A review, best practices, and tips and tricks for this month's SAP Security patches: fixing SAP vulnerabilities.
It's that day of the month again: SAP Security Patch Tuesday, the second Tuesday of the month, when SAP releases its patches for vulnerabilities in SAP products. These vulnerabilities are discovered either internally by SAP or by external researchers, such as Protect4S' own researchers, all working to improve the security of SAP's products and to help SAP customers run their SAP systems more securely.
As always, customers should assess the list of released SAP Security Notes and apply them where applicable, in line with their SAP vulnerability management process and procedures. This month's patches include some high CVSS scores. Notes that deserve particular attention:
- Customers using SAP BusinessObjects should address HotNews note 3243924, [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad). This note has a CVSS score of 9.9/10; successful exploitation could severely compromise the confidentiality, integrity and availability of the system.
- A HotNews note has been released for SAPUI5: note 3249990, [CVE-2021-20223] Multiple Vulnerabilities in SQLite bundled with SAPUI5. This note has a CVSS score of 9.8/10, and SAPUI5 is in use at many SAP customers, so make sure to check your SAP landscape for this vulnerability.
A total of 15 notes have been released this month: 10 new ones and 5 updates to older notes or additions to last month's Patch Tuesday. By priority, that is 4 HotNews, 3 High and 8 Medium notes.
For organisations using SAP software it is important to have a process and procedures in place that make sure the SAP Security Notes are reviewed every month, assessed for relevance and risk, and that the patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security Notes and applying them in an automated way on ABAP systems (for the notes that ship with automatic correction instructions). A full overview of this month's SAP Security Notes can be found below:
| SAP Security Note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews |
| 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 9.9 | HotNews |
| 3249990 | Multiple Vulnerabilities in SQLite bundled with SAPUI5. Related CVEs: CVE-2021-20223, CVE-2022-35737 | 9.8 | HotNews |
| 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | 9.6 | HotNews |
| 3256571 | [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform. Additional CVE: CVE-2022-41212 | 8.7 | High |
| 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | 8.1 | High |
| 3263436 | [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer. Product: SAP 3D Visual Enterprise Author, version 9.0 | 7.0 | High |
| 3229987 | [CVE-2022-41259] Denial of service (DoS) in SAP SQL Anywhere | 6.5 | Medium |
| 3260708 | [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | 6.5 | Medium |
| 2495712 | Missing authorization check in SAP Automotive Solutions | 6.5 | Medium |
| 3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 6.1 | Medium |
| 3238042 | [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct | 6.1 | Medium |
| 3218159 | Insufficient Session Expiration in Central Fiori Launchpad | 6.1 | Medium |
| 3237251 | [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows | 5.5 | Medium |
| 3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Medium |