Notas de Seguridad SAP, Agosto 2024

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas agosto 2024

Resumen y highlights del Mes

El número total de notas/parches ha sido de 25, 7 más que el mes pasado. Este mes ha habido 2 HotNew, 2 más que el mes pasado. Por otro lado, cabe destacar que el número de notas de criticidad alta también aumenta con respecto al mes pasado: 4 en este mes. Como siempre dejaremos las notas medias y bajas sin revisar, pero daremos detalle de un total de 6 notas (todas las que tengan un CVSS de 7 o mayor).

Tenemos un total de 25 notas para todo el mes (las 25 del patch Tuesday, 17 nuevas y 8 actualizaciones).

Revisaremos en detalle un total de 6 notas, las 2 HotNews y las 4 notas altas de este mes, que se tratan de 3 notas nuevas y una actualización (aquellas de CVSS mayor o igual a 7).

  1. La nota más crítica del mes (con CVSS 9,8) es una HotNew relacionada con “ Missing Authentication check in SAP BusinessObjects Business Intelligence Platform”.
  2. La siguiente en criticidad (CVSS 9,1) es otra HotNew relacionada con “Server-Side Request Forgery vulnerability in applications built with SAP Build Apps”.
  3. La siguiente en criticidad (CVSS 8,2) es una nota alta relacionada con “XML injection in SAP BEx Web Java Runtime Export Web Service”.
  4. Las siguientes en criticidad (CVSS 7,8, 7,5 y 7,4) se tratan de 3 notas altas relacionadas con “Prototype Pollution in SAP S/4 HANA”, “Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository)” y “Information Disclosure Vulnerability in SAP Commerce Cloud”.
  5. Este mes el tipo más predominante es relacionado con “Information Disclosure vulnerability in SAP” (5/25 en patch day) y con “Missing Authorization check in SAP” (5/25 en patch day).

En la gráfica podemos ver la clasificación de las notas de agosto, además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

  1.  Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (3479478): In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On (SSO) is enabled in enterprise authentication, an unauthorized attacker can obtain a login token through a REST endpoint, which could compromise the entire system. This severely affects confidentiality, integrity and availability. The issue is fixed in the patches for SBOP BI PLATFORM SERVERS 4.3 and 2025 releases. CVSS v3 Base Score: 9,8 / 10 [CVE-2024-41730]
  2. Server-Side Request Forgery vulnerability in applications built with SAP Build Apps (3477196): SAP Build Apps is vulnerable due to the use of an old version of the Nodejs library, which puts confidentiality and integrity at risk, but does not affect availability. The solution is to rebuild the application with SAP Build Apps version 4.11.130 or later. CVSS v3 Base Score 9,1 / 10 [CVE-2024-29415].
  3. XML injection in SAP BEx Web Java Runtime Export Web Service (3485284): The BEx Web Java Runtime Export Web Service has insufficient validation of XML documents from untrusted sources, allowing an attacker to access information from the SAP ADS system and exhaust the XMLForm service, leaving PDF creation unavailable. This compromises the confidentiality and availability of the application. The solution is to apply the support packages and patches listed in the SAP security note. CVSS v3 Base Score 8,2 / 10 [CVE-2024-42374].
  4. Prototype Pollution in SAP S/4 HANA (Manage Supply Protection) (3423268): SAP S/4HANA (Manage Supply Protection app) uses the SheetJS library which is vulnerable because it reads specially crafted files, which could compromise the confidentiality, integrity and availability of the application. The vulnerability has been fixed in the latest release, which includes an update to SheetJS CE 0.20.1. This update does not affect the functionality of the application. It is recommended to implement the remediation instructions or support packages mentioned in the SAP security note. CVSS v3 Base Score 7,8 / 10 [CVE-2023-30533].
  5. Update – Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) (3460407): Due to the unrestricted access to the metamodel repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks, preventing access to legitimate users. This severely affects the availability, but not the confidentiality and integrity of the application. The code has been fixed and the application has been configured securely, so it is recommended to implement the support packages and patches mentioned in the SAP Note. CVSS v3 Base Score 7,5 / 10 [CVE-2024-34688].
  6. Information Disclosure Vulnerability in SAP Commerce Cloud (3459935): Some OCC API endpoints in SAP Commerce Cloud allow including sensitive personally identifiable information (PII) data such as passwords, emails, mobile numbers… in the URL, which can compromise the confidentiality and integrity of the application. SAP has addressed this by creating new API endpoints that handle sensitive data through the body of the request, deprecating the old ones. Customers must update their code to use the new secure endpoints. CVSS v3 Base Score 7,4 / 10 [CVE-2024-33003].

Enlaces de referencia

Referencias, en inglés de SAP y Onapsis (agosto):

Digital Library (sap.com)

SAP Patch Day: August 2024 – Onapsis

Recursos afectados

El listado completo de los sistemas/componentes afectados es el siguiente:

  • SAP BusinessObjects Business Intelligence Platform, Version – ENTERPRISE 430, 440
  • SAP Build Apps, Versions < 4.11.130
  • SAP BEx Web Java Runtime Export Web Service, Versions – BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5
  • SAP S/4 HANA, Library Versions – SheetJS CE < 0.19.3
  • SAP NetWeaver AS Java, Version – MMR_SERVER 7.5
  • SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211
  • SAP Landscape Management, Version – VCM 3.00
  • SAP Replication Server, Versions – 16.0.3, 16.0.4
  • SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748
  • SAP Shared Service Framework, Versions – SAP_BS_FND 702, 731, 746, 747, 748
  • SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93
  • SAP Business Warehouse – Business Planning and Simulation, Versions – SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701
  • SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758
  • SAP Commerce Backoffice, Version – HY_COM 2205
  • SAP Commerce, Versions – HY_COM 2205, COM_CLOUD 2211
  • SAP CRM ABAP (Insights Management), Versions – BBPCRM 700, 701, 702, 712, 713, 714
  • SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758
  • SAP NetWeaver Application Server ABAP, Versions – SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912
  • SAP Bank Account Management (Manage Banks), Versions – 800, 900
  • SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440
  • SAP Permit to Work, Versions – UIS4HOP1 800, 900
  • SAP Document Builder, Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, SAP_BS_FND 702, SAP_BS_FND 731, SAP_BS_FND 746, SAP_BS_FND 747, SAP_BS_FND 748
  • SAP Student Life Cycle Management (SLcM), Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808
  • SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912
  • SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

¿Te ha gustado?

¡Compártelo en redes sociales!

Deja una respuesta

Tu dirección de correo electrónico no será publicada. Los campos obligatorios están marcados con *

Rellena este campo
Rellena este campo
Por favor, introduce una dirección de correo electrónico válida.
Tienes que aprobar los términos para continuar

Categorías

Calendario de entradas

Nuestros servicios

keyboard_arrow_up