Overview
SAP’s security patch day for July 2024 has seen the release of 16 OSS SAP security notes. Two notes have been classified as high, 13 as medium, and one as low based on the latest CVSS v3.0 Rating.

Three notes have been released for:
- SAP Business Workflow
- SAP NetWeaver AS ABAP

Two notes have been released for:
- SAP S/4HANA
- SAP Enable Now

Single notes have been released for:
- SAP Commerce
- SAP Business Warehouse
- SAP Transportation Management
- SAP NetWeaver Knowledge Management
- SAP Landscape Management
- SAP GUI

Vulnerabilities: July 2024 Highlights
[CVE-2024-39597] Improper Authorisation Checks on Early Login Composable Storefront B2B sites of SAP Commerce (SAP Note 3490515)
A user can misuse the forgotten password functionality in SAP Commerce to gain access to a Composable Storefront B2B site. This activates early login and registration without requiring the merchant to approve the account beforehand.

[CVE-2024-39592] Missing Authorisation check in SAP PDCE (SAP Note 3483344)
Elements of PDCE do not perform necessary authorisation checks for an authenticated user, resulting in escalation of privileges.

[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services) (SAP Note 3458789)
WebFlow Services of SAP Business Workflow allows an authenticated attacker to enumerate accessible HTTP endpoints in the internal network by specially crafting HTTP requests.

About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.