-
Request for existing cases, user IDs, Portal navigation support and more
SAP Security Patch Day – April 2024
This post shares information on Security Notes that remediates vulnerabilities discovered in SAP products. SAP strongly recommends that the customer applies patches on priority to protect their SAP landscape.
On 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.
Note# | Title | Severity | CVSS |
---|---|---|---|
3434839 | [CVE-2024-27899] Security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine Product - SAP NetWeaver AS Java User Management Engine, Versions - SERVERCORE 7.50, J2EE-APPS 7.50, UMEADMIN 7.50 | High | 8.8 |
3421384 | [CVE-2024-25646] Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence Product - SAP BusinessObjects Web Intelligence, Versions - 4.2, 4.3 | High | 7.7 |
3438234 | [CVE-2024-27901] Directory Traversal vulnerability in SAP Asset Accounting Product- SAP Asset Accounting, Versions - SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_APPL 600, SAP_FIN617, SAP_FIN 618, SAP_FIN700 | High | 7.2 |
3442741 | Stack overflow vulnerability on the component images of SAP Integration Suite (EDGE INTEGRATION CELL) Product - SAP Edge Integration Cell, Versions older than 8.13.5 | Medium | 6.8 |
3359778 | [CVE-2024-30218] Denial of service (DOS) vulnerability in SAP NetWeaver AS ABAP and ABAP Platform Product - SAP NetWeaver AS ABAP and ABAP Platform, Versions - KRNL64NUC 7.22, KRNL64NUC 7.22EXT, KRNL64UC 7.22, KRNL64UC 7.22EXT, KRNL64UC 7.53, KERNEL 7.22, KERNEL 7.53, KERNEL 7.77, KERNEL 7.85, KERNEL 7.89, KERNEL 7.54, KERNEL 7.93 | Medium | 6.5 |
3442378 | [CVE-2024-28167] Missing Authorization check in SAP Group Reporting Data Collection (Enter Package Data) Product - SAP Group Reporting Data Collection (Enter Package Data), Versions - S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108, SAP_GRDC_CLOUD 1.0.0 | Medium | 6.5 |
3164677 | Update to Security Note released on May 2022 Patch Day: [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request) | Medium | 6.5 |
3156972 | Update to Security Note released on August 2023 Patch Day: [CVE-2023-40306] URL Redirection vulnerability in SAP S/4HANA (Manage Catalog Items and Cross-Catalog search) | Medium | 6.1 |
3425188 | [CVE-2024-27898] Server-Side Request Forgery in SAP NetWeaver (tc~esi~esp~grmg~wshealthcheck~ear) Product - SAP NetWeaver, Version - 7.50 | Medium | 5.3 |
3421453 | [Multiple CVEs] Cross-Site Scripting (XSS) vulnerabilities in SAP Business Connector CVEs - CVE-2024-30214, CVE-2024-30215 | Medium | 4.8 |
3427178 | [CVE-2024-30216] Missing Authorization check in SAP S/4 HANA (Cash Management) Product – SAP S/4 HANA (Cash Management), Versions – S4CORE 103, S4CORE 104, S4CORE 105, S4CORE 106, S4CORE 107, S4CORE 108 | Medium | 4.3 |
3430173 | [CVE-2024-30217] Missing Authorization check in SAP S/4 HANA (Cash Management) Product - SAP S/4 HANA (Cash Management), Versions – S4CORE 106, S4CORE 107, S4CORE 108 | Medium | 4.3 |
To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
Archived blogs from previous years are available here.
If you have any comments or feedback about this post, you can write to secure@sap.com.
SAP is committed to deliver trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.