SAP Security Patch Day – July 2024

This post shares information on Security Notes that remediates vulnerabilities discovered in SAP products. SAP strongly recommends that the customer applies patches on priority to protect their SAP landscape.

On 9th of July 2024, SAP Security Patch Day saw the release of 16 new Security Notes. Further, there were 2 updates to previously released Security Notes.

Note#

Title

Priority

CVSS

3483344

[CVE-2024-39592] Missing Authorization check in PDCE
Product - SAP PDCE, Version – S4CORE 102, 103, S4COREOP 104, 105, 106, 107, 108

High

7.7

3490515

[CVE-2024-39597] Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce
Product - SAP Commerce, Version – HY_COM 2205, COM_CLOUD 2211

High

7.2

3466801

[CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management

Product- SAP Landscape Management, Version - VCM 3.00

Medium

6.9

3459379

Update to Security Note released on June 2024 Patch Day:

[CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service)

Product- SAP Document Builder, Versions - S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748

Medium

6.5

3468681

[CVE-2024-34685] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor

Product- SAP NetWeaver Knowledge Management XMLEditor, Version – KMC-WPC 7.50

Medium 

6.1

3467377

[Multiple CVEs] Multiple vulnerabilities in SAP CRM (WebClient UI)

CVEs - CVE-2024-37173, CVE-2024-37174, CVE-2024-39598,

CVE-2024-37175

Product- SAP CRM WebClient UI, Versions – S4FND 102, 103, 104, 105, 106, 107, 108, WEBCUIF 701, 731, 746, 747, 748, 800, 801

Medium 

6.1

3482217

[CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation

Additional CVE - CVE-2024-39595

Product- SAP Business Warehouse - Business Planning and Simulation, Versions - SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701

Medium 

6.1

3457354

[CVE-2024-37172] Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management)
Product - SAP S/4HANA Finance (Advanced Payment Management), Versions – S4CORE 107, 108

Medium

5.4

3458789  

[CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3483993  

[CVE-2024-34689] Prerequisite for Security Note 3458789
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3485805  

[CVE-2024-34689] Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services)
Product- SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium 

5.0  

3461110

[CVE-2024-39600] Information Disclosure vulnerability in SAP GUI for Windows
Product – SAP GUI for Windows, Version – BC-FES-GUI 8

Medium

5.0

3469958

[CVE-2024-37171] Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal)
Product – SAP Transportation Management (Collaboration Portal), Versions – SAPTMUI 140, 150, 160, 170

Medium

5.0

3456952

[CVE-2024-39599] Protection Mechanism Failure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Version – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 795, SAP_BASIS 796

Medium

4.7

3476348

[CVE-2024-39596] Missing Authorization check vulnerability in SAP Enable Now
Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704

Medium

4.3

3454858

[CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product – SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758

Medium

4.1

3101986

Update to Security Note released on April 2022 Patch Day:

Enable CSP support for OP1909 in SAP CRM WebClient UI
Product – SAP CRM WebClient UI, Versions – S4FND 104

Medium

4.1

3476340

[CVE-2024-34692] Unrestricted File upload vulnerability in SAP Enable Now
Product – SAP Enable Now, Versions – WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704

Low

3.3

To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.

 

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.

 

Archived blogs from previous years are available here.

 

If you have any comments or feedback about this post, you can write to secure@sap.com.