SAP Security Notes, July 2024

Inprosec, through services such as its SAP Security Assessment, helps its customers improve the security of their SAP systems.

July 2024 notes

Summary and highlights of the month

The total number of notes/patches this month is 18, 5 more than last month. As last month, there were no HotNews notes. The number of high-criticality notes is unchanged from last month: 2. As always, we leave the medium and low notes unreviewed and provide details of 2 notes (all those with a CVSS of 7 or higher).

We have a total of 18 notes for the whole month (all 18 from Patch Tuesday: 16 new and 2 updates).

We will review in detail a total of 2 notes, the 2 high notes of this month (those with a CVSS greater than or equal to 7), both of which are new notes.

  1. The most critical note of the month (CVSS 7.7) is a new note related to “Missing Authorization check in PDCE.”
  2. The next in criticality (CVSS 7.2) is a high note related to “Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce.”
  3. The next in criticality (CVSS 6.9) is a medium note related to “Information Disclosure vulnerability in SAP Landscape Management.”
  4. The next in criticality (CVSS 6.5 and 6.1) are medium notes related to “Unrestricted file upload in SAP Document Builder (HTTP service),” “Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor,” and “Multiple vulnerabilities in SAP.”
  5. This month, the most predominant types are “Information Disclosure vulnerability in SAP” (3/18 on Patch Day) and “Missing Authorization check” (3/18 on Patch Day).

In the graph, we can see the classification of the notes for July, in addition to the evolution and classification of the last 5 previous months (only the Sec. Tuesday / Patch Day notes – by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1. Missing Authorization check in PDCE (3483344): PDCE elements do not properly verify authorization for authenticated users, allowing privilege escalation. This allows an attacker to access sensitive information, severely affecting the confidentiality of the application. As a solution, the affected functions have been disabled to restrict access. It is recommended to implement the corresponding support package or follow the remediation instructions in the security note. CVSS v3 Base Score: 7.7 / 10 [CVE-2024-39592]
  2. Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce (3490515): In SAP Commerce, a user can abuse the “forgotten password” functionality to access a Composable Storefront B2B site with early login and registration, without needing approval from the merchant. If the site is not isolated, this can also give access to other non-isolated sites with early login, even if they do not have registration enabled. As a solution, SAP Commerce Cloud addresses this vulnerability by not sending password reset emails if the customer requesting a password reset has not been pre-approved by the merchant. To do so, a series of patches mentioned in the note must be installed. CVSS v3 Base Score: 7.2 / 10 [CVE-2024-39597]
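To make the control behind note 3490515 concrete, the following is an added illustration written for this post; it is not SAP Commerce code and not code from SAP or Inprosec. The `Customer`, `Site` and `request_reset_*` names and the `approved` flag are hypothetical. It contrasts a password-reset flow that mails a reset token to any known address with one that mails only accounts the merchant has pre-approved, and it answers unknown and unapproved addresses identically so the reply does not reveal which case applied.

```python
"""Added illustration of the mitigation described for SAP note 3490515
(CVE-2024-39597). Hypothetical names; not SAP's implementation."""
from dataclasses import dataclass, field
import secrets


@dataclass
class Customer:
    email: str
    approved: bool  # hypothetical merchant-approval flag for a B2B site


@dataclass
class Site:
    customers: dict                             # email -> Customer (constructed)
    sent: list = field(default_factory=list)    # (email, token) actually dispatched
    audit: list = field(default_factory=list)   # denied requests, for monitoring


def request_reset_vulnerable(site: Site, email: str) -> bool:
    """Pre-fix behaviour: every known address receives a reset token, so an
    account that self-registered on an early-login site can set a password
    and sign in before the merchant has approved it."""
    if email not in site.customers:
        return False
    site.sent.append((email, secrets.token_urlsafe(16)))
    return True


def request_reset_hardened(site: Site, email: str) -> bool:
    """Post-fix behaviour: a reset e-mail is sent only when the customer
    exists AND is pre-approved. Unknown and unapproved addresses take the
    same path and get the same result, and the denial is logged."""
    cust = site.customers.get(email)
    if cust is None or not cust.approved:
        site.audit.append(f"reset denied: {email}")
        return False
    site.sent.append((email, secrets.token_urlsafe(16)))
    return True


def reset_response(_sent: bool) -> str:
    """Message shown to the requester regardless of the outcome."""
    return "If the account exists and is approved, a reset e-mail has been sent."


def demo() -> dict:
    """Run both flows over a constructed customer table; report who got mail."""
    site = Site(customers={
        "buyer@approved.example": Customer("buyer@approved.example", approved=True),
        "new@pending.example": Customer("new@pending.example", approved=False),
    })
    out = {}
    for name, fn in (("vulnerable", request_reset_vulnerable),
                     ("hardened", request_reset_hardened)):
        site.sent.clear()
        site.audit.clear()
        for addr in ("buyer@approved.example", "new@pending.example",
                     "nobody@unknown.example"):
            fn(site, addr)
        out[name] = sorted(e for e, _ in site.sent)
    out["audit"] = list(site.audit)  # denials recorded by the hardened pass
    return out


if __name__ == "__main__":
    print(demo())
```

The denial log in the hardened path is the part worth keeping in a real deployment: a burst of reset requests for unapproved or unknown accounts on an early-login site is the signal a SOC would want to alert on after applying the patches from the note.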

Reference links

Other references, from SAP and Onapsis (July):

Digital Library (sap.com)

SAP Patch Day: July 2024 – Onapsis


Resources affected

  • Product – SAP PDCE, Versions – S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108
  • Product – SAP Commerce, Versions – HY_COM 2205, COM_CLOUD 2211
  • Product – SAP Landscape Management, Version – VCM 3.00
  • Product – SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748
  • Product – SAP NetWeaver Knowledge Management XMLEditor, Version – KMC-WPC 7.50
  • Product – SAP CRM WebClient UI, Versions – S4FND 102, 103, 104, 105, 106, 107, 108, WEBCUIF 701, 731, 746, 747, 748, 800, 801
  • Product – SAP Business Warehouse – Business Planning and Simulation, Versions – SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701
  • Product – SAP S/4HANA Finance (Advanced Payment Management), Versions – S4CORE 107, 108
  • Product – SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • Product – SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • Product – SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • Product – SAP GUI for Windows, Version – BC-FES-GUI 8
  • Product – SAP Transportation Management (Collaboration Portal), Versions – SAPTMUI 140, 150, 160, 170
  • Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796
  • Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704
  • Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • Product – SAP CRM WebClient UI, Version – S4FND 104
  • Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704
