Notas de Seguridad SAP, Septiembre 2024

Inprosec a través de sus servicios, como el SAP Security Assessment, ayuda a sus clientes a mejorar los niveles de seguridad de sus sistemas SAP.

Notas septiembre 2024

Resumen y highlights del Mes

Tenemos un total de 19 notas para todo el mes (las 19 del patch Tuesday, 16 nuevas y 3 actualizaciones).

Revisaremos en detalle un total de 2 notas, la HotNews y la nota alta de este mes, que se tratan de 2 actualizaciones (aquellas de CVSS mayor o igual a 7)

1. La nota más crítica del mes (con CVSS 9,8) es una HotNew relacionada con « Missing Authentication check in SAP BusinessObjects Business Intelligence Platform”.
2. La siguiente en criticidad (CVSS 7,4) es otra nota alta relacionada con “Information Disclosure Vulnerability in SAP Commerce Cloud”.
3. Las siguientes en criticidad (CVSS 6,5) se tratan de 2 notas medias relacionadas con “Multiple vulnerabilities in SAP Replication Server (FOSS)” y “Missing Authorization check in SAP Production and Revenue Accounting (Tobin interface)”.
4. Este mes el tipo más predominante es relacionado con “Missing Authorization check in SAP” (6/19 en patch day).

En la gráfica podemos ver la clasificación de las notas de septiembre, además de la evolución y clasificación de los últimos 5 meses anteriores (solo las notas del Sec. Tuesday / Patch Day – by SAP):

Detalle completo

El detalle completo de las notas más relevantes es el siguiente (en inglés):

1.  Update – Missing Authentication check in SAP BusinessObjects Business Intelligence Platform (3479478): In SAP BusinessObjects Business Intelligence Platform, if Single Sign-On (SSO) is enabled in enterprise authentication, an unauthorized attacker can obtain a login token through a REST endpoint, which could compromise the entire system. This severely affects confidentiality, integrity and availability. The issue is fixed in the patches for SBOP BI PLATFORM SERVERS 4.3 and 2025 releases. CVSS v3 Base Score: 9,8 / 10 [CVE-2024-41730]
2.  Update – Information Disclosure Vulnerability in SAP Commerce Cloud (3459935): Some OCC API endpoints in SAP Commerce Cloud allow including sensitive personally identifiable information (PII) data such as passwords, emails, mobile numbers… in the URL, which can compromise the confidentiality and integrity of the application. SAP Commerce Cloud addresses the vulnerability by creating new OCC API endpoints, which transmit sensitive data only through the request body. Customers must update their code to use the new secure endpoints. CVSS v3 Base Score 7,4 / 10 [CVE-2024-33003].

Enlaces de referencia

Referencias, en inglés de SAP y Onapsis (septiembre):

Digital Library (sap.com)

SAP Patch Day: September 2024 – Onapsis

Recursos afectados

El listado completo de los sistemas/componentes afectados es el siguiente:

• SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 430, 440
• SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211
• SAP Replication Server, Versions – 16.0.3, 16.0.4
• SAP Production and Revenue Accounting (Tobin interface), Versions – S4CEXT 106, S4CEXT 107, S4CEXT 108, IS-PRA 605, IS-PRA 606, IS-PRA 616, IS-PRA 617, IS-PRA 618, IS-PRA 800, IS-PRA 801, IS-PRA 802, IS-PRA 803, IS-PRA 804, IS-PRA 805
• SAP S/4HANA eProcurement, Versions – SAP_APPL 606, SAP_APPL 617, SAP_APPL 618, S4CORE 102, S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108
• SAP NetWeaver Application Server for ABAP (CRM Blueprint Application Builder Panel), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 75C, 75D, 75E, 75F, 75G, 75H, 75I
• SAP NetWeaver AS for Java (Destination Service), Versions – 7.50
• SAP Commerce Cloud, Version – COM_CLOUD 2211
• SAP BusinessObjects Business Intelligence Platform, Version – 430
• SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912
• SAP NetWeaver AS Java (Logon Application), Version – 7.50
• SAP NetWeaver Enterprise Portal, Version – 7.50
• SAP Business Warehouse (BEx Analyzer), Versions – DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758
• SAP NetWeaver BW (BEx Analyzer), Versions – DW4CORE 200, DW4CORE 300, DW4CORE 400, SAP_BW 700, SAP_BW 701, SAP_BW 702, SAP_BW 731, SAP_BW 740, SAP_BW 750, SAP_BW 751, SAP_BW 752, SAP_BW 753, SAP_BW 754, SAP_BW 755, SAP_BW 756, SAP_BW 757, SAP_BW 758
• SAP S/4 HANA, Version – 900
• SAP for Oil & Gas, Versions – 600, 602, 603, 604, 605, 606, 617, 618, 800, 802, 803, 804, 805, 806, 807, 807
• SAP Student Life Cycle Management (SLcM), Versions – 617, 618, 800, 802, 803, 804, 805, 806, 807, 808
• SAP NetWeaver Application Server for ABAP and ABAP Platform, Version – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912
• SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 912