SAP’s September 2024 security update addresses several key vulnerabilities, including a high-priority information disclosure flaw in SAP Commerce Cloud that could expose Personally Identifiable Information (PII). The patches also fix multiple Cross-Site Scripting (XSS) and authorization vulnerabilities across SAP NetWeaver, CRM, and Enterprise Portal, requiring immediate attention from administrators.
This advisory summarizes the most significant vulnerabilities SAP addressed in its September 10, 2024 security patch release. The most critical patch, an update to Note 3459935, corrects a high-priority information disclosure vulnerability in SAP Commerce Cloud where sensitive data like passwords could be exposed in URL parameters. Additionally, SAP patched several medium-priority flaws. Note 3505503 resolves a Cross-Site Scripting (XSS) issue in the SAP NetWeaver AS Java logon application. Further XSS vulnerabilities were addressed in SAP CRM and SAP Enterprise Portal under notes 3501359 and 3498221. Finally, note 3488039 deals with multiple missing authorization checks in SAP NetWeaver AS ABAP and ABAP Platform. Organizations are advised to review and apply these security notes to protect their SAP landscapes from potential exploitation.
Key Takeaways
- A high-priority Information Disclosure vulnerability (Note 3459935) in SAP Commerce Cloud could expose sensitive PII.
- A Cross-Site Scripting (XSS) flaw (Note 3505503) was patched in the SAP NetWeaver AS Java logon application.
- Multiple missing authorization vulnerabilities (Note 3488039) were fixed in SAP NetWeaver AS ABAP.
- Additional XSS vulnerabilities were addressed in SAP CRM and SAP Enterprise Portal (Notes 3501359 & 3498221).
- Patches are available for both cloud and on-premise editions for the Commerce Cloud vulnerability.
- Workarounds are available for several notes if patches cannot be immediately applied.
September 2024 SAP Security Note Details
The table below outlines the key vulnerabilities addressed in the September 2024 security notes.
| SAP Note | Vulnerability Type | Affected Product(s) | Priority |
|---|---|---|---|
| 3459935 | Information Disclosure | SAP Commerce Cloud | High |
| 3505503 | Cross-Site Scripting (XSS) | SAP NetWeaver AS Java | Medium |
| 3488039 | Missing Authorization | SAP NetWeaver AS ABAP / ABAP Platform | Medium |
| 3501359 | Cross-Site Scripting (XSS) | SAP CRM | Medium |
| 3498221 | Cross-Site Scripting (XSS) | SAP Enterprise Portal | Medium |
What Was the Highest Priority Vulnerability?
Note 3459935: Information Disclosure in SAP Commerce Cloud
The most significant patch was an update to SAP Note 3459935, which addresses a high-priority information disclosure vulnerability in SAP Commerce Cloud. The flaw allowed Personally Identifiable Information (PII), such as passwords, to be included in the request URL for some OCC API endpoints. This could lead to the exposure of sensitive data in logs or browser history. The note provides patches for both cloud and on-premise editions and includes details on a workaround if the corrections cannot be implemented immediately.
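Because the flaw put credentials into request URLs, the practical follow-up for an operator is to check existing access logs for the same pattern and to redact what is found before the logs are retained or shipped elsewhere. The scanner below is an added example for this advisory, not code from SAP or from the note; the log lines are constructed samples and the request paths are hypothetical placeholders, not the real OCC endpoints the note covers.

```python
"""Find and redact sensitive values carried in URL query strings of web access logs.

Added illustrative code for this advisory, not SAP's. The SAMPLE_LOG lines are
constructed; the paths in them are placeholders rather than real OCC endpoints.
"""
import re
from urllib.parse import urlsplit, urlunsplit, parse_qsl, urlencode

# Parameter names that should never travel in a query string (case-insensitive).
SENSITIVE_PARAMS = {"password", "passwd", "pwd", "newpassword", "oldpassword",
                    "token", "access_token", "refresh_token", "secret"}

# Request part of a common/combined log line: "METHOD /path?query HTTP/x.y" status
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def leaked_params(url: str) -> list:
    """Return the sensitive parameter names present in url's query string, sorted."""
    query = urlsplit(url).query
    return sorted({k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)
                   if k.lower() in SENSITIVE_PARAMS})

def redact_url(url: str) -> str:
    """Replace the value of every sensitive parameter so the line is safe to keep."""
    parts = urlsplit(url)
    pairs = [(k, "REDACTED" if k.lower() in SENSITIVE_PARAMS else v)
             for k, v in parse_qsl(parts.query, keep_blank_values=True)]
    return urlunsplit(parts._replace(query=urlencode(pairs)))

def scan(lines):
    """Yield (line_no, method, leaked_param_names, redacted_url) for offending requests."""
    for n, line in enumerate(lines, 1):
        m = LOG_RE.search(line)
        if not m:
            continue  # not a request line in the expected format
        leaked = leaked_params(m["url"])
        if leaked:
            yield n, m["method"], leaked, redact_url(m["url"])

# Constructed sample log; only lines 1 and 4 carry credentials in the query string.
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Sep/2024:09:14:02 +0000] "POST /api/v2/users/current/password?oldPassword=Winter2023&newPassword=Spring2024 HTTP/1.1" 200 12',
    '10.0.0.5 - - [10/Sep/2024:09:14:09 +0000] "GET /api/v2/products/search?query=shoes&pageSize=20 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [10/Sep/2024:09:15:41 +0000] "POST /api/v2/users/current/password HTTP/1.1" 200 12',
    '10.0.0.9 - - [10/Sep/2024:09:16:03 +0000] "GET /api/v2/login?username=alice&password=hunter2 HTTP/1.1" 200 300',
]

if __name__ == "__main__":
    for line_no, method, leaked, redacted in scan(SAMPLE_LOG):
        print(f"line {line_no}: {method} leaks {leaked} -> {redacted}")
```

The same check works on proxy, load-balancer and CDN logs, which usually keep the full request URL even when the application tier does not; run it on each tier that sat in front of the affected endpoints, and treat every hit as a credential that should be rotated, not just a log line to redact.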
What Cross-Site Scripting (XSS) Flaws Were Patched?
SAP addressed three separate XSS vulnerabilities:
- Note 3505503: This note patches an XSS vulnerability in the logon application of SAP NetWeaver Application Server (AS) Java. The issue stemmed from insufficient encoding of user-controlled inputs, which could allow malicious scripts to be executed.
- Notes 3501359 & 3498221: These notes resolve similar XSS vulnerabilities in SAP CRM and SAP Enterprise Portal, respectively, protecting them from script injection attacks.
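The NetWeaver logon flaw above is described as insufficient encoding of user-controlled input, which is the general root cause of reflected XSS: a value echoed into a page is interpolated as markup instead of being encoded for the context it lands in. The example below is added for illustration and is not SAP's logon application; the page fragments are constructed, and it shows a vulnerable renderer next to a hardened one that encodes the same value separately for the HTML text, attribute and URL contexts, plus a small check that a test suite can use to catch regressions.

```python
"""Vulnerable versus hardened rendering of a user-controlled value in a logon page.

Added illustrative code, not SAP's logon application. The markup is a constructed
stand-in; the point is per-context output encoding, not the page layout.
"""
import html
from urllib.parse import quote

def render_vulnerable(username: str, next_url: str = "/") -> str:
    """Interpolates raw input: a crafted username or redirect target is treated as markup."""
    return (f'<p>Login failed for user {username}</p>'
            f'<input name="j_username" value="{username}">'
            f'<a href="/logon?next={next_url}">Try again</a>')

def render_hardened(username: str, next_url: str = "/") -> str:
    """Encodes each value for the context it is placed in.

    html.escape(quote=True) covers HTML text and double-quoted attributes;
    a query-string value needs percent-encoding instead, so a different encoder is used.
    """
    safe_text = html.escape(username, quote=True)
    safe_query = quote(next_url, safe="")  # encode everything, including '/' and ':'
    return (f'<p>Login failed for user {safe_text}</p>'
            f'<input name="j_username" value="{safe_text}">'
            f'<a href="/logon?next={safe_query}">Try again</a>')

def contains_unencoded_markup(rendered: str, untrusted: str) -> bool:
    """Regression check: an input carrying markup characters must not appear verbatim."""
    return any(c in untrusted for c in '<>"\'') and untrusted in rendered

if __name__ == "__main__":
    # Constructed probe value: closes the attribute and injects an element if unencoded.
    probe = '"><b>x</b>'
    print("vulnerable:", render_vulnerable(probe))
    print("hardened:  ", render_hardened(probe))
```

A point worth keeping in mind when reviewing a fix of this kind: the encoder must match the output context. `html.escape` is correct inside element text and quoted attributes, but a value written into a URL, a JavaScript string or a CSS property needs its own encoding, which is why the hardened renderer treats the redirect parameter differently from the username.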
What Authorization Vulnerabilities Were Addressed?
Note 3488039: Missing Authorizations in SAP NetWeaver AS ABAP
This note corrects multiple missing authorization vulnerabilities in SAP NetWeaver Application Server (AS) ABAP and the ABAP Platform. The affected function modules are within the SMTRNAVIGATIONMODULESBX function group. The note provides a workaround that involves withdrawing specific SRFC permissions to mitigate the risk until the patch can be applied.
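The workaround in this note works at the RFC perimeter rather than inside the function modules: if a user holds no RFC authorization for the affected function group, the missing checks inside its modules cannot be reached remotely. The model below is an added example written for this advisory, not SAP code and not the ABAP kernel's check; it mimics the shape of SAP's S_RFC authorization object (the "SRFC permissions" the note refers to, with fields RFC_TYPE, RFC_NAME and ACTVT and a trailing-`*` wildcard) to show what withdrawing the permission changes, and why a wildcard grant needs manual narrowing. The user profiles and the function module name are constructed placeholders.

```python
"""Simplified model of RFC-level authorization, used to reason about the Note 3488039 workaround.

Added illustrative code, not SAP's implementation. Authorizations are modelled on the
S_RFC object (RFC_TYPE, RFC_NAME, ACTVT) with SAP's trailing-'*' wildcard; the
profiles and the function module name below are constructed placeholders.
"""
from dataclasses import dataclass

FUNCTION_GROUP = "SMTRNAVIGATIONMODULESBX"   # function group named in the note
PLACEHOLDER_FM = "PLACEHOLDER_FM"            # the note's individual modules are not listed here

@dataclass(frozen=True)
class RfcAuth:
    rfc_type: str        # "FUGR" = function group, "FUNC" = single function module
    rfc_name: str        # exact name or prefix ending in "*"
    actvt: str = "16"    # 16 = execute

def _matches(pattern: str, name: str) -> bool:
    """SAP-style trailing wildcard: 'ZINT_*' matches every name starting with 'ZINT_'."""
    if pattern.endswith("*"):
        return name.startswith(pattern[:-1])
    return pattern == name

def rfc_call_allowed(profile, function_module: str, function_group: str) -> bool:
    """True if any authorization in the profile permits executing the module remotely."""
    for auth in profile:
        if auth.actvt != "16":
            continue
        if auth.rfc_type == "FUGR" and _matches(auth.rfc_name, function_group):
            return True
        if auth.rfc_type == "FUNC" and _matches(auth.rfc_name, function_module):
            return True
    return False

def withdraw_group_access(profile, function_group: str):
    """Model of the workaround: remove authorizations that explicitly grant the group.

    Returns (new_profile, residual). `residual` lists wildcard entries that still cover
    the group after the explicit ones are gone; they must be narrowed by hand, because
    deleting a '*' grant outright would also cut unrelated RFC access.
    """
    kept, residual = [], []
    for auth in profile:
        if auth.rfc_type == "FUGR" and auth.rfc_name == function_group:
            continue  # explicit grant for the vulnerable group: withdraw it
        if (auth.rfc_type == "FUGR" and auth.rfc_name.endswith("*")
                and _matches(auth.rfc_name, function_group)):
            residual.append(auth)  # still reaches the group through a wildcard
        kept.append(auth)
    return kept, residual

# Constructed sample profiles.
INTEGRATION_USER = [RfcAuth("FUGR", FUNCTION_GROUP), RfcAuth("FUGR", "ZINT_*")]
BROAD_USER = [RfcAuth("FUGR", "*")]

if __name__ == "__main__":
    for label, profile in (("integration", INTEGRATION_USER), ("broad", BROAD_USER)):
        before = rfc_call_allowed(profile, PLACEHOLDER_FM, FUNCTION_GROUP)
        after_profile, residual = withdraw_group_access(profile, FUNCTION_GROUP)
        after = rfc_call_allowed(after_profile, PLACEHOLDER_FM, FUNCTION_GROUP)
        print(f"{label}: allowed before={before} after={after} residual={residual}")
```

The second profile is the case that makes this workaround laborious in practice: a user whose RFC authorization is a blanket `*` keeps reaching the vulnerable group until that wildcard is replaced with an explicit list of the groups the user actually needs, so inventorying which roles carry wildcard RFC grants is the first step before the note's patch can be deferred.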
Frequently Asked Questions (FAQ)
What is the most critical SAP vulnerability for September 2024?
The most critical vulnerability is a high-priority Information Disclosure flaw in SAP Commerce Cloud (Note 3459935), which could expose sensitive user data like passwords in URLs.
What is a Cross-Site Scripting (XSS) vulnerability?
A Cross-Site Scripting (XSS) vulnerability is a security flaw that allows an attacker to inject malicious scripts into web pages viewed by other users. This can lead to session hijacking, data theft, or defacing the website.
How should I apply these patches?
SAP releases security notes on the second Tuesday of every month, known as Patch Day. It is strongly recommended that customers visit the SAP Support Portal to review the notes and apply the necessary patches to protect their SAP landscape.