SAP Security Notes, June 2024

Inprosec, through services such as its SAP Security Assessment, helps customers improve the security level of their SAP systems.

June 2024 notes

Summary and highlights of the month

The total number of notes/patches this month is 13, 4 fewer than last month. There are no HotNews notes this month, unlike last month when there were 3. On the other hand, the number of high-priority notes has increased compared to last month, to 2. As always, we leave the medium and low notes unreviewed and detail only the 2 notes with a CVSS of 7 or higher.

We have a total of 13 notes for the whole month (all 13 from Patch Tuesday: 10 new and 3 updates).

We will review in detail a total of 2 notes: the 2 high-priority notes of this month (CVSS 7 or higher), both of which are new notes.

  1. The most critical note of the month (CVSS 8.1) is a new note on “Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation”.
  2. The next most critical (CVSS 7.5) is a high-priority note on “Denial of Service (DoS) in SAP NetWeaver AS Java (Meta Model Repository)”.
  3. Next in criticality (CVSS 6.5) are the medium notes on “Denial of Service (DoS) in SAP NetWeaver and ABAP platform”, “Unrestricted file upload in SAP Document Builder (HTTP service)” and “Missing Authorization check in SAP S/4HANA (Manage Incoming Payment Files)”.
  4. This month the predominant vulnerability type is “Missing Authorization check” (4 of the 13 patch-day notes).

In the graph we can see the classification of the June notes, as well as the evolution and classification of the last 5 months (only the notes from Security Tuesday / Patch Day, as published by SAP):

Full details

The complete detail of the most relevant notes is as follows:

  1.  Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation (3457592): this security note addresses two vulnerabilities in SAP Financial Consolidation. Reflected XSS: data from an untrusted source (a URL parameter) is reflected into the web application's response, which lets an attacker modify the page content and, if successfully exploited, has a significant impact on the confidentiality and integrity of the application. Stored XSS: SAP Financial Consolidation does not properly encode user input before rendering it, allowing persistent Cross-Site Scripting (XSS) attacks that affect the confidentiality of the application. With the fix, URL parameters are properly encoded to prevent XSS. It is recommended to implement the support packages and patches listed in the SAP Note. CVSS v3 Base Score: 8.1 / 10 [CVE-2024-37177]
  2.  Denial of Service (DoS) in SAP NetWeaver AS Java (Meta Model Repository) (3460407): due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, an attacker can perform a DoS attack that prevents legitimate users from accessing the application. This severely affects availability, but not the confidentiality or integrity of the application. The code has been fixed and the application is now configured securely; it is recommended to implement the support packages and patches listed in the SAP Note. CVSS v3 Base Score: 7.5 / 10 [CVE-2024-34688]
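The encoding fix described for note 3457592 is the standard remedy for both XSS variants: untrusted input is encoded for the context it lands in at render time. The following is an added example and not SAP's code or the Financial Consolidation fix; the page, the `user` parameter name, the `CommentStore` class and the payload are all constructed for illustration. It shows a reflected `user` URL parameter and a stored comment, each rendered once without encoding and once with context-specific encoding (HTML entity encoding for page text and attributes, percent-encoding for the URL query string).

```python
import html
from urllib.parse import parse_qs, quote

# Constructed payload; any HTML/JS works, this one just reads document.cookie.
PAYLOAD = "<script>alert(document.cookie)</script>"
# Constructed query string as a browser would send it (percent-encoded).
SAMPLE_QUERY = "user=" + quote(PAYLOAD, safe="")


def _user_param(query_string: str) -> str:
    """Extract the 'user' URL parameter (hypothetical parameter name)."""
    return parse_qs(query_string).get("user", [""])[0]


def render_reflected_vulnerable(query_string: str) -> str:
    """Reflected XSS: the raw parameter lands in HTML text and in a link."""
    user = _user_param(query_string)
    return (f"<h1>Report for {user}</h1>"
            f'<a href="/export?user={user}">Export</a>')


def render_reflected_hardened(query_string: str) -> str:
    """Same page with output encoding chosen per context."""
    user = _user_param(query_string)
    text_safe = html.escape(user, quote=True)  # HTML text / quoted attribute
    url_safe = quote(user, safe="")            # URL query-parameter value
    return (f"<h1>Report for {text_safe}</h1>"
            f'<a href="/export?user={url_safe}">Export</a>')


class CommentStore:
    """Stored XSS: input is saved as submitted; the fix is applied on output.

    Storing raw input is fine; what must never happen is rendering it raw.
    """

    def __init__(self) -> None:
        self._comments: list[str] = []

    def post(self, comment: str) -> None:
        self._comments.append(comment)

    def render_vulnerable(self) -> str:
        return "<ul>" + "".join(f"<li>{c}</li>" for c in self._comments) + "</ul>"

    def render_hardened(self) -> str:
        return "<ul>" + "".join(
            f"<li>{html.escape(c, quote=True)}</li>" for c in self._comments
        ) + "</ul>"


if __name__ == "__main__":
    print(render_reflected_vulnerable(SAMPLE_QUERY))
    print(render_reflected_hardened(SAMPLE_QUERY))
    store = CommentStore()
    store.post(PAYLOAD)
    print(store.render_vulnerable())
    print(store.render_hardened())
```

`html.escape` is correct only for HTML text and quoted attribute values; a value placed inside a `<script>` block, an event handler or a CSS property needs that context's encoder instead, and an encoder applied in the wrong context is how encoding fixes get bypassed. For SAP Financial Consolidation itself the remedy is the support packages in the note, not application-side code.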

Reference links

Other references, from SAP and Onapsis (June):

Digital Library (sap.com)

SAP Patch Day: June 2024 – Onapsis


Resources affected

  • SAP Financial Consolidation, Version – FINANCE 1010
  • SAP NetWeaver AS Java, Version – MMR_SERVER 7.5
  • SAP NetWeaver and ABAP platform, Versions – ST-PI 2008_1_700, 2008_1_710, 740
  • SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748
  • SAP S/4HANA (Manage Incoming Payment Files), Versions – S4CORE 102, 103, 104, 105, 106, 107, 108
  • SAP CRM WebClient UI, Versions – S4FND 102, 103, 104, 105, 106, 107, WEBCUIF 700, 701, 730, 731, 746, 747, 748, 800, 801
  • SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796
  • SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758
  • SAP Student Life Cycle Management, Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808
  • SAP NetWeaver AS Java, Version – GP-CORE 7.5
  • Central Finance Infrastructure Components, Versions – SAP_FIN 720, 730, SAPSCORE 114, S4CORE 100, 101, 102
  • SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440
  • SAP Bank Account Management, Versions – 100, 101, 102, 103, 104, 105, 106, 107, 108
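The list above is written for humans; to act on it across a landscape you want it in machine-readable form, matched against what each system actually runs. The following is an added example, not Inprosec's or SAP's tooling: it parses an excerpt of the list above (the product, component and release strings are copied from it; the inventory dict is constructed) into (component, release) pairs, attributing bare releases to the component named before them, and reports which installed components fall within an affected release. In practice the inventory would be collected per system from System > Status or the function module OCS_GET_INSTALLED_COMPS.

```python
import re

# Excerpt of the "Resources affected" list above (copied verbatim, en dash included).
AFFECTED_TEXT = """\
SAP Financial Consolidation, Version – FINANCE 1010
SAP NetWeaver AS Java, Version – MMR_SERVER 7.5
SAP NetWeaver and ABAP platform, Versions – ST-PI 2008_1_700, 2008_1_710, 740
SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748
SAP S/4HANA (Manage Incoming Payment Files), Versions – S4CORE 102, 103, 104, 105, 106, 107, 108
SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796
"""

# Constructed inventory: software component -> release, as collected per system
# (System > Status, or RFC OCS_GET_INSTALLED_COMPS). It mixes an ABAP and a
# Java component purely to exercise the matcher.
SAMPLE_INVENTORY = {
    "SAP_BASIS": "750",
    "S4CORE": "105",
    "S4FND": "105",
    "ST-PI": "2008_1_710",
    "MMR_SERVER": "7.5",
    "SAP_BS_FND": "700",
}

# "COMPONENT release" token, e.g. "SAP_BASIS 750" or "ST-PI 2008_1_700".
_COMP_RE = re.compile(r"^([A-Z][A-Z0-9_\-]*) (\S+)$")


def parse_affected(text: str) -> dict[tuple[str, str], list[str]]:
    """Map (component, release) -> list of affected products.

    A bare release ("101") belongs to the last component named on that line,
    so "S4CORE 100, 101, S4FND 102" yields S4CORE 100/101 and S4FND 102.
    """
    affected: dict[tuple[str, str], list[str]] = {}
    for line in text.splitlines():
        product, sep, releases = line.strip().partition(" – ")
        if not sep:
            continue  # not an affected-resource line
        product = re.sub(r",\s*Versions?$", "", product)
        component = None
        for token in releases.split(", "):
            m = _COMP_RE.match(token)
            if m:
                component, release = m.group(1), m.group(2)
            else:
                release = token
            # Lines with no component name (e.g. Bank Account Management above)
            # are keyed by product name instead.
            affected.setdefault((component or product, release), []).append(product)
    return affected


def check_system(affected, installed):
    """Return sorted (component, release, product) for installed releases in scope."""
    hits = []
    for (component, release), products in affected.items():
        if installed.get(component) == release:
            hits.extend((component, release, p) for p in products)
    return sorted(hits)


if __name__ == "__main__":
    in_scope = check_system(parse_affected(AFFECTED_TEXT), SAMPLE_INVENTORY)
    for component, release, product in in_scope:
        print(f"{component:12} {release:12} in scope: {product}")
```

A hit means the component release is inside the note's scope, not that the system is still vulnerable: SAP ships the fix in a specific support package or patch level per release, so the next step is to compare the SP level against the note and confirm implementation status (SNOTE for ABAP, the deployed patch level for Java) before closing the item. Release strings also need normalising to how the source system reports them before matching.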
