SAP’s June 2024 Patch Day addresses several key vulnerabilities, including a high-priority denial of service issue in NetWeaver AS Java and privilege escalation flaws in S/4HANA and BW/4HANA. Organizations should prioritize applying these patches to mitigate risks of system downtime, data exposure, and unauthorized access.
This summary covers the most significant security notes released on June 11, 2024. Key vulnerabilities include a denial of service (DoS) flaw in the NetWeaver AS Java Meta Model Repository, cross-site scripting (XSS) in Financial Consolidation, and access control issues in S/4HANA and BW/4HANA. Applying these updates is critical for maintaining the security and integrity of your SAP landscape.
Key Takeaways
- High-Priority DoS Vulnerability: Note 3460407 patches a critical denial of service vulnerability in NetWeaver AS Java with no available workaround.
- Privilege Escalation Risks: Notes 3466175 and 3465455 fix access control issues in S/4HANA and BW/4HANA that could lead to escalation of privileges.
- XSS Flaws in Financial Consolidation: Note 3457592 resolves both reflected and stored cross-site scripting vulnerabilities.
- Information Disclosure in AS Java: Note 3425571 fixes a vulnerability that could leak server information, and a workaround is available.
- Immediate Action Recommended: Due to the severity of these issues, especially the high-priority DoS flaw, applying patches should be a priority.
What are the most critical vulnerabilities from June 2024?
The June 2024 SAP Security Notes include several high-impact patches that address denial of service, privilege escalation, and cross-site scripting vulnerabilities.
High-Priority Denial of Service in NetWeaver AS Java (Note 3460407)
A high-priority vulnerability addressed by note 3460407 affects the Meta Model Repository of SAP NetWeaver Application Server Java (AS Java), version 7.50. This flaw allows an unauthenticated attacker to exhaust system resources, leading to a denial of service. SAP has assigned this a high priority, and there are no workarounds available, making the patch essential.
Cross-Site Scripting in SAP Financial Consolidation (Note 3457592)
Note 3457592 tackles both reflected and stored cross-site scripting (XSS) vulnerabilities in SAP Financial Consolidation, identified as CVE-2024-37177 and CVE-2024-37178. These flaws could allow an attacker to modify website content, impacting the application’s confidentiality and integrity. The patch prevents exploitation by encoding URL parameters.
Escalation of Privileges in SAP S/4HANA (Note 3466175)
An access control issue in SAP S/4HANA is patched by note 3466175. The vulnerability, found in the management of incoming payment files, could allow an authenticated attacker to escalate privileges. It impacts S4CORE versions 102 through 108.
Missing Authorization in SAP BW/4HANA (Note 3465455)
A similar privilege escalation vulnerability is fixed in SAP BW/4HANA by note 3465455. The patch restricts the execution of functions within SAP BW/4HANA Transformation and DTP. After the update, only functions explicitly defined in an allowlist can be run, preventing misuse.
Information Disclosure in NetWeaver AS Java (Note 3425571)
Note 3425571 corrects an information disclosure vulnerability in the Guided Procedures component of NetWeaver AS Java. This flaw could lead to the leakage of server information. For organizations unable to apply the patch immediately, the note provides a workaround to disable the affected application.
Vulnerability Details: June 2024
| SAP Note | CVE ID(s) | Summary | Affected Component(s) | CVSS Score |
|---|---|---|---|---|
| 3460407 | CVE-2024-34688 | Denial of service (DoS) in Meta Model Repository. | NetWeaver AS Java (MMR_SERVER 7.50) | 7.5 |
| 3457592 | CVE-2024-37177, CVE-2024-37178 | Reflected and Stored Cross-Site Scripting (XSS). | SAP Financial Consolidation (FINANCE 1010) | 8.1 |
| 3466175 | CVE-2024-34691 | Access control issue leading to privilege escalation. | SAP S/4HANA (S4CORE 102-108) | 6.5 |
| 3465455 | CVE-2024-37176 | Missing authorization check in Transformation and DTP. | SAP BW/4HANA | 5.5 |
| 3425571 | CVE-2024-28164 | Information disclosure vulnerability. | NetWeaver AS Java (Guided Procedures) | 5.3 |
Frequently Asked Questions (FAQ)
What was the highest priority SAP note for June 2024?
The highest priority note was 3457592, with a CVSS score of 8.1, addressing XSS vulnerabilities in SAP Financial Consolidation. This was closely followed by note 3460407, a high-priority denial of service flaw with a CVSS score of 7.5.
Are there any workarounds for the June 2024 vulnerabilities?
A workaround is available for the information disclosure vulnerability (Note 3425571), which involves disabling the ‘caf~eu~gp~model~eap’ application. However, there are no workarounds for the high-priority denial of service vulnerability in NetWeaver AS Java (Note 3460407).
How many new security notes were released in June 2024?
SAP released 10 new security notes on Patch Tuesday, June 11, 2024, along with updates to previously released notes.