<h1>SAP Security Patch Day July 2024 | A decisive step toward protecting critical business data</h1>

<p>Published 9 July 2024 by BALTX on techltx.com (category: SAP Security Patch Day).</p>

<p>Dear readers,</p>

<p>Although the summer holidays are reaching their peak in most countries, the wheels are not standing still at Europe's largest software company by market capitalization. SAP has just published new security notes to close critical vulnerabilities. This underlines once more why IT security management has to be consistent and integrated: SAP products typically run the sensitive parts of a business, such as accounting, controlling, materials management and human resources, which is exactly what makes them business-critical software. Against this background it is all the more important for SAP security consultants and Basis administrators to have a working strategy for rolling out the latest patches and workarounds. On 9 July 2024 the SAP Security Patch Day brought 16 new security notes and updates to two existing ones.</p>

<h2>SAP Note 3483344: Missing Authorization check in PDCE</h2>

<p>Particular attention goes to Security Note 3483344, which addresses a missing authorization check in SAP PDCE. The flaw lets an attacker read privileged information, which severely compromises the confidentiality of the application. SAP responded by disabling the affected functions to prevent unauthorized access and strongly recommends implementing the corresponding support package. Because the fix works by disabling functionality rather than adding a check, verify before the import whether any custom code or interface still depends on the functions concerned.</p>

<h2>SAP Note 3490515: Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce</h2>

<p>Another high-priority issue, documented as Note 3490515, concerns improper authorization checks on early-login B2B sites of the SAP Commerce Composable Storefront. The "forgot password" function could be abused to obtain access to a site without the merchant ever having approved the account. This primarily affects non-isolated sites, which potentially extends the exposure across several early-login sites. The patches that have been provided prevent password reset emails from being sent to users who have not been approved. Note that the patch closes the door for the future only: an account that already completed a reset this way before the patch keeps its access until you review and revoke it.</p>

<h2>SAP Note 3466801: Information Disclosure vulnerability in SAP Landscape Management</h2>

<p>A third update, Security Note 3466801, fixes an information disclosure vulnerability in SAP Landscape Management. It allowed authenticated users to view confidential data through the REST provider definition response. The latest version of the note contains updated support packages and patches with better logging of REST provider definitions, plus a manual correction instruction. Since any authenticated user could read the response, treat whatever the provider definitions contained as exposed and rotate it once the patch is in.</p>

<p>These updates show how actively SAP works at identifying and closing security gaps. Applying security patches regularly is decisive for protecting the SAP landscape and should be a top priority for every SAP customer. We recommend implementing these corrections promptly to safeguard the integrity and confidentiality of your business data.</p>

<p>Here are the SAP Notes of this Patch Day, sorted by CVSS score:</p>

<ul>
<li>SAP Note 3483344 | High 7.7 | CVE-2024-39592 | Missing Authorization check in PDCE. Product: SAP PDCE. Versions: S4CORE 102, 103; S4COREOP 104, 105, 106, 107, 108.</li>
<li>SAP Note 3490515 | High 7.2 | CVE-2024-39597 | Improper Authorization Checks on Early Login Composable Storefront B2B sites of SAP Commerce. Product: SAP Commerce. Versions: HY_COM 2205, COM_CLOUD 2211.</li>
<li>SAP Note 3466801 | Medium 6.9 | CVE-2024-39593 | Information Disclosure vulnerability in SAP Landscape Management. Product: SAP Landscape Management. Version: VCM 3.00.</li>
<li>SAP Note 3459379 | Medium 6.5 | Update to Security Note released on June 2024 Patch Day: CVE-2024-34683 | Unrestricted file upload in SAP Document Builder (HTTP service). Product: SAP Document Builder. Versions: S4CORE 100, 101; S4FND 102, 103, 104, 105, 106, 107, 108; SAP_BS_FND 702, 731, 746, 747, 748.</li>
<li>SAP Note 3468681 | Medium 6.1 | CVE-2024-34685 | Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Knowledge Management XMLEditor. Product: SAP NetWeaver Knowledge Management XMLEditor. Version: KMC-WPC 7.50.</li>
<li>SAP Note 3467377 | Medium 6.1 | Multiple CVEs (CVE-2024-37173, CVE-2024-37174, CVE-2024-39598, CVE-2024-37175) | Multiple vulnerabilities in SAP CRM (WebClient UI). Product: SAP CRM WebClient UI. Versions: S4FND 102, 103, 104, 105, 106, 107, 108; WEBCUIF 701, 731, 746, 747, 748, 800, 801.</li>
<li>SAP Note 3482217 | Medium 6.1 | CVE-2024-39594 (additional CVE: CVE-2024-39595) | Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Business Warehouse – Business Planning and Simulation. Product: SAP Business Warehouse – Business Planning and Simulation. Versions: SAP_BW 700, 701, 702, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758; SAP_BW_VIRTUAL_COMP 701.</li>
<li>SAP Note 3457354 | Medium 5.4 | CVE-2024-37172 | Missing Authorization check in SAP S/4HANA Finance (Advanced Payment Management). Product: SAP S/4HANA Finance (Advanced Payment Management). Versions: S4CORE 107, 108.</li>
<li>SAP Note 3458789 | Medium 5.0 | CVE-2024-34689 | Server-Side Request Forgery in SAP Business Workflow (WebFlow Services). Product: SAP Business Workflow (WebFlow Services). Versions: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758.</li>
<li>SAP Note 3483993 | Medium 5.0 | CVE-2024-34689 | Prerequisite for Security Note 3458789. Product: SAP Business Workflow (WebFlow Services). Versions: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758.</li>
<li>SAP Note 3485805 | Medium 5.0 | CVE-2024-34689 | Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services). Product: SAP Business Workflow (WebFlow Services). Versions: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758.</li>
<li>SAP Note 3461110 | Medium 5.0 | CVE-2024-39600 | Information Disclosure vulnerability in SAP GUI for Windows. Product: SAP GUI for Windows. Version: BC-FES-GUI 8.</li>
<li>SAP Note 3469958 | Medium 5.0 | CVE-2024-37171 | Server-Side Request Forgery (SSRF) in SAP Transportation Management (Collaboration Portal). Product: SAP Transportation Management (Collaboration Portal). Versions: SAPTMUI 140, 150, 160, 170.</li>
<li>SAP Note 3456952 | Medium 4.7 | CVE-2024-39599 | Protection Mechanism Failure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform. Versions: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758, 795, 796.</li>
<li>SAP Note 3476348 | Medium 4.3 | CVE-2024-39596 | Missing Authorization check vulnerability in SAP Enable Now. Product: SAP Enable Now. Versions: WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704.</li>
<li>SAP Note 3454858 | Medium 4.1 | CVE-2024-37180 | Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver Application Server for ABAP and ABAP Platform. Versions: SAP_BASIS 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 757, 758.</li>
<li>SAP Note 3101986 | Medium 4.1 | Update to Security Note released on April 2022 Patch Day: Enable CSP support for OP1909 in SAP CRM WebClient UI. Product: SAP CRM WebClient UI. Version: S4FND 104.</li>
<li>SAP Note 3476340 | Low 3.3 | CVE-2024-34692 | Unrestricted File upload vulnerability in SAP Enable Now. Product: SAP Enable Now. Versions: WPB_MANAGER_CE 10, WPB_MANAGER_HANA 10, ENABLE_NOW_CONSUMP_DEL 1704.</li>
</ul>

<p><strong>Stay safe and keep your system up to <a href="https://dam.sap.com/mac/app/e/pdf/preview/embed/ucQrx6G?ltr=a&amp;rc=10" target="_blank" rel="noreferrer noopener">date</a>!</strong></p>

<p><strong>It always pays to stay alert and make sure your SAP system is current. Applying security patches early and consistently protects not only your data but also the consistency and integrity of your entire company.</strong></p>
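The flaw class behind Note 3490515 above, a self-service "forgot password" flow that hands a reset link to accounts the merchant has not yet approved, is easy to model. The following is an added example and not SAP Commerce code: the account records, the mailer and the per-site binding are constructed, and the uniform response in the hardened variant is a design choice of this example (it keeps the endpoint from revealing whether an address is approved, pending or unknown), not something the note describes.

```python
"""Password-reset request handling for a B2B storefront with merchant approval.

Added example, not SAP Commerce code. It models the flaw class behind Note
3490515: a "forgot password" flow that sends a reset mail to any registered
account, including ones a merchant has not yet approved, hands an unapproved
user a working login. The hardened handler sends mail only to an approved
account registered on the requesting site and answers identically either way.
Account data and the mailer are constructed for this example.
"""
from dataclasses import dataclass, field
import secrets


@dataclass
class Account:
    email: str
    site: str          # base site the registration belongs to (constructed model)
    approved: bool     # merchant approval of the B2B registration


@dataclass
class Mailer:
    """Stand-in for the mail service; records what would have been sent."""
    sent: list = field(default_factory=list)

    def send_reset(self, email, token):
        self.sent.append((email, token))


# Constructed accounts: one approved, one still waiting for merchant approval.
ACCOUNTS = {
    "buyer@approved.example": Account("buyer@approved.example", "b2b-eu", True),
    "new@pending.example": Account("new@pending.example", "b2b-eu", False),
}

GENERIC_RESPONSE = "If an account exists for this address, a reset link has been sent."


def request_reset_vulnerable(email, site, mailer, accounts=ACCOUNTS):
    """Before: approval is never consulted, so a pending account gets a token
    and can set a password and log in without the merchant's decision."""
    acct = accounts.get(email)
    if acct is None:
        return "Unknown account"          # also leaks account existence
    mailer.send_reset(email, secrets.token_urlsafe(32))
    return "Reset mail sent"


def request_reset_hardened(email, site, mailer, accounts=ACCOUNTS):
    """After: mail goes out only for an approved account registered on this
    site; unknown, pending and foreign-site requests all get the same reply."""
    acct = accounts.get(email)
    if acct is not None and acct.approved and acct.site == site:
        mailer.send_reset(email, secrets.token_urlsafe(32))
    return GENERIC_RESPONSE
```

The approval check is the fix the note describes; the site check only matters where sites are isolated, which is why the note singles out non-isolated sites as the place where the exposure spreads. The token itself should be stored hashed and bound to the account and an expiry, which this example leaves out.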
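Three of the notes in the list above (3458789, 3483993 and 3485805) deal with the same server-side request forgery in SAP Business Workflow, and the third of them introduces an allowlist for callback URLs. What such an allowlist has to get right is the same in any stack, so here is an added example of the check in Python. It is not SAP's implementation and the allowlist entries and sample URLs are constructed; it shows the points an SSRF allowlist is usually tripped up on: only the parsed host is compared (never a substring of the raw URL), credentials in the authority part are rejected, IP literals are rejected so the call cannot be pointed at loopback or a metadata service, and a wildcard entry matches proper subdomains only.

```python
"""Allowlist check for a callback URL before a server-side component fetches it.

Added example, not SAP's implementation of Note 3485805. CALLBACK_ALLOWLIST
and the URLs in the tests are constructed.
"""
import ipaddress
from urllib.parse import urlsplit

# Hosts the workflow service may call back to (constructed).
# "*.parent" matches any proper subdomain of parent, not parent itself.
CALLBACK_ALLOWLIST = {"workflow.example.com", "*.apps.example.com"}
ALLOWED_SCHEMES = {"https"}


def host_allowed(host, allowlist):
    """Exact match, or proper-subdomain match for '*.' entries."""
    host = host.lower().rstrip(".")          # 'a.b.' and 'a.b' are the same name
    for entry in allowlist:
        entry = entry.lower()
        if entry.startswith("*."):
            if host.endswith("." + entry[2:]):
                return True
        elif host == entry:
            return True
    return False


def is_ip_literal(host):
    """True for v4/v6 literals; urlsplit strips the brackets of v6 hosts."""
    try:
        ipaddress.ip_address(host.strip("[]"))
        return True
    except ValueError:
        return False


def validate_callback_url(url, allowlist=CALLBACK_ALLOWLIST):
    """Return (ok, reason). Decisions are made on the parsed components only,
    so 'https://workflow.example.com.evil.net' fails the host comparison and
    'https://workflow.example.com@evil.net' fails the credentials check."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme {parts.scheme!r} not allowed"
    if parts.username is not None or parts.password is not None:
        return False, "credentials in URL"
    host = parts.hostname                    # already lower-cased by urlsplit
    if not host:
        return False, "no host"
    if is_ip_literal(host):
        return False, "IP literal not allowed"
    if not host_allowed(host, allowlist):
        return False, f"host {host!r} not in allowlist"
    return True, "ok"
```

The allowlist decides which names the service may call; it does not decide which address those names resolve to. If an allowlisted host can be pointed at an internal address (DNS rebinding, a compromised zone), the fetch still has to resolve the name, check the resulting address against internal ranges and connect to that same address.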
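The list above is sorted by CVSS score, which is the right order for reading but not for importing: 3483993 is a prerequisite for 3458789, and a note only matters if one of its affected component releases is actually installed. As an added example (not the article's or SAP's tooling), the script below does that triage. Its NOTES table is a subset transcribed from the list above, INVENTORY is a constructed component inventory of one ABAP system, and the prerequisite relation is taken from the note title "Prerequisite for Security Note 3458789".

```python
"""Patch-day triage: which of the July 2024 notes apply to a given system,
and in what order do they go in?

Added example, not SAP's tooling. NOTES is a subset transcribed from the
note list above; INVENTORY is a constructed component inventory (the kind
you read off the installed software components of a system).
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Note:
    number: int
    cvss: float
    cves: tuple
    title: str
    affected: dict          # component -> set of affected releases
    requires: tuple = ()    # notes that must be imported first


BASIS_700_758 = {"700", "701", "702", "731", "740", "750", "751", "752",
                 "753", "754", "755", "756", "757", "758"}

# Subset of the July 2024 list (transcribed from the article, not complete).
NOTES = [
    Note(3483344, 7.7, ("CVE-2024-39592",), "Missing Authorization check in PDCE",
         {"S4CORE": {"102", "103"}, "S4COREOP": {"104", "105", "106", "107", "108"}}),
    Note(3457354, 5.4, ("CVE-2024-37172",),
         "Missing Authorization check in S/4HANA Finance (Advanced Payment Management)",
         {"S4CORE": {"107", "108"}}),
    Note(3458789, 5.0, ("CVE-2024-34689",),
         "Server-Side Request Forgery in SAP Business Workflow (WebFlow Services)",
         {"SAP_BASIS": BASIS_700_758}, requires=(3483993,)),
    Note(3483993, 5.0, ("CVE-2024-34689",), "Prerequisite for Security Note 3458789",
         {"SAP_BASIS": BASIS_700_758}),
    Note(3485805, 5.0, ("CVE-2024-34689",),
         "Allowlisting of callback-URLs in SAP Business Workflow (WebFlow Services)",
         {"SAP_BASIS": BASIS_700_758}),
    Note(3456952, 4.7, ("CVE-2024-39599",),
         "Protection Mechanism Failure in SAP NetWeaver AS ABAP and ABAP Platform",
         {"SAP_BASIS": BASIS_700_758 | {"795", "796"}}),
    Note(3476348, 4.3, ("CVE-2024-39596",), "Missing Authorization check in SAP Enable Now",
         {"WPB_MANAGER_CE": {"10"}, "WPB_MANAGER_HANA": {"10"},
          "ENABLE_NOW_CONSUMP_DEL": {"1704"}}),
]

# Constructed inventory of one ABAP system: component -> installed release.
INVENTORY = {"SAP_BASIS": "755", "S4CORE": "105", "S4COREOP": "105", "S4FND": "105"}


def applicable_notes(inventory, notes=NOTES):
    """Notes with at least one (component, release) pair present in the
    inventory, highest CVSS first. Components not installed never match."""
    hits = [n for n in notes
            if any(inventory.get(comp) in rels for comp, rels in n.affected.items())]
    return sorted(hits, key=lambda n: (-n.cvss, n.number))


def import_order(notes):
    """Reorder so every prerequisite precedes the note that needs it, keeping
    the CVSS order otherwise. Fails loudly if a prerequisite was left out."""
    by_number = {n.number: n for n in notes}
    ordered, seen = [], set()

    def visit(n):
        if n.number in seen:
            return
        for req in n.requires:
            if req not in by_number:
                raise ValueError(f"note {n.number} requires {req}, which is not selected")
            visit(by_number[req])
        seen.add(n.number)
        ordered.append(n)

    for n in notes:
        visit(n)
    return ordered


if __name__ == "__main__":
    for n in import_order(applicable_notes(INVENTORY)):
        print(f"{n.number}  CVSS {n.cvss:>4}  {', '.join(n.cves)}  {n.title}")
```

For the constructed inventory this yields 3483344 first (S4COREOP 105 is affected), then 3483993 ahead of 3458789 because of the prerequisite, then 3485805 and 3456952; 3457354 and 3476348 drop out because S4CORE 105 and the Enable Now components are not in the inventory. The release match is deliberately exact: whether a note is already covered by a support package level is a separate check that only the note itself answers.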