Overview
SAP’s security patch day for June 2024 has seen the release of 11 OSS SAP security notes. Two have been classified as high, seven as medium, and two as low, based on their CVSS v3.0 ratings.

Two notes have been released for:
- SAP S/4HANA
- SAP NetWeaver AS ABAP
- SAP BusinessObjects
- SAP NetWeaver AS JAVA

Single notes have been released for:
- SAP BW/4HANA
- SAP CRM
- SAP Document Builder
- SAP Financial Consolidation
- SAP Student Life Cycle Management
- SAP NetWeaver AS ABAP
- SAP BusinessObjects

Vulnerabilities: June 2024 Highlights
[CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository) (SAP Note 3460407)
Due to unrestricted access to the Meta Model Repository services in SAP NetWeaver AS Java, attackers can perform DoS attacks on the application, which may prevent legitimate users from accessing it.
[CVE-2024-37177] Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation (SAP Note 3457592)
This security note addresses two vulnerabilities in SAP Financial Consolidation. The application allows data to enter a web application through an untrusted source and does not sufficiently encode user-controlled inputs, resulting in a Cross-Site Scripting (XSS) vulnerability.

About this Review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.