SAP Security Notes, April 2024

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.

April 2024 notes

Summary and highlights of the month

The total number of notes/patches this month was 12, the same as last month. There were no Hot News this month, unlike the 3 from last month. Additionally, it’s important to note that the number of critical notes has also remained the same as last month: 3 this month. As usual, we will leave the medium and low severity notes unchecked, but we will provide details of a total of 3 notes (all those with a CVSS of 7 or higher).

We have a total of 12 notes for the entire month (the 12 from Patch Tuesday, 10 new and 2 updates).

We will review in detail a total of 3 notes, all 3 corresponding to the high severity notes: the 3 are new (those with a CVSS score of 7 or higher).

1. The most critical note of the month (with a CVSS of 8.8) is a new note related to “Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine.”
2. The next in terms of severity (CVSS 7.7) is another high note related to “Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence.”
3. The following in severity (with a CVSS 7.2), is another high note related to “Directory Traversal vulnerability in SAP Asset Accounting.”
4. This month, the most predominant type is related to “Missing Authorization check in SAP S/4 HANA” (2/12 on patch day).

In the graph, we can see the classification of the April notes, as well as the evolution and classification of the last 5 months (only the notes from Sec. Tuesday / Patch Day – by SAP).

Full details

The complete detail of the most relevant notes is as follows:

1. Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (3434839): The ‘Self-Registration’ and ‘Modify your own profile’ feature in the NetWeaver AS Java User Admin application lacks the necessary security requirements, which could allow an attacker to compromise data confidentiality. It is recommended that you upgrade your NW Java application server to a version or Service Pack (SP) that has addressed this specific issue. CVSS v3 Base Score: 8,8 / 10 [CVE-2024-27899].
2.  Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence Product (3421384): Due to improper validation, SAP Business Object Business Intelligence Launch Pad has a vulnerability that allows an authenticated attacker to access operating system information through a manipulated document. This could compromise the confidentiality of the application. As an interim measure, SAP recommends removing the Excel data access service from all adaptive processing servers to mitigate this risk. CVSS v3 Base Score: 7,7/ 10 [CVE-2024-25646].
3. Directory Traversal vulnerability in SAP Asset Accounting (3438234): SAP Asset Accounting has a vulnerability that could allow an attacker with elevated privileges to exploit insufficient validation of routing information provided by users, affecting the confidentiality, integrity and availability of the application. As a workaround, SAP recommends assigning an authorization group to the RAALTE00 and RAALTD01 programs, ensuring that they can only be executed by users with special privileges.CVSS v3 Base Score: 7,2 / 10 [CVE-2024-27901].

Reference links

Other references, from SAP and Onapsis (April):

Digital Library (sap.com)

SAP Patch Day: April 2024 – Onapsis

Resources affected