{"id":12257,"date":"2024-11-21T11:58:10","date_gmt":"2024-11-21T09:58:10","guid":{"rendered":"https:\/\/www.inprosec.com\/?p=12257"},"modified":"2024-11-21T11:58:10","modified_gmt":"2024-11-21T09:58:10","slug":"sap-security-notes-november-2024","status":"publish","type":"post","link":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/","title":{"rendered":"SAP Security Notes, November 2024"},"content":{"rendered":"

Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems.<\/strong><\/p>\n\n

November 2024 notes<\/h2>\n

Summary and highlights of the month<\/h3>\n
The total number of notes\/patches has been 10, which is 3 less than last month. This month, there were no HotNews, the same as last month. On the other hand, it is noteworthy that the number of high-criticality notes has decreased compared to last month: 2 this month. As always, we will leave medium and low notes unreviewed, but we will provide details for a total of 2 notes<\/b> (all those with a CVSS of 7<\/b> or higher).<\/div>\n

 <\/p>\n

We have a total of 10 notes<\/b> for the entire month (the 10 from Patch Tuesday, 8 new and 2 updates).<\/p>\n

We will review in detail a total of 2 notes, the high notes of this month, which consist of 1 update and 1 new note (those with a CVSS of 7 or higher).<\/p>\n

    \n
  1. \n
    The most critical note of the month (<\/b>with CVSS <\/b>8.8<\/b><\/span>)<\/b> is a high-priority note related to “Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher”<\/b>.<\/div>\n<\/li>\n
  2. \n
    The next in criticality (CVSS<\/b> 7.7<\/b><\/span>)<\/b> is an update to the note published in July of this year, related to “Multiple vulnerabilities in SAP Enterprise Project Connection”<\/b>.<\/div>\n<\/li>\n
  3. \n
    This month, the most prevalent type is related to “Missing Authorization check in SAP”<\/b> (4\/10 on Patch Day).<\/div>\n<\/li>\n<\/ol>\n

    In the chart, we can see the classification of the November notes<\/u><\/b>, along with the evolution and classification of the past 5 months (only notes from Sec. Tuesday \/ Patch Day \u2013 by SAP):<\/p>\n

     <\/p>\n

    \"\"<\/p>\n

    Full details<\/h3>\n

    The complete detail of the most relevant notes<\/strong> is as follows:<\/p>\n

      \n
    1. Cross-Site Scripting (XSS) vulnerability in SAP Web Dispatcher(3520281)<\/u>:\u00a0An unauthenticated attacker can create a malicious link that, when executed in the victim’s browser (XXS) or transmitted to another server (SSRF), gives the attacker the ability to execute arbitrary code on the server, totally compromising confidentiality, integrity and availability. CVSS v3<\/b>\u00a0Base Score<\/b>\u00a08,8<\/b><\/span>\/ 10 [CVE-2024-47590]<\/b><\/li>\n
    2. <\/b>Update – Missing Authorization check in SAP PDCE(3483344)<\/u>:\u00a0Elements of PDCE does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This allows an attacker to read sensitive information causing high impact on the confidentiality of the application The update contains corrections for SEM-BW 602 to SEM-BW 748\u00a0.CVSS v3\u00a0Base Score<\/b>\u00a07,7<\/b><\/span>\/ 10 [CVE-2024-39592].<\/b><\/li>\n<\/ol>\n

      Reference links<\/strong><\/h3>\n

      Other references, from SAP and Onapsis (november):<\/p>\n

      SAP Security Patch Day \u2013 November 2024<\/a><\/u><\/p>\n

      SAP Patch Day: November 2024 – Onapsis<\/a><\/p>\n

      Recursos afectados<\/strong><\/h2>\n

       <\/p>\n

      Resources affected<\/u><\/strong><\/p>\n

      \n
        \n
      • SAP Web Dispatcher, Versions \u2013 WEBDISP 7.77, 7.89, 7.93, KERNEL 7.77, 7.89, 7.93, 9.12, 9.13<\/li>\n
      • SAP PDCE, Version \u2013 S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108<\/li>\n
      • \n
        SAP NetWeaver AS Java (System Landscape Directory), Versions \u2013 LM-SLD 7.5<\/div>\n<\/li>\n
      • \n
        SAP NetWeaver Application Server Java (Logon Application), Versions \u2013 SERVERCORE 7.5<\/div>\n<\/li>\n
      • \n
        SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions \u2013 KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, 8.04, KERNEL 7.22, 7.53, 7.54, 7.77, 7.89, 7.93, 8.04, 9.12, 9.13<\/div>\n<\/li>\n
      • \n
        SAP NetWeaver Java (Software Update Manager), Versions – SUM 1.1<\/div>\n<\/li>\n
      • \n
        SAP Cash Management (Cash Operations), Version – S4CORE 103, 104, 105, 106, 107, 108<\/div>\n<\/li>\n
      • \n
        SAP Bank Account Management, Version – 100, 101, 102, 103, 104, 105, 106, 107, 108<\/div>\n<\/li>\n<\/ul>\n<\/div>\n","protected":false},"excerpt":{"rendered":"

