SAP’s April 2024 Security Patch Day addressed 10 new security notes, including three high-priority vulnerabilities. The most critical note, 3434839, tackles a security misconfiguration in SAP NetWeaver AS Java that could allow for weak passwords. Other significant patches address an information disclosure flaw in SAP BusinessObjects and a directory traversal vulnerability in SAP Asset Accounting.
Executive Summary
SAP’s security updates for April 2024 featured three high-priority notes that require attention from administrators. The most severe is a misconfiguration in the User Management Engine (UME) of SAP NetWeaver AS Java (Note 3434839), where user self-registration processes failed to enforce password complexity rules. Another high-priority issue (Note 3421384) was an information disclosure vulnerability in SAP BusinessObjects Web Intelligence, which could allow attackers to access sensitive OS information by exploiting how Excel files are processed. The third high-priority note (3438234) addressed a directory traversal vulnerability in SAP Asset Accounting, caused by insufficient validation of path information. SAP has released patches for all vulnerabilities and provided temporary workarounds, such as disabling certain features or applying specific authorization controls, for organizations unable to patch immediately.
Key Takeaways
- A high-priority misconfiguration in SAP NetWeaver AS Java allowed weak passwords.
- An information disclosure flaw in SAP BusinessObjects exposed sensitive OS data.
- A directory traversal vulnerability was patched in SAP Asset Accounting.
- SAP released patches and workarounds for all major vulnerabilities.
- A total of 10 new security notes were released in April 2024.
What Were the High-Priority SAP Security Notes for April 2024?
The April 2024 SAP Patch Day included three high-priority notes addressing vulnerabilities in NetWeaver AS Java, BusinessObjects, and Asset Accounting. The most critical, with a CVSS score of 8.8, was a security misconfiguration in the User Management Engine.
| Note | Title | Vulnerability Type | Affected Product(s) | Priority |
|---|---|---|---|---|
| 3434839 | Security Misconfiguration in User Management Engine | Security Misconfiguration | SAP NetWeaver AS Java 7.50 | High |
| 3421384 | Information Disclosure in Web Intelligence | Information Disclosure | SAP BusinessObjects Business Intelligence | High |
| 3438234 | Directory Traversal in SAP Asset Accounting | Directory Traversal | SAP Asset Accounting | High |
What Was the High-Priority Misconfiguration in SAP NetWeaver AS Java? (Note 3434839)
SAP Note 3434839 addresses a high-priority security misconfiguration in the User Management Engine (UME) of SAP NetWeaver AS Java, version 7.50. The vulnerability allowed user passwords created via self-registration to bypass the defined password complexity requirements. This could lead to the use of weak passwords, increasing the risk of account compromise. The official fix involves updating the affected software components to the versions specified in the note. As a temporary workaround, SAP recommends disabling user self-registration and the ability for users to modify their own profiles.
How Did an Information Disclosure Vulnerability Affect SAP BusinessObjects? (Note 3421384)
SAP Note 3421384 patches a high-priority information disclosure vulnerability in the Web Intelligence application of SAP BusinessObjects Business Intelligence. The flaw could enable an attacker to access sensitive operating system information through the reading of arbitrary Excel files. To address the vulnerability, SAP has provided support package patches. For those unable to apply the patch immediately, a workaround is available: removing the “Excel Data Access” service from all Adaptive Processing Servers can mitigate the risk.
What Directory Traversal Flaw Was Patched in SAP Asset Accounting? (Note 3438234)
SAP Note 3438234 resolves a directory traversal vulnerability in SAP Asset Accounting. This issue was caused by insufficient validation of user-provided path information, which could allow a privileged attacker to misuse file APIs and potentially disrupt application operations. The correction provided by SAP ensures that path information is properly verified against logical filenames. As a temporary mitigation, the vulnerable programs, RAALTE00 and RAALTD01, can be protected by assigning them to specific authorization groups to restrict execution.
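As an added illustration (not SAP's correction and not ABAP from the affected programs), this is the shape of the check the note describes: a user-supplied path is accepted only if it resolves inside the directory bound to a known logical filename, and anything that escapes that directory is rejected before any file API is called. The logical names and directories below are constructed assumptions.

```python
import posixpath
from pathlib import PurePosixPath

# Constructed example: logical filenames mapped to the physical directories
# they are allowed to address. In a real system this mapping is maintained
# centrally, not by the caller, so the user never supplies a raw base path.
BASE_DIR = PurePosixPath("/srv/app/export")
LOGICAL_FILES = {
    "ASSET_EXPORT": BASE_DIR / "assets",
    "DEPREC_RUN": BASE_DIR / "depreciation",
}


class PathValidationError(ValueError):
    """Raised when user-provided path information fails verification."""


def resolve_physical_path(logical_name: str, user_path: str) -> PurePosixPath:
    """Combine a logical filename with user-supplied relative path info and
    return the physical path, or raise if it would leave the logical root."""
    root = LOGICAL_FILES.get(logical_name)
    if root is None:
        raise PathValidationError(f"unknown logical filename: {logical_name!r}")
    if not user_path or PurePosixPath(user_path).is_absolute():
        raise PathValidationError("path must be relative and non-empty")
    # Normalise lexically (collapses '..' and '.') without touching the
    # filesystem, so the decision is made purely on the supplied string.
    candidate = PurePosixPath(posixpath.normpath(str(root / user_path)))
    try:
        candidate.relative_to(root)  # component-wise, so 'assets2' != 'assets'
    except ValueError:
        raise PathValidationError(f"path escapes {root}: {user_path!r}") from None
    return candidate


def is_allowed(logical_name: str, user_path: str) -> bool:
    """Convenience wrapper returning True only when verification succeeds."""
    try:
        resolve_physical_path(logical_name, user_path)
        return True
    except PathValidationError:
        return False
```

The same verification applies regardless of which program is the caller, so it does not depend on the authorization-group workaround; that workaround only limits who can run the programs.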
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability in April 2024?
The most critical vulnerability was a high-priority security misconfiguration in SAP NetWeaver AS Java (Note 3434839), which allowed weak passwords for self-registered users and received a CVSS score of 8.8.
Are there workarounds for the April 2024 SAP vulnerabilities?
Yes, SAP provided temporary workarounds for all three major vulnerabilities. These include disabling user self-registration for the NetWeaver flaw, removing the Excel Data Access service for the BusinessObjects issue, and using authorization groups to protect programs for the Asset Accounting vulnerability.
Which SAP products were affected by the April 2024 security notes?
The high-priority notes affected SAP NetWeaver AS Java 7.50, SAP BusinessObjects Business Intelligence, and SAP Asset Accounting. Other medium-severity notes impacted products like Integration Suite, Group Reporting Data Collection, and S/4HANA.