Overview
SAP’s security patch day for February 2024 has seen the release of 11 OSS SAP security notes. One note has been classified as critical, five as high, and five as medium, based on their CVSS v3.0 rating.

Three notes have been released for:
- SAP NetWeaver AS ABAP
Two notes have been released for:
- SAP NetWeaver AS JAVA
Single notes have been released for:
- SAP Cloud Connector
- SAP IDES
- SAP Application Basis
- S/4HANA
- SAP Fiori
- SAP Bank Account Management

Vulnerabilities: February 2024 Highlights
[CVE-2024-22131] Code Injection vulnerability in SAP ABA (Application Basis) (SAP Note 3420923)
A vulnerable interface can be used by an attacker, allowing them to perform actions for which they would normally not be authorised.
[CVE-2024-24743] XXE vulnerability in SAP NetWeaver AS JAVA (Guided Procedures) (SAP Note 3426111)
SAP NetWeaver AS JAVA allows an unauthenticated attacker to submit a malicious request containing a crafted XML file over the network. When the server parses this file, the attacker can gain access to sensitive files and data, and the system becomes vulnerable to an escalation of privileges.
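The usual server-side mitigation for this class of bug is to refuse DOCTYPE and entity declarations before untrusted XML ever reaches the parser. The following is an added example in Python's standard library, not code from Absoft's review or from SAP; the two sample documents are constructed and the file path in the second is a placeholder.

```python
import re
import xml.etree.ElementTree as ET

# Constructed samples (not taken from the SAP note). The second has the shape
# of an XXE request: a DOCTYPE declaring an external entity that a naive
# parser would try to resolve when it expands &ext;.
BENIGN_XML = '<?xml version="1.0"?><request><user>alice</user></request>'
XXE_XML = (
    '<?xml version="1.0"?>'
    '<!DOCTYPE request [<!ENTITY ext SYSTEM "file:///placeholder/secret">]>'
    '<request><user>&ext;</user></request>'
)

# A DOCTYPE is the only place an XML 1.0 document can declare entities, so
# rejecting it outright closes both external-entity access and entity
# expansion for an interface that never legitimately needs a DTD.
_DECLARATION_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)


def check_xml_request(document: str):
    """Screen an untrusted XML document before parsing it.

    Returns (accepted, reason, root); root is None when the input is rejected.
    """
    if _DECLARATION_RE.search(document):
        return False, "DOCTYPE/ENTITY declaration present", None
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return False, f"malformed XML: {exc}", None
    return True, "ok", root


if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_XML), ("xxe-shaped", XXE_XML)):
        accepted, reason, _ = check_xml_request(doc)
        print(f"{label}: accepted={accepted} ({reason})")
```

The rejected-request reason string is what you would log for detection; a spike of DOCTYPE-bearing submissions to an endpoint that never needs a DTD is worth an alert.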
[CVE-2024-25642] Improper Certificate Validation in SAP Cloud Connector (SAP Note 3424610)
Due to improper certificate validation in SAP Cloud Connector (SCC), an attacker can impersonate genuine servers when interacting with SCC and thereby break the mutual authentication.
[CVE-2024-22132] Code Injection vulnerability in SAP IDES Systems (SAP Note 3421659)
SAP IDES ECC systems contain code that permits the execution of arbitrary program code of a user’s choice.
About this Review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.