
SAP Patch Tuesday overview for September 

14 September 2022

A review, best practices and tips and tricks for this month's SAP Security patches


Another month, another SAP Security Patch Tuesday: the second Tuesday of the month, when SAP releases patches for vulnerabilities in SAP products, whether those were discovered by SAP internally or by external researchers such as Protect4S' own research team.

This month's patches do not have CVSS scores as high as those of previous months, yet every customer needs to assess their own specific situation. Some points of attention are:

  • The frequently recurring note 2622660, which delivers fixes for the Google Chromium browser control. This is relevant for customers that have deployed the SAP Business Client.
  • A patch for an Unquoted Service Path issue in SAP Business One (SAP's solution for SMB customers). In most cases this patch is not relevant for enterprise customers.
  • Only one security note with a CVSS score higher than 8,5 (apart from the Chromium fix): a Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse.
  • A note that deals with vulnerabilities in one of SAP's SaaS solutions. Such notes are seen more often lately and are usually published for informational purposes: customers generally do not need to take action, unless the software is installed in an on-premise scenario.
  • Our own SAP Security research contributed to improvements in the security of SAP password hashes. No specific note was released, but SAP has made improvements to the program CLEANUP_PASSWORD_HASH_VALUES, which will be delivered via a Support Package, and SAP acknowledged Protect4S for this month's patch day.

A total of 16 notes have been released this month: 10 new ones and 6 updates to older notes. A breakdown by priority can be found below: 

[Figure: breakdown of this month's SAP Security notes by priority]

For organisations using SAP software it is important to have a process or procedure in place that ensures the SAP Security notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way on ABAP systems (for patches with automatic correction instructions). A full overview of this month's SAP Security notes can be found below:

| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | 8,8 | High |
| 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | 7,8 | High |
| 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | 6,1 | Medium |
| 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 7,7 | High |
| 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | 6,7 | Medium |
| 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4,7 | Medium |
| 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | 4,3 | Medium |
| 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | 7,8 | High |
| 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | 7,1 | High |
| 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | 6,1 | Medium |
| 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | 8,1 | High |
| 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | 6,3 | Medium |
| 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | 5,4 | Medium |
| 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4,7 | Medium |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4,9 | Medium |

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!