SAP’s May 2024 security update addresses several critical and high-risk vulnerabilities, led by a “Hot news” note for a file upload flaw in SAP NetWeaver. Other significant patches include fixes for remote code execution in SAP CX Commerce and multiple cross-site scripting (XSS) vulnerabilities in BusinessObjects and NetWeaver ABAP.
The May 2024 SAP Security Notes include critical patches that require immediate attention. The most severe is a file upload vulnerability in SAP NetWeaver Application Server ABAP (Note 3448171); the fix changes the default configuration so that file uploads must be signed. Additionally, SAP CX Commerce was patched for remote code execution and CSS injection vulnerabilities (Note 3455438), while the SAP BusinessObjects platform received a fix for a high-risk stored XSS vulnerability (Note 3431794). Further notes addressed stored XSS in NetWeaver AS ABAP and an information disclosure flaw in SAP Process Integration. System administrators should prioritize reviewing and applying these patches to mitigate the risks of code injection, session hijacking, and data exposure.
Key Takeaways for May 2024
- A critical file upload vulnerability in SAP NetWeaver AS ABAP was patched.
- SAP CX Commerce received fixes for remote code execution (RCE) and CSS injection.
- A high-risk stored Cross-Site Scripting (XSS) flaw was addressed in SAP BusinessObjects.
- Multiple stored XSS vulnerabilities in NetWeaver AS ABAP were fixed.
- An information disclosure vulnerability in SAP Process Integration (PI) was patched.
What are the most important SAP Security Notes from May 2024?
The security notes released in May 2024 address several significant vulnerabilities across the SAP landscape. The most critical issues involve potential remote code execution, session hijacking, and information disclosure. The following table summarizes the key patches.
| Note Number | Vulnerability | Affected Product(s) | Risk Level |
|---|---|---|---|
| 3448171 | File Upload Vulnerability | NetWeaver AS ABAP, ABAP Platform | Critical |
| 3455438 | CSS Injection (CVE-2019-17495), RCE (CVE-2022-36364) | SAP CX Commerce | High |
| 3431794 | Stored Cross-Site Scripting (XSS) | SAP BusinessObjects BI Platform | High |
| 3450286, 3448445 | Stored Cross-Site Scripting (XSS) | SAP NetWeaver AS ABAP | High |
| 2174651 | Information Disclosure | SAP Process Integration (PI) | High |
What is the critical file upload vulnerability in SAP NetWeaver?
SAP Note 3448171 is a “Hot news” item that patches a critical file upload vulnerability in SAP NetWeaver Application Server ABAP and the ABAP Platform. The correction changes the default system configuration to prevent file uploads that lack signatures in the Content Repository (FILESYSTEM and SOMU_DB). For systems where the patch cannot be immediately applied, the note provides a manual workaround using transaction OAC0 to secure the configuration.
What vulnerabilities were patched in SAP CX Commerce?
SAP Note 3455438 addresses two significant vulnerabilities in SAP CX Commerce. The first is a CSS injection flaw (CVE-2019-17495) in the Swagger UI, which could allow attackers to perform Relative Path Overwrite (RPO) attacks. The second is a Remote Code Execution (RCE) vulnerability (CVE-2022-36364) in Apache Calcite Avatica 1.18.0. The patch resolves these issues by removing the vulnerable Swagger UI extensions and updating the Avatica library to a secure version.
What was the high-risk vulnerability in SAP BusinessObjects?
SAP Note 3431794 fixes a high-risk stored Cross-Site Scripting (XSS) vulnerability in the SAP BusinessObjects Business Intelligence (BOBJ) Platform. The flaw allowed an attacker to manipulate a parameter in the OpenDocument URL to inject malicious scripts. The correction addresses this by properly sanitizing user input.
Were there other significant vulnerabilities?
- Stored XSS in NetWeaver AS ABAP: Notes 3450286 and 3448445 fix stored XSS vulnerabilities resulting from insufficient encoding of URL parameters, which could lead to code injection and session hijacking.
- Information Disclosure in SAP PI: Note 2174651 patches a vulnerability in the Integration Directory of SAP Process Integration (PI) that could allow attackers to discover sensitive data, including usernames and passwords.
Frequently Asked Questions (FAQ)
What was the most critical SAP vulnerability patched in May 2024?
The most critical vulnerability was a file upload issue in SAP NetWeaver AS ABAP and ABAP Platform, addressed by "Hot news" note 3448171. This patch changes the default configuration to require signatures for file uploads, preventing execution of malicious files.
Were there any patches for SAP CX Commerce in May 2024?
Yes, note 3455438 was released for SAP CX Commerce. It fixed a CSS injection vulnerability (CVE-2019-17495) and a remote code execution vulnerability (CVE-2022-36364) by removing vulnerable Swagger UI extensions and updating the Apache Calcite Avatica library.
What does SAP Note 3431794 address?
SAP Note 3431794 addresses a high-risk stored cross-site scripting (XSS) vulnerability in the SAP BusinessObjects Business Intelligence (BOBJ) Platform. The patch sanitizes user input in the OpenDocument URL to prevent attackers from injecting malicious scripts.