SAP Security Patch Day – August 2024 (2024)

This post shares information on Security Notes that remediate vulnerabilities discovered in SAP products. SAP strongly recommends that customers apply patches as a priority to protect their SAP landscape.

On 13th of August 2024, SAP Security Patch Day saw the release of 17 new Security Notes. Further, there were 8 updates to previously released Security Notes.

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3479478 | [CVE-2024-41730] Missing Authentication check in SAP BusinessObjects Business Intelligence Platform. Product - SAP BusinessObjects Business Intelligence Platform, Version – ENTERPRISE 430, 440 | Hot News | 9.8 |
| 3477196 | [CVE-2024-29415] Server-Side Request Forgery vulnerability in applications built with SAP Build Apps. Product - SAP Build Apps, Versions < 4.11.130 | Hot News | 9.1 |
| 3485284 | [CVE-2024-42374] XML injection in SAP BEx Web Java Runtime Export Web Service. Product - SAP BEx Web Java Runtime Export Web Service, Versions - BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, BIWEBAPP 7.5 | High | 8.2 |
| 3423268 | [CVE-2023-30533] Prototype Pollution in SAP S/4 HANA (Manage Supply Protection). Product - SAP S/4 HANA, Library Versions - SheetJS CE < 0.19.3 | High | 7.8 |
| 3460407 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34688] Denial of service (DOS) in SAP NetWeaver AS Java (Meta Model Repository). Product - SAP NetWeaver AS Java, Version – MMR_SERVER 7.5 | High | 7.5 |
| 3459935 | [CVE-2024-33003] Information Disclosure Vulnerability in SAP Commerce Cloud. Product - SAP Commerce Cloud, Versions – HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, COM_CLOUD 2211 | High | 7.4 |
| 3466801 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39593] Information Disclosure vulnerability in SAP Landscape Management. Product - SAP Landscape Management, Version - VCM 3.00 | Medium | 6.9 |
| 3495876 | [Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS). CVEs - CVE-2023-0215, CVE-2022-0778, CVE-2023-0286. Product - SAP Replication Server, Versions – 16.0.3, 16.0.4 | Medium | 6.5 |
| 3459379 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-34683] Unrestricted file upload in SAP Document Builder (HTTP service). Product - SAP Document Builder, Versions – S4CORE 100, 101, S4FND 102, 103, 104, 105, 106, 107, 108, SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3474590 | [CVE-2024-42376] Multiple Missing Authorization Check vulnerabilities in SAP Shared Service Framework. Additional CVE - CVE-2024-42377. Product - SAP Shared Service Framework, Versions – SAP_BS_FND 702, 731, 746, 747, 748 | Medium | 6.5 |
| 3438085 | [CVE-2024-33005] Missing Authorization check in SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server. Product - SAP NetWeaver Application Server (ABAP and Java), SAP Web Dispatcher and SAP Content Server, Versions – KRNL64NUC 7.22, 7.22EXT, KRNL64UC 7.22, 7.22EXT, 7.53, WEBDISP 7.53, 7.77, 7.85, 7.22_EXT, 7.89, 7.54, 7.93, KERNEL 7.22, 7.53, 7.77, 7.85, 7.89, 7.54, 7.93 | Medium | 6.3 |
| 3482217 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-39594] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse - Business Planning and Simulation. Product - SAP Business Warehouse - Business Planning and Simulation, Versions – SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, SAP_BW_VIRTUAL_COMP 701 | Medium | 6.1 |
