business processes.
Among the patches released this month are three HotNews Notes and one High Priority Note, addressing critical vulnerabilities in various SAP applications. Thomas Fritsch, Manager of Content and Technical Research at Onapsis, provided an in-depth analysis of the most significant patches and their potential impact on SAP systems.
Critical Vulnerabilities Patched in SAP CX Commerce
One of the HotNews Notes, SAP Security Note #3455438, addresses two critical vulnerabilities in SAP Customer Experience (CX) Commerce. Fritsch explained that these vulnerabilities stem from external libraries used in SAP Commerce Cloud, namely the Swagger UI library (CVE-2019-17495) and the Apache Calcite Avatica library (CVE-2022-36364). The Swagger UI library vulnerability allows attackers to perform Relative Path Overwrite (RPO) techniques in CSS-based input fields, while the Apache Calcite Avatica library vulnerability could lead to remote code execution in rare cases.
To mitigate these risks, SAP has released Commerce Cloud Patch Release 2205.24, which contains the fixed versions of the affected libraries. SAP has assigned a CVSS score of 9.8 to SAP Security Note #3455438, indicating the severity of the vulnerabilities and the importance of applying the patch promptly.
File Upload Vulnerability in SAP NetWeaver Application Server
Another critical patch, SAP Security Note #3448171, addresses a File Upload vulnerability in the SAP NetWeaver Application Server ABAP and ABAP Platform. Fritsch shared that the Onapsis Research Labs (ORL) discovered a missing signature check for two content repositories, which could allow an unauthenticated attacker to upload a malicious file to the server. If a victim accesses this file, it could lead to a complete system compromise.
SAP has also provided a secure default configuration with the support packages mentioned in the note. However, because that secure default only takes effect on new installations, administrators of existing systems must still apply the manual configuration changes after upgrading to the respective support package level. SAP has assigned this vulnerability a CVSS score of 9.6, emphasizing its critical nature.
Cross-Site Scripting Vulnerabilities Addressed in SAP Security Patch Day
In addition to the HotNews Notes, SAP has released a High Priority Note, SAP Security Note #3431794, which addresses a Cross-Site Scripting vulnerability in the SAP BusinessObjects Business Intelligence Platform. Fritsch explained that insufficient user input sanitization allows attackers to manipulate a parameter in the OpenDocument URL, potentially impacting the application’s confidentiality and integrity. This vulnerability has been assigned a CVSS score of 8.1.
Fritsch also highlighted the contributions of the Onapsis Research Labs in supporting SAP in patching three vulnerabilities, including the critical File Upload vulnerability mentioned earlier. The ORL also helped fix two Cross-Site Scripting vulnerabilities, SAP Security Note #3460772 and SAP Security Note #3450286, both assigned a CVSS score of 6.1. These vulnerabilities affected SAP S/4HANA and SAP NetWeaver Application Server ABAP and ABAP Platform, respectively.
The May 2024 SAP Security Patch Day demonstrates SAP’s ongoing commitment to addressing security vulnerabilities in its software products. Seventeen security notes, including three HotNews Notes and one High Priority Note, have been released, and it is crucial for SAP customers to review and apply these patches promptly to maintain the security and integrity of their SAP systems.
Fritsch further emphasized the importance of collaboration between SAP and security research organizations like the Onapsis Research Labs in identifying and patching critical vulnerabilities. By working together, they can ensure that SAP systems remain secure and protected against potential threats.