SAP’s March 2024 security updates addressed several critical and high-priority vulnerabilities requiring attention from administrators. The patches included two “Hot News” notes for code injection flaws in SAP Build Apps and SAP NetWeaver AS Java, alongside high-priority fixes for path traversal in BusinessObjects, Denial-of-Service in HANA XS, and an authentication flaw in SAP Commerce Cloud.
This summary provides an optimized overview of the key vulnerabilities patched in March 2024. The most critical updates involved two “Hot News” notes, indicating severe risks. Note 3425274 fixed a code injection vulnerability in SAP Build Apps, while note 3433192 addressed a similar flaw in the Administrator Log Viewer for SAP NetWeaver AS Java. Additionally, SAP released important patches for other products. Note 3414195 corrected a high-priority path traversal vulnerability in SAP BusinessObjects related to a known Apache Struts issue (CVE-2023-50164). A Denial-of-Service (DoS) vulnerability in SAP HANA XS, triggered by excessive HTTP/2 requests, was patched under note 3410615. Finally, note 3346500 was updated to fix a high-risk authentication weakness in SAP Commerce Cloud by preventing the use of empty passphrases. Applying these patches is crucial for securing SAP landscapes against these identified threats.
Key Takeaways
- A critical code injection flaw was patched in SAP Build Apps (Note 3425274).
- A “Hot News” note fixed a code injection vulnerability in SAP NetWeaver AS Java (Note 3433192).
- A high-priority path traversal vulnerability in SAP BOBJ was addressed (Note 3414195).
- A Denial-of-Service vulnerability affecting SAP HANA XS was corrected (Note 3410615).
- An authentication flaw in SAP Commerce Cloud was fixed to prevent empty passphrases (Note 3346500).
What Were the “Hot News” Notes for March 2024?
The two most critical patches were released as “Hot News” notes, signifying urgent risks.
- Note 3425274 addressed a critical code injection vulnerability in applications developed using SAP Build Apps. The official recommendation is to rebuild any affected applications with version 4.9.145 or a later release to mitigate the threat.
- Note 3433192 patched a code injection vulnerability within the Administrator Log Viewer plug-in of SAP NetWeaver AS Java. This flaw allowed authenticated administrators to upload malicious files, potentially leading to arbitrary command execution. The fix blocks dangerous file types and adds support for virus scanning of uploads.
March 2024 SAP Security Note Summary
The table below summarizes the key security notes released by SAP in March 2024, as reported by Layer Seven Security.
| Note Number | Priority | Vulnerability Type | Affected Product(s) | Summary of Fix |
|---|---|---|---|---|
| 3425274 | Hot News | Code Injection | SAP Build Apps | Rebuild applications with version 4.9.145 or later. |
| 3433192 | Hot News | Code Injection | SAP NetWeaver AS Java | Blocked upload of dangerous file types and added virus scan support. |
| 3414195 | High | Path Traversal | SAP BusinessObjects (BOBJ) | Applied patches to address CVE-2023-50164 in a vulnerable Apache Struts version. |
| 3410615 | Reported | Denial-of-Service | SAP HANA XS | Patch applied; a workaround is to disable the HTTP/2 protocol. |
| 3346500 | High-Risk | Authentication | SAP Commerce Cloud | Changed default property to prevent the use of empty passphrases. |
What Was the Path Traversal Vulnerability in SAP BusinessObjects?
Note 3414195 addressed a high-priority path traversal vulnerability in the Central Management Console of SAP BusinessObjects Business Intelligence (BOBJ) for versions 4.3 SP02 through SP05. The vulnerability was caused by an outdated and vulnerable version of Apache Struts included with BOBJ, which was susceptible to the exploit registered as CVE-2023-50164. The note provides support package patches to correct the issue.
How Was the Denial-of-Service Vulnerability in SAP HANA XS Addressed?
Note 3410615 corrected a Denial-of-Service (DoS) vulnerability that impacted SAP HANA XS. The DoS condition could be triggered by sending a high volume of HTTP/2 requests to the server; the HTTP/1 protocol was not affected. As a temporary workaround, administrators can disable HTTP/2 support by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false.
What Was the Authentication Vulnerability in SAP Commerce Cloud?
Note 3346500 was updated with a revised solution for a high-risk authentication vulnerability in SAP Commerce Cloud. The fix changes the default value of the user.password.acceptEmpty property to false, which prevents users from authenticating with an empty passphrase and strengthens security.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability patched in March 2024?
Two “Hot News” notes were released. Note 3425274 addressed a critical code injection in SAP Build Apps, and note 3433192 fixed a code injection flaw in the SAP NetWeaver AS Java Log Viewer.
What was the SAP BOBJ vulnerability related to?
It was a high-priority path traversal vulnerability (CVE-2023-50164) in the Central Management Console, caused by a vulnerable version of Apache Struts included in the platform.
Is there a workaround for the SAP HANA XS DoS vulnerability?
Yes, a workaround is available for the Denial-of-Service vulnerability (Note 3410615). Administrators can disable the HTTP/2 protocol by setting the Web Dispatcher parameter icm/HTTP/support_http2 to false.