CVE-2024-34688

7.5 HIGH

📋 TL;DR

This vulnerability in SAP NetWeaver AS Java allows attackers to perform denial-of-service attacks by exploiting unrestricted access to Meta Model Repository services. This affects all SAP NetWeaver AS Java systems with vulnerable configurations, potentially disrupting legitimate user access to business applications.

💻 Affected Systems

Products:
  • SAP NetWeaver AS Java
Versions: Multiple versions - check SAP Note 3460407 for specific affected versions
Operating Systems: All supported OS for SAP NetWeaver
Default Config Vulnerable: ⚠️ Yes
Notes: Affects systems with Meta Model Repository services enabled and accessible


⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete application unavailability for extended periods, disrupting critical business operations dependent on SAP systems.

🟠 Likely Case

Intermittent service degradation or temporary unavailability affecting user productivity and business processes.

🟢 If Mitigated

Minimal impact with proper network segmentation and access controls limiting the attack surface.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The attack requires network access to the vulnerable services but no authentication.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3460407

Vendor Advisory: https://me.sap.com/notes/3460407

Restart Required: Yes

Instructions:

1. Download SAP Note 3460407 from the SAP Support Portal.
2. Apply the security patch following SAP's standard patching procedures.
3. Restart the SAP NetWeaver AS Java system.

🔧 Temporary Workarounds

Network Access Restriction

all

Restrict network access to Meta Model Repository services using firewall rules

Service Disablement

all

Disable Meta Model Repository services if not required for business operations

🧯 If You Can't Patch

  • Implement strict network segmentation to isolate SAP systems from untrusted networks
  • Deploy web application firewall with DoS protection rules

🔍 How to Verify

Check if Vulnerable:

Check if SAP Security Note 3460407 is applied via SAP transaction SNOTE

Check Version:

Check SAP system version via SAP GUI or transaction SM51

Verify Fix Applied:

Verify patch application in SAP system and test Meta Model Repository service accessibility

📡 Detection & Monitoring

Log Indicators:

  • Unusual high volume of requests to Meta Model Repository services
  • System performance degradation logs
  • Connection timeout errors

Network Indicators:

  • High volume of traffic to SAP Java ports (typically 5XX00 range)
  • Unusual request patterns to /sap/bc/ repositories

SIEM Query:

source="sap_java_logs" AND ("Meta Model" OR "repository") AND (request_count > threshold)
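The SIEM query above leaves the threshold abstract; the following is an added detection example (not part of this advisory or of any SAP tooling) that implements the same idea as a per-client sliding-window rate check over access log lines. The log line format, the repository path markers and the threshold value are assumptions for illustration, and the sample log is constructed.

```python
# Added detection example (not from the advisory): flags clients that exceed a
# per-source rate of repository requests inside a sliding window. The log line
# format, the path markers and the threshold are assumptions for illustration.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed path markers for Meta Model Repository traffic (tune to your system).
REPOSITORY_MARKERS = ("/sap/bc/", "metamodel", "repository")


def is_repository_request(path: str) -> bool:
    """True if the request path looks like repository access."""
    p = path.lower()
    return any(marker in p for marker in REPOSITORY_MARKERS)


def detect_floods(log_lines, threshold=10, window_seconds=60):
    """Return {client_ip: peak_count} for clients whose repository requests
    exceed `threshold` within any `window_seconds` sliding window.
    Each log line is assumed to be: <ISO timestamp> <client_ip> <method> <path> ...
    """
    windows = defaultdict(deque)  # client_ip -> timestamps inside the window
    alerts = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # malformed line: skip instead of crashing the detector
        ts_raw, client, _method, path = parts[:4]
        if not is_repository_request(path):
            continue
        ts = datetime.fromisoformat(ts_raw)
        q = windows[client]
        q.append(ts)
        while q and ts - q[0] > timedelta(seconds=window_seconds):
            q.popleft()  # evict timestamps older than the window
        if len(q) > threshold:
            alerts[client] = max(alerts.get(client, 0), len(q))
    return alerts


# Constructed sample log: one client bursting (15 hits in 30 s), one normal.
SAMPLE_LOG = [
    f"2024-06-11T10:00:{i:02d} 203.0.113.7 GET /sap/bc/metamodel/repo 200"
    for i in range(0, 30, 2)
] + [
    "2024-06-11T10:00:05 198.51.100.9 GET /sap/bc/metamodel/repo 200",
    "2024-06-11T10:00:40 198.51.100.9 GET /healthcheck 200",
]

if __name__ == "__main__":
    print(detect_floods(SAMPLE_LOG, threshold=10))  # {'203.0.113.7': 15}
```

Feed it your real access log lines and lower or raise `threshold` until normal business traffic stays below it.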
