SAP Security Notes, August 2024

Inprosec, through services such as its SAP Security Assessment, helps customers improve the security level of their SAP systems.

August 2024 notes

Summary and highlights of the month

The total number of notes/patches was 25, 7 more than last month. There were 2 HotNews notes this month, 2 more than last month (which had none). The number of high-priority notes also increased compared to last month, to 4. As usual, we do not review the medium- and low-priority notes, but we give details of the 6 notes with a CVSS score of 7.0 or higher.

In total there were 25 notes for the month, all of them from Patch Tuesday: 17 new notes and 8 updates.

We will review in detail a total of 6 notes: the 2 HotNews notes and the 4 high-priority notes (3 new notes and 1 update), that is, all notes with a CVSS score of 7.0 or higher.

  1. The most critical note of the month (CVSS 9.8) is a HotNews note related to “Missing Authentication check in SAP BusinessObjects Business Intelligence Platform”.
  2. The next in criticality (CVSS 9.1) is the other HotNews note, related to “Server-Side Request Forgery vulnerability in applications built with SAP Build Apps”.
  3. The next in criticality (CVSS 8.2) is a high-priority note related to “XML injection in SAP BEx Web Java Runtime Export Web Service”.
  4. The next in criticality (CVSS 7.8, 7.5 and 7.4) are 3 high-priority notes related to “Prototype Pollution in SAP S/4 HANA”, “Denial of Service (DoS) in SAP NetWeaver AS Java (Meta Model Repository)” and “Information Disclosure Vulnerability in SAP Commerce Cloud”.
  5. This month, the most common vulnerability types are “Information Disclosure vulnerability in SAP” (5/25 on Patch Day) and “Missing Authorization check in SAP” (5/25 on Patch Day).

In the chart below, we can see the **classification of the notes for August**, as well as the evolution and classification over the previous 5 months (only the Patch Day / Security Tuesday notes published by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1. Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (3479478): In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On (SSO) is enabled for Enterprise authentication, an unauthorized attacker can obtain a logon token through a REST endpoint and use it to compromise the entire system. This severely affects confidentiality, integrity and availability. The fix is delivered in the patches for SBOP BI PLATFORM SERVERS 4.3 and the 2025 release. CVSS v3 Base Score: 9.8 / 10 [CVE-2024-41730].
  2. Server-Side Request Forgery vulnerability in applications built with SAP Build Apps (3477196): Applications built with SAP Build Apps are vulnerable to SSRF because they embed an outdated Node.js library (the ip package, which is what CVE-2024-29415 covers: some non-canonical spellings of internal addresses are classified as public). This puts confidentiality and integrity at risk but does not affect availability. The fix is to rebuild the application with SAP Build Apps version 4.11.130 or later. CVSS v3 Base Score: 9.1 / 10 [CVE-2024-29415].
  3. XML injection in SAP BEx Web Java Runtime Export Web Service (3485284): The BEx Web Java Runtime Export Web Service does not sufficiently validate XML documents from untrusted sources. An attacker can use this to read information from the SAP ADS system and to exhaust the XMLForm service, leaving PDF generation unavailable. This compromises the confidentiality and availability of the application. The fix is to apply the support packages and patches listed in the SAP security note. CVSS v3 Base Score: 8.2 / 10 [CVE-2024-42374].
  4. Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) (3423268): The Manage Supply Protection app in SAP S/4HANA embeds the SheetJS library, which in the affected versions can be exploited through a specially crafted file (prototype pollution), compromising the confidentiality, integrity and availability of the application. The vulnerability is fixed in the latest release, which updates the library to SheetJS CE 0.20.1; the update does not change the application's functionality. It is recommended to apply the remediation instructions or support packages listed in the SAP security note. CVSS v3 Base Score: 7.8 / 10 [CVE-2023-30533].
  5. Update – Denial of Service (DoS) in SAP NetWeaver AS Java (Meta Model Repository) (3460407): Because access to the Meta Model Repository services in SAP NetWeaver AS Java is unrestricted, attackers can perform DoS attacks that deny access to legitimate users. This severely affects availability, but not the confidentiality or integrity of the application. The code has been fixed and the application is now configured securely; apply the support packages and patches listed in the SAP note. CVSS v3 Base Score: 7.5 / 10 [CVE-2024-34688].
  6. Information Disclosure Vulnerability in SAP Commerce Cloud (3459935): Some OCC API endpoints in SAP Commerce Cloud accept sensitive personally identifiable information (PII) such as passwords, e-mail addresses and mobile numbers in the URL, where it can end up in access logs and other intermediaries, compromising the confidentiality and integrity of the application. SAP has addressed this by adding new API endpoints that carry the sensitive data in the request body and deprecating the old ones. Customers must update their client code to use the new endpoints. CVSS v3 Base Score: 7.4 / 10 [CVE-2024-33003].
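The bug class behind note 2, as an added example that is not SAP's code and not the code of the vulnerable Node.js package: an SSRF guard that decides whether a user-supplied host may be fetched. isPublicNaive only recognises private addresses written as canonical dotted quads, so other spellings of loopback are classed as public even though the HTTP client still connects to 127.0.0.1; isPublicStrict canonicalises first, unmaps IPv4-mapped IPv6 and fails closed. The blocked ranges and all addresses used are assumptions constructed for this example.

```javascript
// Added example, not SAP's code: a naive vs. a strict "may we fetch this host?"
// check for an outbound-request guard. All inputs are constructed test values.
const net = require("node:net");

// Ranges an internal-fetch guard should refuse: [network, prefix length].
// (Assumed list for the example; extend it for your own environment.)
const BLOCKED_V4 = [
  ["0.0.0.0", 8], ["10.0.0.0", 8], ["127.0.0.0", 8], ["169.254.0.0", 16],
  ["172.16.0.0", 12], ["192.168.0.0", 16],
];

function v4ToInt(octets) {
  return octets.reduce((acc, o) => acc * 256 + o, 0);
}

function v4Blocked(octets) {
  const n = v4ToInt(octets);
  return BLOCKED_V4.some(([network, prefix]) => {
    const mask = (0xffffffff << (32 - prefix)) >>> 0;
    const base = v4ToInt(network.split(".").map(Number));
    return ((n & mask) >>> 0) === ((base & mask) >>> 0);
  });
}

// Vulnerable shape: anything that is not a canonical dotted quad is treated as
// "not private", i.e. safe to fetch. "127.1", "0177.0.0.1", "2130706433" and
// "::ffff:127.0.0.1" all pass, yet all connect to loopback.
function isPublicNaive(host) {
  const m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return true;
  return !v4Blocked(m.slice(1).map(Number));
}

// Expand an IPv6 literal (hex groups with an optional "::") into eight 16-bit
// words; null if it is not well formed.
function expandV6(addr) {
  const halves = addr.split("::");
  if (halves.length > 2) return null;
  const words = (s) => (s === "" ? [] : s.split(":").map((w) => (/^[0-9a-f]{1,4}$/i.test(w) ? parseInt(w, 16) : NaN)));
  const head = words(halves[0]);
  const tail = halves.length === 2 ? words(halves[1]) : [];
  if ([...head, ...tail].some(Number.isNaN)) return null;
  const fill = 8 - head.length - tail.length;
  if (halves.length === 1 ? fill !== 0 : fill < 1) return null;
  return [...head, ...new Array(fill).fill(0), ...tail];
}

// Hardened: accept only canonical literals (net.isIPv4 rejects shorthand and
// leading-zero octets), check the IPv4 embedded in IPv4-mapped IPv6, and
// refuse everything else. A hostname must be resolved and the resolved
// address re-checked before connecting; it is not accepted here.
function isPublicStrict(host) {
  let a = host.trim().toLowerCase();
  if (a.startsWith("[") && a.endsWith("]")) a = a.slice(1, -1); // URL-style IPv6
  const mapped = /^::ffff:(\d+\.\d+\.\d+\.\d+)$/.exec(a);
  if (mapped) a = mapped[1];
  if (net.isIPv4(a)) return !v4Blocked(a.split(".").map(Number));
  if (!net.isIPv6(a)) return false;
  const w = expandV6(a);
  if (!w) return false;
  if (w.slice(0, 5).every((x) => x === 0) && w[5] === 0xffff) {
    // ::ffff:7f00:1 is 127.0.0.1 written in hex-mapped form
    return !v4Blocked([w[6] >> 8, w[6] & 0xff, w[7] >> 8, w[7] & 0xff]);
  }
  const loopbackOrUnspecified = w.slice(0, 7).every((x) => x === 0) && w[7] <= 1;
  const uniqueLocal = (w[0] & 0xfe00) === 0xfc00; // fc00::/7
  const linkLocal = (w[0] & 0xffc0) === 0xfe80;   // fe80::/10
  return !(loopbackOrUnspecified || uniqueLocal || linkLocal);
}

console.log(["127.1", "0177.0.0.1", "::ffff:127.0.0.1", "8.8.8.8"].map(
  (h) => `${h}: naive=${isPublicNaive(h)} strict=${isPublicStrict(h)}`).join("\n"));
```

The strict check is deliberately an allow-list: the decision is made on the same canonical form the socket layer will use, and any input it cannot canonicalise is refused rather than passed through. The same reasoning applies to the Build Apps fix, which is to rebuild with a version that ships the corrected library rather than to patch the check by hand.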
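The bug class behind note 4, as an added example that is not SAP's or SheetJS's code: a parser that copies attacker-controlled keys from a file into plain objects can write into Object.prototype, after which every object in the process inherits the attacker's values. deepMergeVulnerable shows the pattern; deepMergeSafe shows the fix. The crafted "file" is a constructed JSON document standing in for parsed spreadsheet metadata, and the key names are assumptions for the example.

```javascript
// Added example, not SAP's or SheetJS's code: prototype pollution through a
// recursive merge, and the hardened merge. The crafted input is constructed.
function isPlainObject(v) {
  return v !== null && typeof v === "object" && !Array.isArray(v);
}

// Vulnerable: "__proto__" is an own key of a JSON.parse result, and
// target["__proto__"] is Object.prototype, so the recursion writes into it.
function deepMergeVulnerable(target, source) {
  for (const key of Object.keys(source)) {
    const val = source[key];
    if (isPlainObject(val)) {
      if (!isPlainObject(target[key])) target[key] = {};
      deepMergeVulnerable(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

const FORBIDDEN_KEYS = new Set(["__proto__", "constructor", "prototype"]);

// Hardened: drop keys that reach the prototype chain, only descend into own
// properties of the target, and build nested containers with no prototype.
function deepMergeSafe(target, source) {
  for (const key of Object.keys(source)) {
    if (FORBIDDEN_KEYS.has(key)) continue;
    const val = source[key];
    if (isPlainObject(val)) {
      const own = Object.prototype.hasOwnProperty.call(target, key);
      if (!own || !isPlainObject(target[key])) target[key] = Object.create(null);
      deepMergeSafe(target[key], val);
    } else {
      target[key] = val;
    }
  }
  return target;
}

// Run both merges against the same crafted input and report what a fresh,
// unrelated object "sees" afterwards.
function demo() {
  const crafted = JSON.parse('{"sheet":"Sheet1","__proto__":{"isAdmin":true}}');
  const before = ({}).isAdmin;
  deepMergeVulnerable({}, crafted);
  const afterVulnerable = ({}).isAdmin;   // true: every object in the process is polluted
  delete Object.prototype.isAdmin;        // undo the pollution before the safe run
  const safe = deepMergeSafe({}, crafted);
  const afterSafe = ({}).isAdmin;         // undefined
  return { before, afterVulnerable, afterSafe, sheet: safe.sheet };
}

console.log(demo());
```

Where the parser cannot be changed, freezing Object.prototype at process start (Object.freeze(Object.prototype)) turns this class of write into a no-op or a TypeError in strict mode, at the cost of breaking any library that legitimately extends built-in prototypes.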
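A check for the exposure pattern in note 6, as an added example that is not SAP's code: data placed in a URL is written to web-server, proxy and WAF access logs and to browser history, unlike a request body. findPiiInUrls scans access-log lines for requests that carry credentials or PII in the query string, which lets a team find clients still calling the deprecated endpoints; redactQuery masks such values before a log line is stored or forwarded. The log lines, endpoint paths and the list of sensitive parameter names are constructed for this example and are not real OCC endpoints.

```javascript
// Added example, not SAP's code: find and redact PII carried in request URLs.
// Parameter names, paths and log lines below are constructed assumptions.
const SENSITIVE_PARAMS = new Set(["password", "pwd", "old", "new", "email", "mobile", "phone", "token"]);
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// A parameter is sensitive by name, or by value when the value is an e-mail address.
function isSensitive(name, rawValue) {
  if (SENSITIVE_PARAMS.has(name.toLowerCase())) return true;
  let value = rawValue;
  try { value = decodeURIComponent(rawValue.replace(/\+/g, " ")); } catch { /* keep undecodable value */ }
  return EMAIL_RE.test(value);
}

// Parse one Combined Log Format line into its method, path and query string.
function parseAccessLine(line) {
  const m = /"([A-Z]+) (\S+) HTTP\/[\d.]+"/.exec(line);
  if (!m) return null;
  const qi = m[2].indexOf("?");
  return {
    method: m[1],
    path: qi < 0 ? m[2] : m[2].slice(0, qi),
    query: qi < 0 ? "" : m[2].slice(qi + 1),
  };
}

// Detection: which requests put sensitive data in the URL, and under which names.
function findPiiInUrls(lines) {
  const hits = [];
  for (const line of lines) {
    const req = parseAccessLine(line);
    if (!req) continue;
    const params = [];
    for (const [name, value] of new URLSearchParams(req.query)) {
      if (isSensitive(name, value)) params.push(name);
    }
    if (params.length) hits.push({ method: req.method, path: req.path, params });
  }
  return hits;
}

// Mask sensitive query values in a raw log line, leaving everything else intact.
function redactQuery(line) {
  return line.replace(/([?&])([^=&\s"]+)=([^&\s"]*)/g, (whole, sep, name, value) =>
    isSensitive(name, value) ? `${sep}${name}=[REDACTED]` : whole);
}

// Constructed sample: a password change via query parameters (the pattern the
// note deprecates), the same call with the values moved into the body, a
// harmless search, and an e-mail address leaking through a generic parameter.
const SAMPLE_LOG = [
  '10.0.0.5 - - [13/Aug/2024:10:01:02 +0000] "PUT /occ/v2/site/users/current/password?old=Winter2023&new=Summer2024 HTTP/1.1" 200 12 "-" "curl/8.4"',
  '10.0.0.5 - - [13/Aug/2024:10:01:05 +0000] "PUT /occ/v2/site/users/current/password HTTP/1.1" 200 12 "-" "curl/8.4"',
  '10.0.0.9 - - [13/Aug/2024:10:02:11 +0000] "GET /occ/v2/site/products/search?query=laptop&pageSize=20 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [13/Aug/2024:10:03:40 +0000] "POST /occ/v2/site/forgottenpasswordtokens?userId=alice%40example.com HTTP/1.1" 202 0 "-" "Mozilla/5.0"',
];

console.log(findPiiInUrls(SAMPLE_LOG));
console.log(SAMPLE_LOG.map(redactQuery).join("\n"));
```

Redaction at the log pipeline is a stopgap: it does not remove the value from proxies and clients that saw the URL before it was logged, which is why the note's remediation is to move the data into the request body on both the server and every client.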

Reference links

Other references, from SAP and Onapsis (August):

Digital Library (sap.com)

SAP Patch Day: August 2024 – Onapsis


Resources affected

  • SAP BusinessObjects Business Intelligence Platform, Version – ENTERPRISE 430, 440
  • SAP Build Apps, Versions < 4.11.130
  • SAP BEx Web Java Runtime Export Web Service, Versions – BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5
  • SAP S/4 HANA, Library Versions – SheetJS CE < 0.19.3
  • SAP NetWeaver AS Java, Version – MMR_SERVER 7.5
  • SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211
  • SAP Landscape Management, Version – VCM 3.00
  • SAP Replication Server, Versions – 16.0.3, 16.0.4
  • SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748
  • SAP Shared Service Framework, Versions – SAP_BS_FND 702, 731, 746, 747, 748
  • SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93
  • SAP Business Warehouse – Business Planning and Simulation, Versions – SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701
  • SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758
  • SAP Commerce Backoffice, Version – HY_COM 2205
  • SAP Commerce, Versions – HY_COM 2205, COM_CLOUD 2211
  • SAP CRM ABAP (Insights Management), Versions – BBPCRM 700, 701, 702, 712, 713, 714
  • SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • SAP NetWeaver Application Server ABAP, Versions – SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912
  • SAP Bank Account Management (Manage Banks), Versions – 800, 900
  • SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440
  • SAP Permit to Work, Versions – UIS4HOP1 800, 900
  • SAP Document Builder, Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, SAP_BS_FND 702, SAP_BS_FND 731, SAP_BS_FND 746, SAP_BS_FND 747, SAP_BS_FND 748
  • SAP Student Life Cycle Management (SLcM), Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808
  • SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912
  • SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
