SAP Security Notes January 2024: Critical Vulnerabilities and Patches

The SAP Security Notes for January 2024 addressed several critical vulnerabilities, including two “Hot News” privilege escalation flaws in SAP Business Application Studio and Edge Integration Cell. A high-priority Denial of Service vulnerability in SAP NetWeaver’s ICM and a code injection flaw in the Application Interface Framework were also patched.

This summary covers the key vulnerabilities and their required fixes as detailed in the January 2024 SAP Patch Day. The most significant threats involved two “Hot News” notes for privilege escalation, a high-priority Denial of Service (DoS) vulnerability, and other flaws requiring code patches or manual corrections. Note 3412456 addresses a critical privilege escalation issue (CVE-2023-49583) in applications built with SAP Business Application Studio and SAP Web IDE, which requires updating Node.js library dependencies. Another critical note, 3413475, patches a separate privilege escalation flaw in SAP Edge Integration Cell, which must be mitigated by upgrading the component to version 8.9.13 as no workaround is available. Additionally, a high-priority DoS vulnerability in the SAP NetWeaver ICM was addressed in note 3389917, with a workaround to disable HTTP/2. Other patches corrected a code injection vulnerability in the SAP Application Interface Framework and a missing authorization check in the SAP LT Replication Server.

Key Takeaways

  • Critical Privilege Escalation: Two “Hot News” notes (3412456, 3413475) were released to address critical privilege escalation vulnerabilities in SAP development and integration platforms.
  • High-Priority DoS Flaw: A Denial of Service vulnerability (note 3389917) was patched in the Internet Communication Manager (ICM) for SAP NetWeaver and SAP Web Dispatcher.
  • Varied Mitigation Steps: Fixes range from upgrading component versions and libraries to disabling specific protocols and applying manual authorization corrections.
  • Broad Impact: The vulnerabilities affected a range of products, including SAP Business Application Studio, SAP Edge Integration Cell, SAP NetWeaver, and SAP S/4HANA.
  • No Workaround for Some: The privilege escalation in SAP Edge Integration Cell (note 3413475) requires an immediate upgrade as no temporary workaround exists.

January 2024 SAP Security Notes Summary

The table below summarizes the key vulnerabilities, affected components, and required mitigation actions from the January 2024 security notes.

SAP Note | Vulnerability Type    | Affected Component(s)                                    | Mitigation
---------|-----------------------|----------------------------------------------------------|-----------------------------------------------------
3412456  | Privilege Escalation  | SAP Business Application Studio, SAP Web IDE             | Upgrade @sap/xssec and @sap/approuter libraries.
3413475  | Privilege Escalation  | SAP Edge Integration Cell                                | Upgrade to version 8.9.13; no workaround available.
3389917  | Denial of Service     | SAP NetWeaver AS ABAP (ICM), SAP Web Dispatcher          | Disable HTTP/2 protocol support or apply patch.
341186   | Code Injection        | SAP Application Interface Framework (File Adapter)       | Apply patch to fix the vulnerable function module.
3407617  | Missing Authorization | SAP LT Replication Server on S/4HANA                     | Apply manual steps to restrict user permissions.

What were the critical “Hot News” vulnerabilities in January 2024?

January 2024 included two “Hot News” notes for critical privilege escalation vulnerabilities.

The first, note 3412456, addresses CVE-2023-49583, which impacts applications developed using SAP Business Application Studio, SAP Web IDE Full-Stack, and SAP Web IDE for SAP HANA. Node.js applications are vulnerable if they use @sap/xssec library versions before 3.6.0 or @sap/approuter versions before 14.4.2. The solution is to upgrade these application dependencies to the latest versions.

The second, note 3413475, deals with a privilege escalation vulnerability in the SAP Edge Integration Cell, which is part of the SAP Integration Suite. To mitigate this flaw, the Edge Integration Cell must be upgraded to version 8.9.13. It is critical to apply this update promptly, as no workaround is available.

What was the high-priority Denial of Service (DoS) vulnerability?

Note 3389917 details a high-priority Denial of Service (DoS) vulnerability affecting the Internet Communication Manager (ICM) of SAP NetWeaver Application Server ABAP and the SAP Web Dispatcher. Attackers could trigger this vulnerability by sending a high volume of HTTP/2 requests, potentially causing a system outage. As a temporary mitigation, the HTTP/2 protocol can be disabled by setting the parameter icm/HTTP/support_http2 to FALSE. The SAP NetWeaver Application Server Java is not affected as it does not support HTTP/2.

What other notable vulnerabilities were patched?

In addition to the critical notes, SAP released patches for code injection and authorization flaws.

  • Note 341186 corrects a code injection vulnerability within the File Adapter of the SAP Application Interface Framework. This flaw allowed privileged users to execute operating system commands through a vulnerable function module.
  • Note 3407617 provides manual correction steps for a missing authorization check in the SAP LT Replication Server on SAP S/4HANA versions 1809 to 2023. The fix involves restricting the permissions assigned to the user for background jobs.

Frequently Asked Questions (FAQ)

What was the most critical SAP vulnerability in January 2024?
The most critical vulnerabilities were the two “Hot News” privilege escalation flaws. Note 3412456 (CVE-2023-49583) affected SAP development platforms, while note 3413475 impacted SAP Edge Integration Cell, both with a CVSS score of 9.1.

Is SAP NetWeaver Application Server Java affected by the HTTP/2 DoS vulnerability?
No, the SAP NetWeaver Application Server Java is not impacted by the Denial of Service vulnerability described in note 3389917 because it does not support the HTTP/2 protocol.

Are there workarounds for all the January 2024 vulnerabilities?
No. The privilege escalation vulnerability in SAP Edge Integration Cell (note 3413475) has no available workaround, and a direct upgrade to version 8.9.13 is required. However, the DoS vulnerability in the ICM (note 3389917) has a workaround to disable HTTP/2.
