SAP’s July 2024 security notes address several critical vulnerabilities, led by a high-risk missing authentication check in SAP S/4HANA. Also included are patches for a password misuse flaw in SAP Commerce, an information disclosure bug in SAP NetWeaver, and multiple cross-site scripting vulnerabilities.
Executive Summary
The July 2024 SAP Security Patch Day features several important updates, with the most critical being Note 3483344. This note resolves a high-risk missing authentication vulnerability in the S4CORE component of SAP S/4HANA, which could allow for privilege escalation. SAP has not provided a workaround, making the patch essential. Another significant issue is addressed in Note 3490515 for SAP Commerce, where a flaw in the forgotten password function could grant unauthorized access to B2B sites. Further patches address an information disclosure vulnerability in SAP NetWeaver AS ABAP (Note 3454858), a malware scan bypass (Note 3456952), and multiple cross-site scripting (XSS) issues in SAP Business Warehouse and SAP Knowledge Management (Notes 3482217 and 3468681). System administrators should prioritize the S/4HANA and SAP Commerce patches due to their potential impact.
Key Takeaways
- A high-risk authentication flaw in SAP S/4HANA (Note 3483344) requires immediate attention.
- SAP has not provided a workaround for the high-risk S/4HANA vulnerability.
- A password function in SAP Commerce (Note 3490515) can be misused to gain unauthorized site access.
- SAP NetWeaver AS ABAP received patches for information disclosure and malware scan bypass vulnerabilities.
- Cross-site scripting (XSS) flaws were fixed in SAP Business Warehouse and SAP Knowledge Management.
What is the most critical vulnerability in the July 2024 notes?
The most critical vulnerability is a high-risk missing authentication check in SAP Product Design Cost Estimation (PDCE), detailed in Note 3483344. This flaw, present in the S4CORE component of SAP S/4HANA, can be exploited to escalate privileges and read sensitive information. The correction deactivates the affected functions entirely. SAP has not provided a workaround for this issue, which applies to S4CORE versions 102-103 and S4COREOP versions 104-108.
How does the SAP Commerce password vulnerability work?
Note 3490515 patches a vulnerability in SAP Commerce that allows users to misuse the forgotten password functionality. This flaw enables an attacker to gain access to a Composable Storefront B2B site where early login and registration are activated, without needing prior approval. The issue is specific to B2B scenarios where both early login and registration are set to true and does not affect classic accelerator storefronts. A workaround is available in the note.
What other notable vulnerabilities were patched?
Several other important vulnerabilities were addressed in the July 2024 security notes.
- Information Disclosure (Note 3454858): A vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP) and ABAP Platform was patched. The update restricts file system access to prevent users from navigating to unauthorized directories.
- Malware Scan Bypass (Note 3456952): A patch for SAP NetWeaver AS ABAP and ABAP Platform prevents developers from bypassing malware scan configurations using specific API classes.
- Cross-Site Scripting (XSS): Note 3482217 and Note 3468681 address multiple XSS vulnerabilities in SAP Business Warehouse and SAP Knowledge Management, respectively.
Frequently Asked Questions (FAQ)
What is SAP Security Note 3483344?
It addresses a high-risk missing authentication vulnerability in the S4CORE component of SAP S/4HANA. The flaw could lead to privilege escalation and sensitive data exposure. The patch resolves the issue by deactivating the affected functions.
Is there a workaround for the S/4HANA vulnerability (Note 3483344)?
No, SAP has not provided a workaround for this vulnerability. Applying the correction included in the security note is the only way to remove the vulnerability.
Which SAP products are affected by the July 2024 security notes?
The key products affected include SAP S/4HANA, SAP Commerce, SAP NetWeaver Application Server ABAP, ABAP Platform, SAP Business Warehouse, and SAP Knowledge Management.