SAP Security Patch Day – October 2024

As SAP administrators and security professionals gear up for the second Tuesday of October 2024, anticipation builds for the latest SAP Security Patch Day. This essential event focuses on delivering critical security updates to address a range of vulnerabilities across various SAP products and components. Maintaining a strong security posture in SAP environments remains paramount, and this month’s patches underscore the ongoing commitment to safeguarding enterprise systems.

This month, 8 new security notes have been released, addressing vulnerabilities with CVSS scores ranging up to 9.8, indicating high-priority issues. These vulnerabilities impact a diverse set of SAP products, including the BusinessObjects Business Intelligence Platform, SAP Commerce Backoffice, SAP Enterprise Project Connection, and more.

Among the most notable vulnerabilities this month are:

CVE-2024-41730 in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.8, representing a critical missing authentication check that could allow unauthorized access to system tokens.CVE-2024-37179 in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) with a CVSS score of 7.7, involving insecure file operations that permit authenticated users to download arbitrary files from the server.CVE-2022-23302 in SAP Enterprise Project Connection with a CVSS score of 8.0, related to multiple vulnerabilities in the Spring Framework and Log4j libraries.CVE-2024-45278 in SAP Commerce Backoffice with a CVSS score of 5.4, a Cross-Site Scripting (XSS) vulnerability that could compromise user sessions.CVE-2024-45283 in SAP NetWeaver AS for Java (Destination Service) with a CVSS score of 6.0, an information disclosure vulnerability allowing unauthorized access to sensitive data.

Top 5 Vulnerabilities This Month

CVE-2024-41730  SAP BusinessObjects Business Intelligence Platform

CVSS Score: 9.8Type: Missing Authentication CheckDescription: This critical vulnerability allows an unauthorized user to obtain a login token via a REST endpoint, potentially leading to full system compromise.Recommendation: Immediately apply the relevant patches and update the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files. Restart the application servers as instructed in the SAP Security Note.

CVE-2024-37179  SAP BusinessObjects Business Intelligence Platform (Web Intelligence)

CVSS Score: 7.7Type: Insecure File OperationsDescription: Authenticated users can exploit this vulnerability to download arbitrary files from the server, posing a significant risk to application confidentiality.Recommendation: Apply the provided patch and create a PersonalFile_AllowList.txt file in the specified configuration directory, listing only trusted folders for data access.

 

CVE-2022-23302  SAP Enterprise Project Connection

CVSS Score: 8.0Type: Multiple Vulnerabilities in Spring Framework and Log4jDescription: The use of vulnerable versions of Spring Framework and Log4j libraries could allow attackers to execute arbitrary code.Recommendation: Update the affected libraries to the secure versions as outlined in the SAP Security Note and apply all related patches.

 

CVE-2024-45278  SAP Commerce Backoffice

CVSS Score: 5.4Type: Cross-Site Scripting (XSS)Description: Insufficient encoding of user inputs in the Backoffice component allows attackers to inject malicious scripts, potentially compromising user sessions.Recommendation: Install the latest patches that enforce strict Content Security Policies (CSP) and ensure proper encoding of all user inputs.

 

CVE-2024-45283  SAP NetWeaver AS for Java (Destination Service)

CVSS Score: 6.0Type: Information DisclosureDescription: This vulnerability enables authorized attackers to access sensitive information, including usernames and passwords, when creating RFC destinations.Recommendation: Apply the security patches promptly and verify that all authorization settings are correctly configured to prevent unauthorized data access.

Complete Table of Patched Vulnerabilities

CVE Component Vulnerability Type CVSS

CVE-2024-41730SAP BusinessObjects Business Intelligence PlatformMissing Authentication Check9.8CVE-2024-37179SAP BusinessObjects BI Platform (Web Intelligence)Insecure File Operations7.7CVE-2022-23302SAP Enterprise Project ConnectionMultiple Vulnerabilities (Spring, Log4j)8.0CVE-2024-45278SAP Commerce BackofficeCross-Site Scripting (XSS)5.4CVE-2024-45283SAP NetWeaver AS for Java (Destination Service)Information Disclosure6.0CVE-2024-45277SAP HANA ClientPrototype Pollution4.3CVE-2024-47594SAP NetWeaver Enterprise Portal (KMC)Cross-Site Scripting (XSS)5.4CVE-2024-37180SAP NetWeaver AS for ABAP and ABAP PlatformInformation DisclosureN/A

Detailed Vulnerability Insights

1. CVE-2024-41730 – SAP BusinessObjects Business Intelligence Platform

CVSS Score: 9.8 (Critical)Description: An absence of authentication checks allows unauthorized users to obtain login tokens via a REST API, potentially leading to full system compromise. This poses severe risks to the confidentiality, integrity, and availability of sensitive data.Solution: Apply the relevant patches immediately. Additionally, configure the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files located in the installation directories for both Windows and Linux environments. Restart the Tomcat server to enforce changes.

