
SAP Patch Tuesday overview for October 2022 

12 October 2022

A review, best practices and tips and tricks for this month’s SAP Security patches – Fixing SAP vulnerabilities. 

SAP Security Patch Tuesday October

It’s that day of the month again, SAP Security Patch Tuesday! On the 2nd Tuesday of the month SAP releases its patches for vulnerabilities in SAP products, whether discovered by SAP internally or by external researchers such as Protect4S’ own researchers.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, in line with their SAP Vulnerability Management process and procedures. This month’s patches include some high CVSS scores and a few specifics worth noting. Notes that deserve attention are:

  • Customers using SAP Manufacturing Execution should address HotNews note 3242933 – [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution. This note has a CVSS score of 9.9/10 and the vulnerability can lead to the reading of all files on the remote server.
  • A HotNews note has been released for customers using SAP Commerce: 3239152 – [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form. This vulnerability has a CVSS score of 9.6/10 and can lead to credentials being stolen. When addressing this vulnerability, also have a look at SAP Security note 3202523, which carries a lower risk but addresses the same SAP product and can be patched at the same time.
  • A large portion (7 in total) of this month’s SAP Security notes address vulnerabilities in SAP BusinessObjects. Review these notes when operating SAP BusinessObjects systems, as some have the potential to leak OS credentials, such as SAP Security note 3229132.
  • There are 2 vulnerabilities in the encryption for the Gigya mobile app (Android). See SAP Security notes 3248384 and 3248970.
  • There are 2 notes dealing with several vulnerabilities in the SAP 3D Visual Enterprise frontend component. This component can be exploited by opening specially crafted 3D files. See notes 3245929 and 3245928 for more information.
  • Also see note 3232021 – [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ. This note has a CVSS score of 8.1/10, but exploitation is hard and no publicly known exploits are available yet.
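The URL redirection class behind note 3239152 comes down to a post-login "return to" parameter that is forwarded to the browser without validation, so a crafted login link can land an authenticated user on an attacker-controlled page. The validator below is an added example, not SAP's or Protect4S's code; it assumes a hypothetical site origin and host allowlist and shows the edge cases (protocol-relative URLs, userinfo tricks, backslashes, parser differentials) that a naive "starts with a slash" check misses:

```python
from urllib.parse import urlsplit, urljoin

# Assumed values for illustration only (not from the SAP notes).
SITE_ORIGIN = "https://shop.example.com"
ALLOWED_HOSTS = {"shop.example.com"}


def safe_redirect_target(requested: str, default: str = "/") -> str:
    """Return a post-login redirect that stays on an allowed host, else `default`.

    The result is always a path (plus query) on our own origin, never an
    absolute URL, so even URL-parser differences between this code and the
    browser cannot send the user off-site.
    """
    if not requested:
        return default
    # Backslashes and control characters are normalised differently by browsers
    # and server-side parsers ("/\\evil" becomes "//evil" in some browsers), so
    # refuse them outright instead of trying to canonicalise.
    if "\\" in requested or any(ord(c) < 0x20 for c in requested):
        return default
    try:
        parts = urlsplit(requested)
        # Only http(s) may appear; javascript:, data: and friends are rejected.
        if parts.scheme and parts.scheme.lower() not in ("http", "https"):
            return default
        # Resolve relative forms against our origin: "//evil.example/x" becomes
        # "https://evil.example/x" and is then caught by the host check, while
        # "user@host" forms are handled by .hostname (the part after "@").
        resolved = urlsplit(urljoin(SITE_ORIGIN + "/", requested))
    except ValueError:
        return default
    if resolved.scheme != "https" or resolved.hostname not in ALLOWED_HOSTS:
        return default
    target = resolved.path or "/"
    # A path beginning with "//" would be read by the browser as a
    # protocol-relative URL to another host, so it must not be passed through.
    if not target.startswith("/") or target.startswith("//"):
        return default
    if resolved.query:
        target += "?" + resolved.query
    return target
```

Because only a same-origin path is ever emitted, an input such as `///evil.example` (which browsers resolve to a foreign host but Python resolves to a local path) is returned as `/evil.example` and stays on our site.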

A total of 22 notes have been released this month: 16 new ones and 6 updates to older notes. A breakdown by priority can be found below: 

[Image: breakdown of this month’s SAP Security notes by priority]

For organisations using SAP software, it is important to have a process and procedures in place that ensure the SAP Security notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way for ABAP systems (for the patches with automatic correction instructions). A full overview of this month’s SAP Security notes can be found below:

| SAP Security note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 3242933 | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | 9.9 | HotNews |
| 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | 9.6 | HotNews |
| 3213507 | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | 8.2 | High |
| 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | 8.2 | High |
| 3232021 | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | 8.1 | High |
| 3239293 | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools / Query Builder) | 7.7 | High |
| 3245929 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | | High |
| 3245928 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | | High |
| 3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | 6.8 | Medium |
| 3049899 | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | 6.5 | Medium |
| 2726124 | Missing Authorization Check in multiple components under SAP Automotive Solutions | 6.3 | Medium |
| 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | 6.3 | Medium |
| 3211161 | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | 6.1 | Medium |
| 3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 6.1 | Medium |
| 3213524 | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | | Medium |
| 3229425 | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform / Analysis for OLAP | 5.4 | Medium |
| 2460948 | Missing Authorization Check in Vehicle Management System | 5.3 | Medium |
| 3248970 | [CVE-2022-41209] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | 4.9 | Medium |
| 3248384 | [CVE-2022-41210] Information Disclosure vulnerability in SAP Customer Data Cloud (Gigya) | 4.9 | Medium |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | 4.9 | Medium |
| 3167342 | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | 4.8 | Medium |
| 3234755 | Information Disclosure vulnerability in Master Data Governance | 4.3 | Medium |

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!