SAP Security Patch Day – March 2024

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply patches on priority to protect their SAP landscape.

On 12th of March 2024, SAP Security Patch Day saw the release of 10 new Security Notes. Further, there were 2 updates to previously released Security Notes.

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product - SAP Business Client, Versions - 6.5, 7.0, 7.70 | Hot News | 10.0 |
| 3425274 | [CVE-2019-10744] Code Injection vulnerability in applications built with SAP Build Apps; Product - SAP Build Apps, Versions < 4.9.145 | Hot News | 9.4 |
| 3433192 | [CVE-2024-22127] Code Injection vulnerability in SAP NetWeaver AS Java (Administrator Log Viewer plug-in); Product - SAP NetWeaver AS Java (Administrator Log Viewer plug-in), Version - 7.50 | Hot News | 9.1 |
| 3346500 | Update to Security Note released on August 2023 Patch Day: [CVE-2023-39439] Improper authentication in SAP Commerce Cloud; Product - SAP Commerce, Versions - HY_COM 2105, HY_COM 2205, COM_CLOUD 2211 | High | 8.8 |
| 3410615 | [CVE-2023-44487] Denial of service (DOS) in SAP HANA XS Classic and HANA XS Advanced; Product - SAP HANA Database, Version - 2.0; Product - SAP HANA Extended Application Services Advanced (XS Advanced), Version - 1.0 | High | 7.5 |
| 3414195 | [CVE-2023-50164] Path Traversal Vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console); Product - SAP BusinessObjects Business Intelligence Platform (Central Management Console), Versions - 4.3 | High | 7.2 |
| 3377979 | [CVE-2024-27902] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP, applications based on SAPGUI for HTML (WebGUI); Product - SAP NetWeaver AS ABAP applications based on SAPGUI for HTML (WebGUI), Versions - 7.89, 7.93 | Medium | 5.4 |
| 3425682 | [CVE-2024-25644] Information Disclosure vulnerability in SAP NetWeaver (WSRM); Product - NetWeaver (WSRM), Versions - 7.50 | Medium | 5.3 |
| 3428847 | [CVE-2024-25645] Information Disclosure vulnerability in SAP NetWeaver (Enterprise Portal); Product - SAP NetWeaver (Enterprise Portal), Version - 7.50 | Medium | 5.3 |
| 3434192 | [CVE-2024-28163] Information Disclosure vulnerability in SAP NetWeaver Process Integration (Support Web Pages); Product - SAP NetWeaver Process Integration (Support Web Pages), Versions - 7.50 | Medium | 5.3 |
| 3417399 | [CVE-2024-22133] Improper Access Control in SAP Fiori Front End Server; Product - SAP Fiori Front End Server, Version - 605 | Medium | 4.6 |
| 3419022 | [CVE-2024-27900] Missing Authorization check in SAP ABAP Platform; Product - SAP ABAP Platform, Versions - 758, 795 | Medium | 4.3 |

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensure secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.