SAP’s February 2024 Security Patch Day addressed several critical and high-priority vulnerabilities across its product landscape, including a Hot News note for a code injection flaw. Key patches were released for SAP Application Basis (ABA), NetWeaver Application Server (AS) Java, SAP Cloud Connector, and SAP CRM. Administrators should prioritize the immediate application of these security notes to mitigate risks ranging from remote code execution to data theft.
This advisory summarizes the most critical vulnerabilities released by SAP in February 2024. The updates address a Hot News code injection vulnerability in SAP ABA, a high-risk Cross-Site Scripting (XSS) issue in the NetWeaver AS Java User Admin Application, and an XML External Entity (XXE) injection in the Guided Procedures component. Additional high-priority notes cover broken authentication in SAP Cloud Connector and another XSS flaw in SAP CRM, highlighting the need for prompt patching across diverse SAP environments.
Key Takeaways
- Hot News Note 3420923: Patches a critical code injection vulnerability in the SAP Application Basis (ABA) Web Survey component.
- High-Risk XSS Note 3417627: Addresses a Cross-Site Scripting flaw in the SAP NetWeaver AS Java User Admin Application.
- High-Risk XXE Note 3426111: Secures an XML parser against an XXE injection vulnerability in the Guided Procedures component of AS Java.
- Other Key Notes: Patches for broken authentication in SAP Cloud Connector (3424610) and XSS in SAP CRM (3410875) were also released.
- Immediate Action Required: Due to the high and critical severity of these vulnerabilities, organizations are strongly advised to apply the corresponding patches immediately.
What was the most critical vulnerability in February 2024?
The most critical issue was a Code Injection vulnerability in SAP Application Basis (ABA), addressed by Hot News note 3420923. This vulnerability, with a CVSS score of 9.1, affects the Web Survey component. An authenticated attacker with remote execution authorization could exploit a vulnerable interface to perform unapproved actions, potentially leading to a complete compromise of the system’s confidentiality, integrity, and availability. The patch secures the system by adjusting the SRFC authorization object to create a secure-by-default configuration. As a temporary workaround, SAP recommends reviewing and restricting remote calls to function modules of the CA-SUR group via the SRFC authorization object.
What high-risk vulnerabilities were patched in SAP NetWeaver?
SAP released patches for two high-risk vulnerabilities in the SAP NetWeaver Application Server (AS) Java.
- Note 3417627: This note addresses a Cross-Site Scripting (XSS) vulnerability in the User Admin Application of NetWeaver AS Java, which received a CVSS score of 8.8. The vulnerability allows an unauthenticated attacker to craft a URL with a malicious script in an improperly encoded parameter. Successful exploitation could lead to unauthorized access and data theft. It was noted that the fix provided in this note was later found to be incomplete, and SAP released a subsequent note (3557138) to fully address the issue.
- Note 3426111: This note patches an XML External Entity (XXE) injection vulnerability in the Guided Procedures component of AS Java, which could allow unauthenticated attackers to read sensitive files and data. The vulnerability is identified as CVE-2024-24743. The patch configures the XML parser securely to reject external entities. A workaround is available, which involves disabling the
caf-eu-gp-model-iforms-eapapplication in the NetWeaver Administrator.
What other significant vulnerabilities were addressed?
The February 2024 patch day also included important fixes for SAP Cloud Connector and SAP CRM.
| SAP Note | Component | Vulnerability Type | Description |
|---|---|---|---|
| 3424610 | SAP Cloud Connector | Improper Certificate Validation | Allows an attacker to impersonate genuine servers, breaking mutual authentication and enabling the interception of sensitive information. |
| 3410875 | SAP CRM (WebClient UI) | Cross-Site Scripting (XSS) | A vulnerability in the Print preview option allows an attacker to inject malicious scripts, potentially leading to unauthorized data disclosure and manipulation. |
Frequently Asked Questions (FAQ)
What is SAP Patch Day?
SAP Patch Day is the day each month (typically the second Tuesday) when SAP releases a set of security notes and patches to address vulnerabilities in its products.
What is a “Hot News” note?
A “Hot News” note is SAP’s highest priority classification for security patches, addressing critical vulnerabilities that pose a significant risk to customer systems. These notes typically have a CVSS score of 9.0 or higher.
Where can I find the official SAP Security Notes?
Official SAP Security Notes are available on the SAP Support Portal. Customers need to log in to access the full details and download the patches.