A review, best practices and tips and tricks for this month’s SAP Security patches – Fixing SAP vulnerabilities.

It’s that day of the month again: SAP Security Patch Tuesday! On the second Tuesday of each month SAP releases patches for vulnerabilities in its products, whether they were discovered by SAP internally or reported by external researchers such as Protect4S’ own.
As always, customers should assess the list of released SAP Security Notes and apply them where applicable, in line with their SAP vulnerability management process and procedures. This month’s patches include some high CVSS scores and a few specifics worth noting:
- Customers running SAP Manufacturing Execution should address HotNews note 3242933 – [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution. It has a CVSS score of 9.9/10 and can allow an attacker to read any file on the remote server.
- A HotNews note, 3239152 – [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form, has been released for customers using SAP Commerce. It has a CVSS score of 9.6/10 and can lead to stolen credentials. When addressing it, also look at SAP Security Note 3202523, which carries a lower risk but concerns the same product and can be patched at the same time.
- A large share of this month’s notes (7 in total) address vulnerabilities in SAP BusinessObjects. Review them when operating SAP BusinessObjects systems, as some have the potential to leak OS credentials, for example SAP Security Note 3229132.
- Two notes, 3248384 and 3248970, address vulnerabilities in the encryption used by the SAP Customer Data Cloud (Gigya) mobile app for Android.
- Two notes, 3245929 and 3245928, deal with several vulnerabilities in the SAP 3D Visual Enterprise frontend components (Author and Viewer). These can be exploited by opening specially crafted 3D files.
- Also see note 3232021 – [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ. It has a CVSS score of 8.1/10, but exploitation is hard and no public exploits are known at the time of writing.
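To make the two HotNews vulnerability classes above concrete, here is an added Python illustration written for this article (it is not code from SAP, SAP Commerce, SAP Manufacturing Execution or Protect4S, and it does not reproduce the actual flaws): a login-form return-URL check that can be bypassed beside a hardened one, and a file-path check that allows traversal beside one that confines access to a base directory. The storefront host name, the base directory and the file names are constructed for the example.

```python
"""Added example for this article (not SAP's or Protect4S' code): the vulnerability
classes behind the two HotNews notes, each with a bypassable check and a hardened
one. The host, directory and file names are constructed for the illustration.
Requires Python 3.9+ (Path.is_relative_to)."""
from pathlib import Path
from urllib.parse import urljoin, urlsplit

# 1. URL redirection on a login form (the CVE-2022-41204 class).
#    A login page typically takes a return URL and redirects to it after login.
#    If an attacker-controlled value is accepted, the victim lands on a look-alike
#    page under the attacker's control and the credentials are stolen.

SITE_HOST = "shop.example.com"   # constructed storefront host (assumption)
HOME = f"https://{SITE_HOST}/"


def naive_return_url_ok(url: str) -> bool:
    """Bypassable check: 'starts with a slash or with our own https origin'.
    Passes '//evil.test', 'https://shop.example.com.evil.test/' and
    'https://shop.example.com@evil.test/'."""
    return url.startswith("/") or url.startswith("https://" + SITE_HOST)


def safe_return_url(url: str) -> str:
    """Hardened check: resolve the value against our own origin and accept it
    only if it still points at SITE_HOST over https; otherwise send the user home."""
    resolved = urljoin(HOME, url)   # relative paths become our own URLs, while a
    parts = urlsplit(resolved)      # scheme-relative '//evil.test' resolves to evil.test
    if parts.scheme != "https" or parts.netloc != SITE_HOST:
        return HOME                 # also rejects host look-alikes and user@host tricks
    if "\\" in resolved:            # browsers read '/\evil.test' as '//evil.test'
        return HOME
    return resolved


# 2. File path traversal (the CVE-2022-39802 class).
#    The server returns a file from base_dir whose name comes from the request.

def naive_file_path(base_dir: str, requested: str) -> str:
    """Bypassable: just join. '../..' walks up, an absolute name replaces base_dir."""
    return str(Path(base_dir) / requested)


def safe_file_path(base_dir: str, requested: str) -> Path:
    """Hardened: canonicalise both sides (collapsing '..' and symlinks) and require
    the result to lie inside base_dir, compared by path components so that
    '/srv/app/files2' is not mistaken for something inside '/srv/app/files'."""
    base = Path(base_dir).resolve()
    candidate = (base / requested).resolve()
    if candidate == base or not candidate.is_relative_to(base):
        raise PermissionError(f"{requested!r} resolves outside {base}")
    return candidate


def traversal_rejected(base_dir: str, requested: str) -> bool:
    """True when the hardened check refuses the requested name."""
    try:
        safe_file_path(base_dir, requested)
    except PermissionError:
        return True
    return False


if __name__ == "__main__":
    for u in ["/my-account", "//evil.test/", "https://shop.example.com.evil.test/",
              "https://shop.example.com@evil.test/", "/\\evil.test"]:
        print(f"{u:40} naive ok={naive_return_url_ok(u)!s:5} safe -> {safe_return_url(u)}")
    base = "/srv/app/files"   # constructed base directory
    for f in ["reports/2022-10.pdf", "../../../etc/passwd", "/etc/passwd", "../files2/x"]:
        print(f"{f:22} naive -> {naive_file_path(base, f):38} rejected={traversal_rejected(base, f)}")
```

The redirect check deliberately does not try to enumerate bad prefixes; it normalises the value with `urljoin` and then compares the parsed scheme and host, which is what defeats the host-suffix, userinfo and scheme-relative variants that a `startswith` check lets through. The path check likewise compares canonical paths component by component rather than as strings.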
A total of 22 notes have been released this month: 16 new ones and 6 updates to older notes. By priority (from the list below): 2 HotNews, 6 High and 14 Medium.

For organisations using SAP software, it is important to have a process and procedures in place that ensure the SAP Security Notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security Notes and, for ABAP systems, applying those notes that ship with automatic correction instructions. A full overview of this month’s SAP Security Notes can be found below:
| SAP Security Note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3242933 | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | 9.9 | HotNews |
| 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | 9.6 | HotNews |
| 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | 8.2 | High |
| 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | 8.2 | High |
| 3232021 | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | 8.1 | High |
| 3239293 | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) | 7.7 | High |
| 3245929 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | 7.0 | High |
| 3245928 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | 7.0 | High |
| 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 6.8 | Medium |
| 3049899 | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | 6.5 | Medium |
| 2726124 | Missing Authorization Check in multiple components under SAP Automotive Solutions | 6.3 | Medium |
| 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | 6.3 | Medium |
| 3211161 | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | 6.1 | Medium |
| 3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 6.1 | Medium |
| 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | 6.0 | Medium |
| 3229425 | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform / Analysis for OLAP | 5.4 | Medium |
| 2460948 | Missing Authorization Check in Vehicle Management System | 5.3 | Medium |
| 3248970 | [CVE-2022-41209] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | 4.9 | Medium |
| 3248384 | [CVE-2022-41210] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | 4.9 | Medium |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4.9 | Medium |
| 3167342 | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | 4.8 | Medium |
| 3234755 | Information Disclosure vulnerability in Master Data Governance | 4.3 | Medium |
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!