4 months ago
35
SAP information patches person been released for July 2024, bringing indispensable updates and fixes to assorted SAP solutions.
In July, SAP released eighteen caller and updated information patches, including 2 high-priority notes. Thomas Fritsch, Manager of Content and Technical Research astatine Onapsis, emphasizes the value of addressing these vulnerabilities promptly to guarantee strategy information and integrity.
The astir captious update this period is SAP Security Note #3483344, which addresses a Missing Authorization Check vulnerability successful SAP Product Design Cost Estimating (SAP PDCE), portion of the SAP Strategic Enterprise Management (SEM). This vulnerability, with a CVSS people of 7.7, allows a distant attacker to work generic array data, posing a important hazard to strategy confidentiality. The spot disables the susceptible relation module to mitigate this risk.
Another important spot is SAP Security Note #3490515, which fixes an Improper Authorization Check vulnerability successful SAP Commerce (both On-Premise and Public Cloud). This issue, with a CVSS people of 7.2, tin beryllium exploited done the forgotten password functionality, perchance allowing unauthorized entree to aboriginal login and registration sites. To mitigate this risk, SAP recommends disabling registration for affected isolated Composable Storefront B2B sites and each non-isolated Composable Storefront B2B sites if Early Login is enabled.
Onapsis Research Labs (ORL) played a important relation successful addressing 12 vulnerabilities crossed 10 SAP Security Notes. Notable contributions see the detection of respective Cross-Site Scripting (XSS) vulnerabilities successful SAP Business Warehouse (SAP BW), SAP NetWeaver Knowledge Management, and SAP CRM (WebClient UI).
SAP Security Note #3482217 addresses a Reflected XSS vulnerability (CVSS people 6.1) and a Stored XSS vulnerability (CVSS people 5.4) successful SAP BW Business Planning and Simulation. Both vulnerabilities person a debased interaction connected confidentiality and integrity, with nary effect connected availability.
Meanwhile, SAP Security Note #3468681 targets the XMLEditor successful SAP NetWeaver Knowledge Management, addressing a CVSS people 6.1 XSS vulnerability caused by insufficient encoding of user-controlled input. This spot prevents the execution of malicious scripts wrong the application.
On the different hand, SAP Security Note #3467377 is simply a broad enactment for SAP CRM (WebClient UI), patching 4 vulnerabilities, including 2 Reflected XSS vulnerabilities (CVSS people 6.1), a Server-Side Request Forgery (SSRF) vulnerability (CVSS people 5.0), and a Missing Authorization Check vulnerability (CVSS people 4.3).
Additional SAP Security Patches for July 2024
A Server-Side Request Forgery (SSRF) vulnerability successful SAP Business Workflow (WebFlow Services) was besides detected by ORL. This vulnerability, with a CVSS people of 5.0, allows authenticated attackers to enumerate accessible HTTP endpoints successful the interior web by crafting circumstantial HTTP requests. The spot includes 3 SAP Security Notes that indispensable beryllium applied successful series to instrumentality an allowlist for Callback-URLs, ensuring lone explicitly allowed URLs are processed.
Similarly, an SSRF vulnerability successful SAP Transportation Management (Collaboration Portal) is addressed by SAP Security Note #3469958 (CVSS people 5.0). The spot hardens the liable work handler to cull untrusted input, preventing crafted requests from triggering unintended work interactions.
SAP Security Note #3456952 addresses a Protection Mechanism Failure successful SAP NetWeaver Application Server for ABAP and ABAP Platform, tagged with a CVSS people of 4.7. This contented allows attackers to bypass microorganism scanning, perchance introducing viruses into the SAP landscape. The spot ensures the malware scanner API operates correctly to forestall specified bypasses.
Lastly, SAP Security Note #3454858 addresses an Information Disclosure vulnerability successful SAP NetWeaver Application Server for ABAP and ABAP Platform, with a CVSS people of 4.1. The spot restricts entree to directories, ensuring lone those defined successful transaction FILE tin beryllium accessed.
July 2024’s SAP Patch Day underscores the captious quality of timely information updates. With eighteen caller and updated information patches, including 2 high-priority notes, SAP besides continues to fortify its solutions against emerging threats. The contributions of Onapsis Research Labs item the collaborative efforts indispensable to support robust information successful SAP environments.
