SAP Patches 19 Vulnerabilities in September 2024 Patch Day

Stay updated on SAP vulnerabilities with the September 2024 Patch Day, addressing critical security issues and enhancing system protection.
September 2024 Patch Day

In September 2024, SAP released nineteen new and updated security notes. These updates address vulnerabilities across a range of SAP products and are essential for organizations that need to protect sensitive data held in those systems.

Among the notable updates was HotNews Note #3479478, which carries a CVSS score of 9.8. This note addresses a critical missing authentication check in the SAP BusinessObjects Business Intelligence Platform, a flaw that could allow unauthorized access to sensitive data. The note was first released in August; the September update adds workaround instructions for customers who cannot apply the patch immediately and extends the fix to Enterprise software release 420.

Additionally, High Priority Note #3459935, with a CVSS score of 7.4, addresses an information disclosure vulnerability in SAP Commerce Cloud. The update revises the recommended fix from Release 2211.27 to Release 2211.28, so customers who applied the earlier release should move to 2211.28.

Key Vulnerabilities Addressed

SAP's September Patch Day focused on several critical vulnerabilities, including:

  1. Cross-Site Scripting (XSS) vulnerabilities in eProcurement on S/4HANA and the CRM Blueprint Application Builder Panel. These vulnerabilities, documented in SAP Security Notes #3497347 and #3501359, both rated at a CVSS score of 6.1, could allow attackers to inject malicious scripts, potentially compromising user data.
  2. A missing authorization check in SAP Production and Revenue Accounting was addressed in SAP Security Note #3488341. This vulnerability could allow unauthorized users to access sensitive information through a remote-enabled function module, but the patch now restricts access to authorized users only.
  3. SAP Security Note #3488039 addressed six additional vulnerabilities in RFC-enabled function modules, which could disrupt user access to SAP GUI. One significant vulnerability, tracked under CVE-2024-45285, could allow a low-privileged attacker to block a specific user from accessing SAP GUI by sending a crafted packet.
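The second and third items above both concern remote-enabled (RFC) function modules that could be reached by users lacking the authorization the data requires. The block below is an added illustration of the generic shape of that fix and is not code from SAP, Onapsis, or the notes listed; the function name, the exporting table type ztt_fi_documents, and the data selection are hypothetical, while F_BKPF_BUK is the standard FI authorization object for company code.

```abap
FUNCTION z_read_company_documents.
*"----------------------------------------------------------------------
*"*"Local Interface (hypothetical remote-enabled function module):
*"  IMPORTING
*"     VALUE(iv_bukrs) TYPE bukrs
*"  EXPORTING
*"     VALUE(et_documents) TYPE ztt_fi_documents   " hypothetical table type
*"  EXCEPTIONS
*"      not_authorized
*"----------------------------------------------------------------------

  " A remote-enabled function module can be invoked by any user who can
  " reach the RFC interface and holds S_RFC for the function group. The
  " RFC layer does not know what data the module touches, so the module
  " itself must verify the caller's authorization. Omitting this block is
  " the pattern behind a "missing authorization check" finding.
  AUTHORITY-CHECK OBJECT 'F_BKPF_BUK'
    ID 'BUKRS' FIELD iv_bukrs
    ID 'ACTVT' FIELD '03'.          " activity 03 = display
  IF sy-subrc <> 0.
    " Fail closed and report the denial to the caller rather than
    " returning an empty or partial result that hides the problem.
    RAISE not_authorized.
  ENDIF.

  " Only callers that passed the check reach the data access.
  SELECT belnr gjahr budat
    FROM bkpf
    INTO CORRESPONDING FIELDS OF TABLE et_documents
    WHERE bukrs = iv_bukrs.

ENDFUNCTION.
```

The check sits before the first data access and is keyed to the same company code the caller asks for, so a user authorized for one company code cannot read another's documents through the RFC interface. Logging the failed check (for example through the security audit log) gives detection teams a signal when unauthorized callers probe such modules.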

Onapsis Research Labs played a significant role in this patch cycle, assisting SAP in identifying and patching twelve vulnerabilities across seven security notes. Thomas Fritsch, Manager of Content and Technical Research at Onapsis, emphasized the importance of ongoing collaboration with SAP to address critical vulnerabilities quickly.

Additional Vulnerabilities Patched

Beyond the high-profile vulnerabilities, SAP also addressed several other issues:

  1. SAP Security Note #3505293 corrected an authorization issue in SAP for Oil & Gas, preventing non-administrative users from deleting data entries, which could disrupt business processes.
  2. Information disclosure vulnerabilities in SAP BW (BEx Analyzer) were patched in SAP Security Notes #3481588 and #3481992, ensuring that only authenticated users can access sensitive data.

Although no new HotNews or High Priority Notes were introduced this month, the updates resolve several important issues, particularly cross-site scripting and missing authorization checks. By prioritizing security, SAP helps ensure that its customers can rely on their systems without fear of exploitation or data loss.

Conclusion

The September 2024 Patch Day was a crucial event for SAP, showcasing the company's commitment to maintaining robust security measures. By addressing significant vulnerabilities and collaborating with security experts, SAP aims to protect its customers and their sensitive data from evolving cyber threats. Organizations using SAP products are encouraged to review these security notes and apply the necessary patches to safeguard their systems effectively.

Hello, I'm Gnaneshwar Gaddam. An Electrical Engineer by Education 📚, a Tech Blogger by Passion ⚙️, and the Founder & CEO of Techrytr.in, Gnaneshwar brings over 10 years of experience in the tech industry to Hyderabad, India📍. He's passionate about sharing his insights on the Latest Tech Trends and Gadgets through clear and Engaging Content.