
SAP Security Notes Review: April 2024

09 April 2024


Overview

SAP’s security patch day for April 2024 saw the release of 12 OSS SAP security notes. Three notes have been classified as high and nine as medium, based on their CVSS v3.0 rating.

Security Notes by CVSS v3 Base Score for Apr 2024

Five notes have been released for:

  • SAP S/4HANA

Two notes have been released for:

  • SAP NetWeaver AS ABAP
  • SAP NetWeaver AS JAVA

Single notes have been released for:

  • SAP Integration Suite
  • SAP Business Connector
  • SAP BusinessObjects

Security Notes by Product Category for Apr 2024

Vulnerabilities: April 2024 Highlights

[CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting (SAP Note 3438234)

SAP Asset Accounting could allow a highly privileged attacker to exploit insufficient validation of path information provided by users, which is passed through to the file APIs.

[CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine (SAP Note 3434839)

‘Self-Registration’ and ‘Modify your own profile’ in the User Admin Application of NetWeaver AS Java do not enforce proper security requirements for the content of the newly defined security answer.

[CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence (SAP Note 3421384)

Due to improper validation, SAP BusinessObjects Business Intelligence Launch Pad allows an authenticated attacker to access operating system information using crafted documents.

About this Review

On the second Tuesday of each month, SAP release security updates to their software products. At Applexus, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