| 3465455 | Update to Security Note released on June 2024 Patch Day: [CVE-2024-37176] Missing Authorization check in SAP BW/4HANA Transformation and DTP. Product - SAP BW/4HANA Transformation and Data Transfer Process, Versions – DW4CORE 200, 300, 400, 796, SAP_BW 740, 750, 751, 752, 753, 754, 755, 756, 757, 758 | Medium | 5.5 |
| 3483256 | [CVE-2024-41735] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Backoffice. Product - SAP Commerce Backoffice, Version – HY_COM 2205 | Medium | 5.4 |
| 3471450 | [CVE-2024-41733] Information Disclosure Vulnerability in SAP Commerce. Product - SAP Commerce, Versions – HY_COM 2205, COM_CLOUD 2211 | Medium | 5.3 |
| 3487537 | [CVE-2024-41737] Server-Side Request Forgery (SSRF) in SAP CRM ABAP (Insights Management). Product - SAP CRM ABAP (Insights Management), Versions – BBPCRM 700, 701, 702, 712, 713, 714 | Medium | 5.0 |
| 3458789 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-34689] Server-Side Request Forgery in SAP Business Workflow (WebFlow Services). Product - SAP Business Workflow (WebFlow Services), Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 5.0 |
| 3468102 | [CVE-2024-41732] Improper Access Control in SAP NetWeaver Application Server ABAP. Product - SAP NetWeaver Application Server ABAP, Versions – SAP_UI 754, 755, 756, 757, 758, SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 912 | Medium | 4.7 |
| 3150704 | Update to Security Note released on January 2023 Patch Day: [CVE-2023-0023] Information Disclosure in SAP Bank Account Management (Manage Banks). Product - SAP Bank Account Management (Manage Banks), Versions – 800, 900 | Medium | 4.5 |
| 3433545 | [CVE-2024-42375] Multiple Unrestricted File Upload vulnerabilities in SAP BusinessObjects Business Intelligence Platform. Additional CVE - CVE-2024-28166, CVE-2024-41731. Product - SAP BusinessObjects Business Intelligence Platform, Versions – ENTERPRISE 420, 430, 440 | Medium | 4.3 |
| 3475427 | [CVE-2024-41736] Information Disclosure vulnerability in SAP Permit to Work. Product - SAP Permit to Work, Versions – UIS4HOP1 800, 900 | Medium | 4.3 |
| 3477423 | [CVE-2024-39591] Missing Authorization check in SAP Document Builder. Product - SAP Document Builder, Versions – S4FND 102, S4FND 103, S4FND 104, S4FND 105, S4FND 106, S4FND 107, S4FND 108, SAP_BS_FND 702, SAP_BS_FND 731, SAP_BS_FND 746, SAP_BS_FND 747, SAP_BS_FND 748 | Medium | 4.3 |
| 3479293 | [CVE-2024-42373] Missing Authorization Check in SAP Student Life Cycle Management (SLcM). Product - SAP Student Life Cycle Management (SLcM), Versions – IS-PS-CA 617, 618, 802, 803, 804, 805, 806, 807, 808 | Medium | 4.3 |
| 3494349 | [CVE-2024-41734] Missing Authorization check in SAP NetWeaver Application Server ABAP and ABAP Platform. Product - SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758, SAP_BASIS 912 | Medium | 4.3 |
| 3454858 | Update to Security Note released on July 2024 Patch Day: [CVE-2024-37180] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product - SAP NetWeaver Application Server for ABAP and ABAP Platform, Versions – SAP_BASIS 700, SAP_BASIS 701, SAP_BASIS 702, SAP_BASIS 731, SAP_BASIS 740, SAP_BASIS 750, SAP_BASIS 751, SAP_BASIS 752, SAP_BASIS 753, SAP_BASIS 754, SAP_BASIS 755, SAP_BASIS 756, SAP_BASIS 757, SAP_BASIS 758 | Medium | 4.1 |