2. CVE-2024-37179 – SAP BusinessObjects BI Platform (Web Intelligence)

CVSS Score: 7.7Description: This vulnerability allows authenticated users to download any file from the server hosting the Web Intelligence Reporting Server, severely impacting application confidentiality.Solution: Install the patch provided in the SAP Security Note. To further restrict access, create a PersonalFile_AllowList.txt file in the configuration directory, listing only approved directories from which data can be fetched.

3. CVE-2022-23302 – SAP Enterprise Project Connection

CVSS Score: 8.0Description: Multiple vulnerabilities in the Spring Framework and Log4j libraries used by SAP Enterprise Project Connection can be exploited to execute arbitrary code, compromising the application’s security.Solution: Upgrade to the latest secure versions of Spring Framework and Log4j as detailed in the SAP Security Note. Apply all associated patches to mitigate these vulnerabilities.

4. CVE-2024-45278 – SAP Commerce Backoffice

CVSS Score: 5.4Description: A Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice allows attackers to inject malicious scripts, which can compromise user sessions and data integrity.Solution: Apply the latest security patches that enforce strict Content Security Policies (CSP) to prevent script execution. Ensure all user inputs are properly encoded to eliminate XSS risks.

5. CVE-2024-45283 – SAP NetWeaver AS for Java (Destination Service)

CVSS Score: 6.0Description: This information disclosure vulnerability permits authorized attackers to access sensitive data, such as usernames and passwords, during the creation of RFC destinations.Solution: Implement the provided patches promptly. Additionally, verify and adjust authorization settings to ensure that only authorized personnel can access sensitive information.

 

For those looking to deepen their understanding of SAP security, I’m also recommending an original online SAP Security Course based on BlackHat SAP Security Training. This comprehensive course covers core concepts and security administration, providing valuable insights for SAP professionals. You can find it here https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/

 

