From 534ade8342549a38300516edee8f5b4487419a34 Mon Sep 17 00:00:00 2001
From: DininduSWick <116336975+DininduSWick@users.noreply.github.com>
Date: Tue, 16 Apr 2024 14:29:44 +0800
Subject: [PATCH] SAP Security Advisory April 2024 - 20240416002 (#638)

* SAP Security Advisory April 2024 - 20240416002

* Format markdown docs

---------

Co-authored-by: DininduSWick <DininduSWick@users.noreply.github.com>
---
 ...416002-SAP-Security-Advisory-April-2024.md | 25 +++++++++++++++++++
 1 file changed, 25 insertions(+)
 create mode 100644 docs/advisories/20240416002-SAP-Security-Advisory-April-2024.md

diff --git a/docs/advisories/20240416002-SAP-Security-Advisory-April-2024.md b/docs/advisories/20240416002-SAP-Security-Advisory-April-2024.md
new file mode 100644
index 00000000..208cb477
--- /dev/null
+++ b/docs/advisories/20240416002-SAP-Security-Advisory-April-2024.md
@@ -0,0 +1,25 @@
+# SAP Security Advisory April 2024 - 20240416002
+
+## Overview
+
+The WA SOC has become aware of a security misconfiguration vulnerability in SAP NetWeaver AS Java User Management Engine. Self-Registration and Modify your own profile in User Admin Application of NetWeaver AS Java does not enforce proper security requirements for the content of the newly defined security answer. This can be leveraged by an attacker to cause profound impact on confidentiality and low impact on both integrity and availability
+
+## What is vulnerable?
+
+| CVE                                                                | Severity | CVSS | Product(s) Affected                                                                                                           | Dated      |
+| ------------------------------------------------------------------ | -------- | ---- | ----------------------------------------------------------------------------------------------------------------------------- | ---------- |
+| [CVE-2024-27899,](https://nvd.nist.gov/vuln/detail/CVE-2024-27899) | **High** | 8.8  | SAP NetWeaver AS Java User Management Engine Versions: ***<br>- SERVERCORE 7.50, <br>- J2EE-APPS 7.50, <br>- UMEADMIN 7.50*** | 04/09/2024 |
+
+## Recommendation
+
+The WA SOC recommends administrators apply the solutions as per vendor instructions to all affected devices within expected timeframe of *one month...* (refer [Patch Management](../guidelines/patch-management.md)):
+
+- [Patch Notes](https://me.sap.com/notes/3434839)
+
+## Additional References
+
+- [SAP's April 2024 Updates Patch High-Severity Vulnerabilities - SecurityWeek](https://www.securityweek.com/saps-april-2024-updates-patch-high-severity-vulnerabilities/)
+
+- [CVE-2024-27899 | Tenable®](https://www.tenable.com/cve/CVE-2024-27899)
+
+- [SAP Security Patch Day -- April 2024](https://support.sap.com/en/my-support/knowledge-base/security-notes-news/april-2024.html)