Skip to main content
Blog

SAP Patch Tuesday overview for December 2022

By 13 December 2022December 21st, 2022No Comments

A review, best practices and tips and tricks for this months’ SAP Security patches – Fixing SAP vulnerabilities.  

Patch

It’s that day of the month again, the last SAP Security Patch Tuesday of 2022! The 2nd Tuesday in the month when SAP releases their patches to fix vulnerabilities in SAP products. Either being discovered by SAP internally, or by external researchers such as Protect4S’ own researchers. All trying to improve SAP’s product security and have SAP customers run their SAP systems more secure.  

As always, customers should assess the list of released SAP Security notes and apply them where applicable and conform their SAP Vulnerability Management process and procedures. This month’s patches do have some high CVSS scores. Notes of attention are:  

  • Customers using SAP Process Integration should address the 2 HotNews notes with numbers 3267780 and 3273480. These notes have CVSS scores of 9,4 and 9,9 and could allow the attacker to have full read access for user data, make limited modifications to user data and degrade performance of the system, leading to high impact on confidentiality and limited impact on availability and integrity of the application. 
  • Customers using SAP Business Objects should address the HotNews note with number 3239475[CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform. This note has a CVSS score of 9,9/10 and could highly compromise the Confidentiality, Integrity, and Availability of the system.  
  • A HotNews note has been released for the SAAS Solution SAP Commerce with number 3271523Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce. This vulnerability has a CVSS score of 9,8/10 and is a vulnerability in the open-source Java library Apache Commons Text which is incorporated in SAP Commerce. For more details see CVE-2022-42889.  

At the moment of writing there are no public exploits available to our knowledge for the above-mentioned notes. A total of 20 new notes have been released this month: 14 new ones and 6 updates to older notes or additions to last month’s Patch Tuesday. A breakdown by priority can be found below: 

image - SAP Patch Tuesday overview for December 2022

For organisations using SAP software it is important to have a process and procedures in place that ensures that every month the SAP Security notes are reviewed, assessed for relevance and risk and that patches are applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security notes and apply them in an automated way for ABAP systems (for the patches with automatic correction instructions). A full overview of this months’ SAP Security notes can be found below (These are new and updated notes released after last months’ patch Tuesday): 

SAP Security note # Description CVSS v3 Score Priority 
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client 10 HotNews 
3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search) 9,9 HotNews 
3239475 [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform 9,9 HotNews 
3271523 Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce 9,8 HotNews 
3267780 [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System) 9,4 HotNews 
3268172 [CVE-2022-41264] Code Injection vulnerability in SAP BASIS 8,8 High 
3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation 8,5 High 
3229132 [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) 8,2 High 
3248255 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce High 
3249990 Multiple Vulnerabilities in SQlite bundled with SAPUI5 7,5 High 
3266846 [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management 6,5 Medium 
2872782 [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP ‚Äì Business Server Pages Test Application IT00 6,1 Medium 
3271313 [CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search) 6,1 Medium 
3258950 Update 1 to Security Note 2872782 – [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) 6,1 Medium 
3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) 6,1 Medium 
3265173 [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) Medium 
3251202 [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform 4,7 Medium 
3249648 [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) 4,3 Medium 
3270399 [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management 4,3 Medium 
3234755 Information Disclosure vulnerability in Master Data Governance 4,3 Medium 

For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn and our YouTube channel!