Critical updates will be released on SAP Security Patch Day in August 2024

The SAP Security Patch Day in August 2024 brought to light several critical updates and vulnerabilities and highlighted the importance of regular security maintenance to protect enterprise software.

In the August 2024 release, SAP published a total of 25 new and updated security advisories. Of these, two were classified as HotNews advisories, indicating severe vulnerabilities that require immediate attention, and four were marked as high priority advisories. These updates are critical to address vulnerabilities that could otherwise compromise the confidentiality, integrity, and availability of SAP systems.

One of the most significant vulnerabilities addressed in this patch affects Node.js and affects applications built with SAP Build Apps. Due to the exposure of CVE-2024-29415, SAP has recommended rebuilding all affected applications with SAP Build Apps version 4.11.130 or later. Failure to apply this update could leave applications vulnerable to serious security breaches.

Safety instructions from August 2024 in detail

At the SAP Security Patch Day in August, several serious security vulnerabilities were identified, including:

• SAP Security Note No. 3423268: This note with a CVSS score of 7.8 resolves a security vulnerability in the Manage Supply Protection feature of SAP S/4HANA that uses the SheetJS library. The vulnerable versions of this library could expose the application to risks that affect its confidentiality, integrity, and availability. The update includes a patch for the latest version of SheetJS that mitigates these risks.
• SAP Security Note No. 3460407: This high priority note with a CVSS score of 7.5 focuses on an information disclosure vulnerability in the Meta Model Repository of SAP NetWeaver AS Java. This note was originally published in June 2024 and updated to cover additional support package levels. The provided patch addresses the vulnerability by updating the MMR_SERVER component.
• SAP Security Note No. 3479478: This HotNews note with a CVSS score of 9.8 is particularly critical. It resolves a denial-of-service (DoS) vulnerability in the SAP BusinessObjects Business Intelligence Platform. The flaw could allow unauthorized users to exploit a REST endpoint, completely compromising the confidentiality, integrity, and availability of the system.
• SAP Security Note No. 3477196: Another high-risk vulnerability was found in applications built with SAP Build Apps using a vulnerable Node.js library. With a CVSS score of 9.1, this advisory highlights the need to rebuild applications to ensure security. The consequences of not fixing this vulnerability could be severe, affecting both confidentiality and integrity.

Focus on SAP Security Patch Day

SAP Security Patch Day is an integral part of SAP's ongoing commitment to maintaining the security of its software solutions. By regularly publishing security advisories, SAP provides organizations with the tools necessary to protect their systems from potential threats. The August 2024 updates are a reminder of the importance of timely patching in the overall security strategy of any organization that uses SAP software.

Onapsis Research Labs played a critical role in the SAP Security Patch Day in August 2024 by helping to identify and remediate several vulnerabilities. Their contributions include:

• SAP Security Note No. 3485284: This high priority advisory with a CVSS score of 8.2 resolves a security vulnerability in the SAP BEx Web Java Runtime Export Web Service. The vulnerability could allow an attacker to exploit XMLForm services, causing the SAP ADS system to become unavailable.
• SAP Security Note No. 3459935: This advisory with a CVSS score of 7.4 resolves vulnerable OCC API endpoints in SAP Commerce Cloud. The vulnerability could have exposed personally identifiable information (PII) in request URLs, creating a risk of data loss.
• Other articles: Onapsis Research Labs also contributed to patching several other vulnerabilities, including issues in SAP Shared Service Framework, SAP CRM ABAP, SAP NetWeaver Application Server ABAP, and SAP Student Lifecycle Management.

The SAP Security Patch Day in August 2024 has further underlined the importance of keeping SAP systems updated with the latest security patches. With 25 new and updated security advisories, including critical updates for widely used SAP solutions, organizations must prioritize these patches to maintain the security and integrity of their systems. Regular participation in SAP Security Patch Day also ensures that vulnerabilities are fixed promptly, reducing the risk of exploitation by malicious actors.