To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.

SAP is committed to delivering trustworthy products and cloud services. Secure configuration is essential to ensuring secure operation and data integrity. We have therefore documented security recommendations that are consolidated in this document to help you configure the best security for your SAP portfolio.

Archived blogs from previous years are available here.

If you have any comments or feedback about this post, you can write to secure@sap.com.


FAQs

How do I check my SAP security patches?

SAP Security Patch Day

Access SAP Security Notes in SAP for Me, then select All Security Notes, to get the complete list of all SAP Security Notes. We recommend that you implement these corrections as a priority.

What is SAP patch?

Patches include software updates the SAP security team releases to fix bugs, vulnerabilities, and threats. By installing released patches as soon as possible, you avoid malicious actors exploiting those vulnerabilities and threats.

What is SAP hot news?

HotNews are top priority SAP Notes highlighting severe issues which require immediate action on customer side. This information is helpful with decisions regarding upgrade or GOLIVE.

What are security notes in SAP?

Security Notes, which SAP releases every month, are one of the flanks to protect. We suggest applying them on a permanent basis to minimize vulnerabilities, as we saw in the article Security in SAP: What are the flanks to protect.

How do I check my security patch?

Discovering the patch level of your device depends on what Android version you're running. The easiest way is to open settings and search for “security.” Click on “Security updates” or similar. Then check the number next to the security level to see if you have the latest Android security update.

What is SAP patch day?

When is SAP Security Patch Day? Generally, this day happens only once a month and is always on the second Tuesday of the respective month. When will the patches be released? The SAP Response Team releases the latest fixes and security updates at 9:00 CET on SAP Patch Day.

How do I check SAP patches?

Checking the SAP Patch Level
  1. Start your SAPGUI logon window which is normally accessible through Start > Programs > SAP Front End > SAPLogon > About SAP Logon. The SAP Version Information dialog box appears.
  2. Check that your Patch Level is at least 66.

What are the three types of patching?

There are many different kinds of patches created for solving various system issues or just for improving general functionality and software efficiency. The three most common types of patches are security patches, bug fixes, and feature updates.

How do I download SAP patches?

How to download Patches?
  1. Support Portal.
  2. Software download.
  3. Sap Software download center.
  4. Support packages and Patches (or Archive for Support packages and Patches)
  5. Search for Support Packages and Patches (or Search for Support Packages and Patches in the Archive)

Is SAP coming to an end?

SAP ECC support is coming to an end. Support for customers on EHP5 and earlier is set to expire on December 31, 2025, with support for EHP6 and later customers concluding in 2027.

Is SAP outdated now?

Yes SAP is outdated. It counts so many things as separate modules; they are essentially one single thing. If you say that General Ledger, AP, AR, inventory are separate modules then you are talking about an outdated technology. All these are one single module and need no manual integration (for a modern system).

What is SAP called now?

Today the company's legal corporate name is SAP SE — SE stands for societas Europaea, a public company registered in accordance with the European Union corporate law.

What are the different types of patches in SAP?

Generally, service packs include kernel patches and SAP Notes (also known as Support Packages) for a specific SAP product. Installing service packs is a convenient way to ensure that your SAP system is up to date, as they include all the necessary updates in a single package.

What are SAP security controls?

SAP Governance, Risk, and Compliance (SAP GRC) is a suite of solutions focused on managing multiple aspects of a business. Security components include process and access control for authorizations, audit management tools, and business integrity screening to detect fraud and screen potential business partners.

Which module is SAP security?

SAP security encompasses three core areas of cyber security: access control, data security and application security. To be secure, an SAP landscape is subject to strict access controls, and the system data should be protected as well as possible.

How do I access security settings in SAP?

Procedure
  1. Choose Setup Settings.
  2. Choose Expert Mode.
  3. On the Engine tab, choose Edit.
  4. Specify your general security settings. Field. Default Value. Possible Values. Description. Default User Name for Host Agents. sapadm. Valid SAP Host Agent user name. Default SAP Host Agent user name. ...
  5. Save your entries.

How do I check my SAP upgrade status?

Checking the Update Status
  1. Start the update manager. Choose Tools Administration Monitoring Update , or enter transaction SM13.
  2. Check that the update system is running (message Update is active). ...
  3. In update management search for update records with the status Error (on a red background) and for incomplete updates.

How do I check for software patches?

Go to Settings > Update & Security > Windows Update and check for updates. Using the software vendor's website: You can check for software updates on the software vendor's website. Many vendors provide downloads and information about updates on their websites.


Author: Mr. See Jast
