
SAP Patch Tuesday overview for November 2022

9 November 2022 (updated December 21st, 2022)

A review, best practices and tips and tricks for this month’s SAP Security patches – fixing SAP vulnerabilities.

It’s that day of the month again: SAP Security Patch Tuesday! On the second Tuesday of the month SAP releases its patches to fix vulnerabilities in SAP products, discovered either by SAP internally or by external researchers such as Protect4S’ own researchers, all working to improve SAP’s product security and help SAP customers run their SAP systems more securely.

As always, customers should assess the list of released SAP Security notes and apply them where applicable, in line with their SAP Vulnerability Management process and procedures. This month’s patches include some high CVSS scores. Notes that deserve attention are:

  • Customers using SAP BusinessObjects should address HotNews note 3243924 – [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad). This note has a CVSS score of 9.9/10; a successful exploit could severely compromise the confidentiality, integrity and availability of the system.
  • A HotNews note has also been released for SAPUI5: note 3249990 – [CVE-2021-20223] Multiple Vulnerabilities in SQLite bundled with SAPUI5. This vulnerability has a CVSS score of 9.8/10, and SAPUI5 is used by many SAP customers, so make sure to check your SAP landscape for this vulnerability.

A total of 15 notes have been released this month: 10 new ones and 5 updates to older notes or additions to last month’s Patch Tuesday. A breakdown by priority can be found below:

[Image: breakdown of this month’s SAP Security notes by priority]

For organisations using SAP software it is important to have a process and procedures in place that ensure the SAP Security notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and applying them in an automated way on ABAP systems (for the patches that come with automatic correction instructions). A full overview of this month’s SAP Security notes can be found below:

| SAP Security note # | Description | CVSS v3 Score | Priority |
| --- | --- | --- | --- |
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews |
| 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 9.9 | HotNews |
| 3249990 | Multiple Vulnerabilities in SQLite bundled with SAPUI5 (related CVEs: CVE-2021-20223, CVE-2022-35737) | 9.8 | HotNews |
| 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | 9.6 | HotNews |
| 3256571 | [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform (additional CVE: CVE-2022-41212) | 8.7 | High |
| 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | 8.1 | High |
| 3263436 | [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer (Product: SAP 3D Visual Enterprise Author, Version 9.0) | 7.0 | High |
| 3229987 | [CVE-2022-41259] Denial of service (DOS) in SAP SQL Anywhere | 6.5 | Medium |
| 3260708 | [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | 6.5 | Medium |
| 2495712 | Missing authorization check in SAP Automotive Solutions | 6.5 | Medium |
| 3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 6.1 | Medium |
| 3238042 | [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct | 6.1 | Medium |
| 3218159 | Insufficient Session Expiration in Central Fiori Launchpad | 6.1 | Medium |
| 3237251 | [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows | 5.5 | Medium |
| 3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Medium |

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!