A review, best practices and tips and tricks for this month's SAP Security patches
Another month, another SAP Security Patch Tuesday: the second Tuesday of the month, when SAP releases patches for vulnerabilities in its products, whether discovered internally by SAP or by external researchers such as Protect4S' own.
This month's patches do not carry CVSS scores as high as those of previous months, yet every customer still needs to assess its own situation. Some points of attention are:
- The frequently recurring note 2622660, which delivers fixes for the Google Chromium browser control. It is relevant for customers that have deployed the SAP Business Client.
- A patch for an Unquoted Service Path issue in SAP Business One (SAP's solution for SMB customers). In most cases this patch is not relevant for enterprise customers.
- Only one security note with a CVSS score higher than 8.5 (apart from the Chromium fix): a Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse.
- A specific note dealing with vulnerabilities in one of SAP's SaaS solutions. Such notes appear more often lately and are usually informational: customers normally only need to take action if the software is installed in an on-premise scenario.
- Our own SAP Security research contributed to improvements in the security of SAP password hashes. No specific note was released, but SAP has made improvements to the program CLEANUP_PASSWORD_HASH_VALUES that will be delivered via a Support Package, and SAP acknowledged Protect4S for this month's patch day.
A total of 16 notes have been released this month: 10 new ones and 6 updates to older notes. A breakdown by priority can be found below:
For organisations using SAP software it is important to have a process or procedure in place that ensures the SAP Security notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them automatically on ABAP systems (for patches with automatic correction instructions). A full overview of this month's SAP Security notes can be found below:
| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews |
| 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | 8.8 | High |
| 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | 7.8 | High |
| 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | 6.1 | Medium |
| 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | 7.7 | High |
| 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | 6.7 | Medium |
| 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Medium |
| 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | 4.3 | Medium |
| 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | 7.8 | High |
| 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | 7.1 | High |
| 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | 6.1 | Medium |
| 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | 8.1 | High |
| 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | 6.3 | Medium |
| 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | 5.4 | Medium |
| 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Medium |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4.9 | Medium |