​ As SAP administrators and security professionals gear up for the second Tuesday of October 2024, anticipation builds for the latest SAP Security Patch Day. This essential event focuses on delivering critical security updates to address a range of vulnerabilities across various SAP products and components. Maintaining a strong security posture in SAP environments remains paramount, and this month’s patches underscore the ongoing commitment to safeguarding enterprise systems.This month, 8 new security notes have been released, addressing vulnerabilities with CVSS scores ranging up to 9.8, indicating high-priority issues. These vulnerabilities impact a diverse set of SAP products, including the BusinessObjects Business Intelligence Platform, SAP Commerce Backoffice, SAP Enterprise Project Connection, and more.Among the most notable vulnerabilities this month are:CVE-2024-41730 in SAP BusinessObjects Business Intelligence Platform with a CVSS score of 9.8, representing a critical missing authentication check that could allow unauthorized access to system tokens.CVE-2024-37179 in SAP BusinessObjects Business Intelligence Platform (Web Intelligence) with a CVSS score of 7.7, involving insecure file operations that permit authenticated users to download arbitrary files from the server.CVE-2022-23302 in SAP Enterprise Project Connection with a CVSS score of 8.0, related to multiple vulnerabilities in the Spring Framework and Log4j libraries.CVE-2024-45278 in SAP Commerce Backoffice with a CVSS score of 5.4, a Cross-Site Scripting (XSS) vulnerability that could compromise user sessions.CVE-2024-45283 in SAP NetWeaver AS for Java (Destination Service) with a CVSS score of 6.0, an information disclosure vulnerability allowing unauthorized access to sensitive data.Top 5 Vulnerabilities This MonthCVE-2024-41730 – SAP BusinessObjects Business Intelligence PlatformCVSS Score: 9.8Type: Missing Authentication CheckDescription: This critical vulnerability allows an unauthorized user to obtain a login token via a REST endpoint, potentially leading to full system compromise.Recommendation: Immediately apply the relevant patches and update the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files. Restart the application servers as instructed in the SAP Security Note.CVE-2024-37179 – SAP BusinessObjects Business Intelligence Platform (Web Intelligence)CVSS Score: 7.7Type: Insecure File OperationsDescription: Authenticated users can exploit this vulnerability to download arbitrary files from the server, posing a significant risk to application confidentiality.Recommendation: Apply the provided patch and create a PersonalFile_AllowList.txt file in the specified configuration directory, listing only trusted folders for data access. CVE-2022-23302 – SAP Enterprise Project ConnectionCVSS Score: 8.0Type: Multiple Vulnerabilities in Spring Framework and Log4jDescription: The use of vulnerable versions of Spring Framework and Log4j libraries could allow attackers to execute arbitrary code.Recommendation: Update the affected libraries to the secure versions as outlined in the SAP Security Note and apply all related patches. CVE-2024-45278 – SAP Commerce BackofficeCVSS Score: 5.4Type: Cross-Site Scripting (XSS)Description: Insufficient encoding of user inputs in the Backoffice component allows attackers to inject malicious scripts, potentially compromising user sessions.Recommendation: Install the latest patches that enforce strict Content Security Policies (CSP) and ensure proper encoding of all user inputs. CVE-2024-45283 – SAP NetWeaver AS for Java (Destination Service)CVSS Score: 6.0Type: Information DisclosureDescription: This vulnerability enables authorized attackers to access sensitive information, including usernames and passwords, when creating RFC destinations.Recommendation: Apply the security patches promptly and verify that all authorization settings are correctly configured to prevent unauthorized data access.Complete Table of Patched VulnerabilitiesCVE Component Vulnerability Type CVSSCVE-2024-41730SAP BusinessObjects Business Intelligence PlatformMissing Authentication Check9.8CVE-2024-37179SAP BusinessObjects BI Platform (Web Intelligence)Insecure File Operations7.7CVE-2022-23302SAP Enterprise Project ConnectionMultiple Vulnerabilities (Spring, Log4j)8.0CVE-2024-45278SAP Commerce BackofficeCross-Site Scripting (XSS)5.4CVE-2024-45283SAP NetWeaver AS for Java (Destination Service)Information Disclosure6.0CVE-2024-45277SAP HANA ClientPrototype Pollution4.3CVE-2024-47594SAP NetWeaver Enterprise Portal (KMC)Cross-Site Scripting (XSS)5.4CVE-2024-37180SAP NetWeaver AS for ABAP and ABAP PlatformInformation DisclosureN/ADetailed Vulnerability Insights1. CVE-2024-41730 – SAP BusinessObjects Business Intelligence PlatformCVSS Score: 9.8 (Critical)Description: An absence of authentication checks allows unauthorized users to obtain login tokens via a REST API, potentially leading to full system compromise. This poses severe risks to the confidentiality, integrity, and availability of sensitive data.Solution: Apply the relevant patches immediately. Additionally, configure the Trusted_Auth_Shared_Secret property to Disabled in the specified configuration files located in the installation directories for both Windows and Linux environments. Restart the Tomcat server to enforce changes.2. CVE-2024-37179 – SAP BusinessObjects BI Platform (Web Intelligence)CVSS Score: 7.7Description: This vulnerability allows authenticated users to download any file from the server hosting the Web Intelligence Reporting Server, severely impacting application confidentiality.Solution: Install the patch provided in the SAP Security Note. To further restrict access, create a PersonalFile_AllowList.txt file in the configuration directory, listing only approved directories from which data can be fetched.3. CVE-2022-23302 – SAP Enterprise Project ConnectionCVSS Score: 8.0Description: Multiple vulnerabilities in the Spring Framework and Log4j libraries used by SAP Enterprise Project Connection can be exploited to execute arbitrary code, compromising the application’s security.Solution: Upgrade to the latest secure versions of Spring Framework and Log4j as detailed in the SAP Security Note. Apply all associated patches to mitigate these vulnerabilities.4. CVE-2024-45278 – SAP Commerce BackofficeCVSS Score: 5.4Description: A Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice allows attackers to inject malicious scripts, which can compromise user sessions and data integrity.Solution: Apply the latest security patches that enforce strict Content Security Policies (CSP) to prevent script execution. Ensure all user inputs are properly encoded to eliminate XSS risks.5. CVE-2024-45283 – SAP NetWeaver AS for Java (Destination Service)CVSS Score: 6.0Description: This information disclosure vulnerability permits authorized attackers to access sensitive data, such as usernames and passwords, during the creation of RFC destinations.Solution: Implement the provided patches promptly. Additionally, verify and adjust authorization settings to ensure that only authorized personnel can access sensitive information. For those looking to deepen their understanding of SAP security, I’m also recommending an original online SAP Security Course based on BlackHat SAP Security Training. This comprehensive course covers core concepts and security administration, providing valuable insights for SAP professionals. You can find it here https://www.udemy.com/course/sap-security-core-concepts-and-security-administration/   Read More Technology Blogs by Members articles 

#SAP

#SAPTechnologyblog

You May Also Like

More From Author