CVE-2024-42374 Overview
CVE-2024-42374 affects the SAP Business Explorer (BEx) Web Java Runtime Export Web Service. The service does not sufficiently validate XML documents accepted from untrusted sources, exposing the application to XML-based attacks classified under [CWE-91] (XML Injection). Attackers with network access and no authentication can exploit this weakness to retrieve information from the SAP Adobe Document Services (ADS) system and exhaust the available XMLForm service instances. Successful exploitation makes SAP ADS PDF rendering unavailable and discloses limited confidential data.
Critical Impact
Unauthenticated network attackers can disclose information from SAP ADS and render the PDF generation service unavailable, affecting confidentiality and availability.
Affected Products
- SAP BEx Web Java Runtime Export Web Service BI-BASE-B 7.5
- SAP BEx Web Java Runtime Export Web Service BI-BASE-E 7.5 and BI-BASE-S 7.5
- SAP BEx Web Java Runtime Export Web Service BI-IBC 7.5 and BIWEBAPP 7.5
Discovery Timeline
- 2024-08-13 - CVE-2024-42374 published to NVD
- 2026-06-17 - Last updated in NVD database
Technical Details for CVE-2024-42374
Vulnerability Analysis
The BEx Web Java Runtime Export Web Service accepts XML payloads from remote clients and processes them without enforcing sufficient validation controls. This class of weakness, tracked as [CWE-91] XML Injection, allows an attacker to inject or manipulate XML structures that the parser then interprets in unintended ways. Within the SAP BI 7.5 stack, the export web service relays processing requests to SAP Adobe Document Services (ADS) for PDF rendering. By submitting crafted XML, an attacker can coerce the backend into returning information from the ADS system. Repeated exploitation also depletes the XMLForm service pool, blocking legitimate PDF generation requests.
Root Cause
The root cause is improper neutralization of XML content supplied by untrusted clients. The web service does not constrain element structure, entity references, or resource consumption before passing documents to downstream XML processors. This permits both information disclosure from the ADS subsystem and resource exhaustion against the XMLForm service.
Attack Vector
The vulnerability is reachable over the network without authentication or user interaction. An attacker sends a crafted XML document to the exposed BEx Web Java Runtime Export Web Service endpoint. The malicious payload manipulates the parser to either return sensitive content from the SAP ADS environment or to consume XMLForm service slots until the rendering capacity is exhausted. No verified public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog.
Refer to SAP Note #3485284 for vendor technical details.
Detection Methods for CVE-2024-42374
Indicators of Compromise
- Unexpected HTTP POST requests containing XML payloads targeting BEx Web Java Runtime Export Web Service endpoints on SAP BI 7.5 servers.
- Sudden depletion or queueing of XMLForm service workers within SAP ADS leading to failed PDF rendering operations.
- ADS log entries showing repeated render failures correlated with anomalous inbound XML traffic.
Detection Strategies
- Inspect web application firewall and reverse proxy logs for malformed or oversized XML documents posted to BEx export service URIs.
- Correlate SAP ADS rendering errors with concurrent spikes in inbound traffic to BEx Java endpoints.
- Enable SAP Solution Manager monitoring to track XMLForm service availability and worker pool utilization over time.
Monitoring Recommendations
- Forward SAP NetWeaver Java, BEx, and ADS logs to a centralized analytics platform for correlation against network telemetry.
- Establish baselines for XMLForm service request volume and alert on deviations consistent with resource exhaustion.
- Monitor authentication-free access patterns to internet-exposed BEx interfaces and restrict them where possible.
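The detection strategies and monitoring recommendations above can be turned into concrete rules over reverse-proxy access logs. The following is an added example, not part of the advisory and not an SAP tool: it parses a constructed access-log format (source IP, time, request line, status, request length, content type), flags XML POSTs to the export endpoint that exceed the body cap, come from outside the trusted network, or arrive in a burst from one source within a minute. The `/BExWebApp/` prefix, the 10.0.0.0/8 trusted range, the 1 MiB cap and the burst threshold are assumptions to be replaced with values from your own landscape and baseline.

```python
"""Access-log detection rules for CVE-2024-42374-style traffic (added example).

Assumed log format (constructed for this example, not a standard nginx format):
  <ip> [<time> <tz>] "<method> <uri> <proto>" <status> <request_length> "<content-type>"
"""
import ipaddress
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<time>[^\]]+)\] "(?P<method>[A-Z]+) (?P<uri>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<req_len>\d+) "(?P<ctype>[^"]*)"$'
)
EXPORT_PREFIX = "/BExWebApp/"                       # assumed export endpoint prefix
MAX_XML_BYTES = 1 * 1024 * 1024                     # mirrors a 1m reverse-proxy body cap
BURST_THRESHOLD = 5                                 # XML POSTs per source per minute (tune to baseline)
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal network

# Constructed sample log: one internal client, one external client hammering the
# endpoint (first request oversized), one further external client, plus noise.
SAMPLE_LOG = """\
10.20.30.40 [13/Aug/2024:10:00:01 +0000] "POST /BExWebApp/export HTTP/1.1" 200 2048 "text/xml"
203.0.113.7 [13/Aug/2024:10:01:02 +0000] "POST /BExWebApp/export HTTP/1.1" 200 3145728 "application/xml"
203.0.113.7 [13/Aug/2024:10:01:03 +0000] "POST /BExWebApp/export HTTP/1.1" 500 4096 "application/xml"
203.0.113.7 [13/Aug/2024:10:01:04 +0000] "POST /BExWebApp/export HTTP/1.1" 500 4096 "application/xml"
203.0.113.7 [13/Aug/2024:10:01:05 +0000] "POST /BExWebApp/export HTTP/1.1" 500 4096 "application/xml"
203.0.113.7 [13/Aug/2024:10:01:06 +0000] "POST /BExWebApp/export HTTP/1.1" 500 4096 "application/xml"
203.0.113.7 [13/Aug/2024:10:01:07 +0000] "POST /BExWebApp/export HTTP/1.1" 500 4096 "application/xml"
198.51.100.9 [13/Aug/2024:10:02:10 +0000] "POST /BExWebApp/export HTTP/1.1" 200 1024 "application/soap+xml"
10.20.30.40 [13/Aug/2024:10:02:00 +0000] "GET /BExWebApp/export HTTP/1.1" 200 512 "-"
10.20.30.40 [13/Aug/2024:10:02:30 +0000] "POST /irj/portal HTTP/1.1" 200 900 "application/x-www-form-urlencoded"
"""


def parse_line(line):
    """Return a dict for one log line, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["req_len"] = int(rec["req_len"])
    rec["time"] = datetime.strptime(rec["time"], "%d/%b/%Y:%H:%M:%S %z")
    return rec


def is_xml_export_post(rec):
    """True for POST requests carrying an XML body to the export endpoint."""
    return (rec["method"] == "POST"
            and rec["uri"].startswith(EXPORT_PREFIX)
            and "xml" in rec["ctype"].lower())


def detect(lines):
    """Run the three rules and return (rule, source_ip, detail) findings in log order."""
    findings = []
    per_minute = Counter()          # (source ip, minute) -> XML POST count
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_xml_export_post(rec):
            continue
        ip = ipaddress.ip_address(rec["ip"])
        if rec["req_len"] > MAX_XML_BYTES:
            findings.append(("oversized_xml_post", rec["ip"], rec["req_len"]))
        if not any(ip in net for net in TRUSTED_NETS):
            findings.append(("untrusted_source_xml_post", rec["ip"], rec["uri"]))
        window = (rec["ip"], rec["time"].replace(second=0))
        per_minute[window] += 1
        if per_minute[window] == BURST_THRESHOLD:   # fire once per source per minute
            findings.append(("xml_post_burst", rec["ip"], window[1].isoformat()))
    return findings


def summarize(findings):
    """Count findings per rule, the shape an alerting pipeline would aggregate on."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG.splitlines()):
        print(finding)
    print(dict(summarize(detect(SAMPLE_LOG.splitlines()))))
```

On the sample, the internal client produces no findings, the oversized request and every external XML POST are flagged individually, and the burst rule fires exactly once for 203.0.113.7 in the 10:01 window. Correlating these hits with SAP ADS render failures in the same window is what ties the proxy-side view to the XMLForm exhaustion indicator described above.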
How to Mitigate CVE-2024-42374
Immediate Actions Required
- Apply the security fix referenced in SAP Note #3485284 to all affected SAP BI 7.5 components.
- Review the SAP Security Patch Day Announcement and align patching with the next maintenance window.
- Restrict network exposure of the BEx Web Java Runtime Export Web Service to trusted segments and authenticated proxies.
Patch Information
SAP addressed CVE-2024-42374 in its Security Patch Day release. Administrators must implement the corrections delivered in SAP Note #3485284 across components BI-BASE-B, BI-BASE-E, BI-BASE-S, BI-IBC, and BIWEBAPP at version 7.5. Verify post-installation that ADS rendering and XMLForm services return to baseline behavior.
Workarounds
- Place the BEx export web service behind an authenticated reverse proxy and block unauthenticated XML POST requests at the network edge.
- Configure XML parser hardening on the SAP NetWeaver Java stack to limit document size, entity expansion, and external references.
- Rate-limit calls to the XMLForm service to reduce the impact of resource exhaustion attempts until patches are applied.
# Configuration example
# Restrict access to BEx Web Java Runtime Export Web Service at the reverse proxy
# Replace <bex-host> with your SAP NetWeaver Java hostname
location /BExWebApp/ {
    allow 10.0.0.0/8;          # internal management network
    deny all;                  # block all other sources
    client_max_body_size 1m;   # cap XML payload size
    proxy_pass https://<bex-host>;
}
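The root-cause section states that the service does not constrain element structure, entity references, or resource consumption before handing documents to downstream XML processors, and the workaround above asks for parser hardening that limits document size, entity expansion, and external references. The following added example, written in Python rather than in SAP's Java stack and not SAP's fix, shows what such a pre-validation gate looks like in code: a size cap, outright rejection of DOCTYPE declarations (which is where entities, and therefore entity-expansion and external-entity references, are declared), and limits on nesting depth and element count. The limits and the sample documents are constructed for the example.

```python
"""Pre-validation gate for untrusted XML (added example, not SAP's code).

Everything that passes validate_untrusted_xml() is structurally bounded and
free of DTD-declared entities; anything else is rejected before a downstream
processor such as a PDF renderer ever sees it.
"""
from xml.parsers import expat

MAX_BYTES = 1 * 1024 * 1024   # assumed cap, mirrors the reverse-proxy body limit
MAX_DEPTH = 32                # assumed nesting limit
MAX_ELEMENTS = 10_000         # assumed element-count limit


class RejectedXML(ValueError):
    """Raised when a document violates the gate's policy."""


def validate_untrusted_xml(data: bytes) -> dict:
    """Parse `data` with a hardened expat parser; return simple structural stats.

    Raises RejectedXML on any policy violation or malformed input.
    """
    if len(data) > MAX_BYTES:
        raise RejectedXML(f"document too large: {len(data)} bytes")

    parser = expat.ParserCreate()
    # Never resolve parameter entities or fetch an external DTD subset.
    parser.SetParamEntityParsing(expat.XML_PARAM_ENTITY_PARSING_NEVER)
    stats = {"depth": 0, "max_depth": 0, "elements": 0}

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # A DOCTYPE is the only place entities can be declared, so refusing it
        # closes off entity expansion and external entity references together.
        raise RejectedXML("DOCTYPE declarations are not allowed")

    def on_entity_decl(*args):
        # Defense in depth: unreachable once DOCTYPE is refused, kept explicit.
        raise RejectedXML("entity declarations are not allowed")

    def on_external_entity(context, base, sysid, pubid):
        raise RejectedXML("external entity references are not allowed")

    def on_start(name, attrs):
        stats["elements"] += 1
        stats["depth"] += 1
        stats["max_depth"] = max(stats["max_depth"], stats["depth"])
        if stats["depth"] > MAX_DEPTH:
            raise RejectedXML(f"nesting deeper than {MAX_DEPTH}")
        if stats["elements"] > MAX_ELEMENTS:
            raise RejectedXML(f"more than {MAX_ELEMENTS} elements")

    def on_end(name):
        stats["depth"] -= 1

    parser.StartDoctypeDeclHandler = on_doctype
    parser.EntityDeclHandler = on_entity_decl
    parser.ExternalEntityRefHandler = on_external_entity
    parser.StartElementHandler = on_start
    parser.EndElementHandler = on_end

    try:
        parser.Parse(data, True)
    except expat.ExpatError as exc:
        raise RejectedXML(f"malformed XML: {exc}") from exc
    return {"max_depth": stats["max_depth"], "elements": stats["elements"]}


def gate_result(data: bytes) -> str:
    """Convenience wrapper: 'accepted' or 'rejected: <reason>'."""
    try:
        validate_untrusted_xml(data)
        return "accepted"
    except RejectedXML as exc:
        return f"rejected: {exc}"


# Constructed sample documents exercising each control.
BENIGN = b'<export><query name="Q1"><filter>2024</filter></query></export>'
ENTITY_DOC = (b'<?xml version="1.0"?><!DOCTYPE d [<!ENTITY a "aaaa">'
              b'<!ENTITY b "&a;&a;&a;&a;">]><export>&b;</export>')
EXTERNAL_DOC = (b'<!DOCTYPE d [<!ENTITY e SYSTEM "http://example.invalid/x">]>'
                b'<export>&e;</export>')
DEEP_DOC = b"<a>" * (MAX_DEPTH + 8) + b"</a>" * (MAX_DEPTH + 8)
HUGE_DOC = b"<export>" + b"x" * MAX_BYTES + b"</export>"
BROKEN_DOC = b"<export><query></export>"

if __name__ == "__main__":
    for label, doc in [("benign", BENIGN), ("entities", ENTITY_DOC),
                       ("external", EXTERNAL_DOC), ("deep", DEEP_DOC),
                       ("huge", HUGE_DOC), ("broken", BROKEN_DOC)]:
        print(f"{label:9s} -> {gate_result(doc)}")
```

The gate reports structural stats for the benign document and rejects the entity-bearing, external-reference, over-deep, oversized, and malformed samples with distinct reasons, which is what a service-side log entry should carry so that rejections can be correlated with the proxy-side detections. Refusing DOCTYPE wholesale is the simplest safe policy for a service that, like the export web service, has no legitimate need for DTDs.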
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.