        Inprosec through its services, such as the SAP Security Assessment, helps its customers to improve the security levels of their SAP systems. November 2024 notes Summary and highlights of the month The total number of notes\/patches has been 10, which is 3 less than last month. This month, there were no HotNews, the same as…<\/p>\n","protected":false},"author":6,"featured_media":12259,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"inline_featured_image":false,"footnotes":""},"categories":[95,61],"tags":[150],"class_list":["post-12257","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-sap-notes","category-sap-security-en-2","tag-sap-notes"],"acf":[],"yoast_head":"\nSAP Security Notes, November 2024 - Inprosec<\/title>\n<meta name=\"description\" content=\"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP Security Notes, November 2024\" \/>\n<meta property=\"og:description\" content=\"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/\" \/>\n<meta property=\"og:site_name\" content=\"Inprosec\" \/>\n<meta property=\"article:published_time\" content=\"2024-11-21T09:58:10+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"1200\" \/>\n\t<meta property=\"og:image:height\" content=\"630\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Fernando Mosquera\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Fernando Mosquera\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/\"},\"author\":{\"name\":\"Fernando Mosquera\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"headline\":\"SAP Security Notes, November 2024\",\"datePublished\":\"2024-11-21T09:58:10+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/\"},\"wordCount\":477,\"commentCount\":0,\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/notas-sap-noviembre-2024.jpg\",\"keywords\":[\"SAP Notes\"],\"articleSection\":[\"SAP Notes\",\"SAP Security\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/\",\"name\":\"SAP Security Notes, November 2024 - Inprosec\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/notas-sap-noviembre-2024.jpg\",\"datePublished\":\"2024-11-21T09:58:10+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\"},\"description\":\"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#primaryimage\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/notas-sap-noviembre-2024.jpg\",\"contentUrl\":\"https:\\\/\\\/www.inprosec.com\\\/wp-content\\\/uploads\\\/2024\\\/11\\\/notas-sap-noviembre-2024.jpg\",\"width\":1200,\"height\":630},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/sap-security-notes-november-2024\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP Security Notes, November 2024\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#website\",\"url\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/\",\"name\":\"Inprosec\",\"description\":\"Information security is our priority.\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.inprosec.com\\\/en\\\/#\\\/schema\\\/person\\\/b05a40c0c3e81b819075dd95a10532e2\",\"name\":\"Fernando Mosquera\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g\",\"caption\":\"Fernando Mosquera\"}}]}<\/script>\n<!-- \/ Yoast SEO Premium plugin. -->","yoast_head_json":{"title":"SAP Security Notes, November 2024 - Inprosec","description":"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/","og_locale":"en_US","og_type":"article","og_title":"SAP Security Notes, November 2024","og_description":"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.","og_url":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/","og_site_name":"Inprosec","article_published_time":"2024-11-21T09:58:10+00:00","og_image":[{"width":1200,"height":630,"url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg","type":"image\/jpeg"}],"author":"Fernando Mosquera","twitter_card":"summary_large_image","twitter_misc":{"Written by":"Fernando Mosquera","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#article","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/"},"author":{"name":"Fernando Mosquera","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"headline":"SAP Security Notes, November 2024","datePublished":"2024-11-21T09:58:10+00:00","mainEntityOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/"},"wordCount":477,"commentCount":0,"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg","keywords":["SAP Notes"],"articleSection":["SAP Notes","SAP Security"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/","url":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/","name":"SAP Security Notes, November 2024 - Inprosec","isPartOf":{"@id":"https:\/\/www.inprosec.com\/en\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#primaryimage"},"image":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#primaryimage"},"thumbnailUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg","datePublished":"2024-11-21T09:58:10+00:00","author":{"@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2"},"description":"All updates to SAP systems notes from November 2024, to stay current and improve the security levels of your SAP systems.","breadcrumb":{"@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#primaryimage","url":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg","contentUrl":"https:\/\/www.inprosec.com\/wp-content\/uploads\/2024\/11\/notas-sap-noviembre-2024.jpg","width":1200,"height":630},{"@type":"BreadcrumbList","@id":"https:\/\/www.inprosec.com\/en\/sap-security-notes-november-2024\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.inprosec.com\/en\/"},{"@type":"ListItem","position":2,"name":"SAP Security Notes, November 2024"}]},{"@type":"WebSite","@id":"https:\/\/www.inprosec.com\/en\/#website","url":"https:\/\/www.inprosec.com\/en\/","name":"Inprosec","description":"Information security is our priority.","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.inprosec.com\/en\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/www.inprosec.com\/en\/#\/schema\/person\/b05a40c0c3e81b819075dd95a10532e2","name":"Fernando Mosquera","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/199e6c54b14f5b5ddf7e11a9bb0b455c3bed7a9a1a738b7be5c2572878e69d1a?s=96&d=mm&r=g","caption":"Fernando Mosquera"}}]}},"_links":{"self":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/12257","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/comments?post=12257"}],"version-history":[{"count":1,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/12257\/revisions"}],"predecessor-version":[{"id":12261,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/posts\/12257\/revisions\/12261"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media\/12259"}],"wp:attachment":[{"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/media?parent=12257"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/categories?post=12257"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.inprosec.com\/en\/wp-json\/wp\/v2\/tags?post=12257"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}