A review, best practices and tips and tricks for this month's SAP Security patches – Fixing SAP vulnerabilities.
It's that day of the month again, the last SAP Security Patch Tuesday of 2022: the second Tuesday of the month, on which SAP releases patches for vulnerabilities in its products, whether discovered internally by SAP or by external researchers such as Protect4S' own. All of this aims to improve SAP's product security and to help SAP customers run their systems more securely.
As always, customers should assess the list of released SAP Security Notes and apply them where applicable, in line with their SAP Vulnerability Management process and procedures. This month's patches include several high CVSS scores. Notes that deserve attention are:
- Customers using SAP NetWeaver Process Integration should address the two HotNews notes 3267780 (Messaging System) and 3273480 (User Defined Search). These notes have CVSS scores of 9.4 and 9.9 respectively and could allow an attacker full read access to user data, limited modifications to user data and degradation of system performance, that is, a high impact on confidentiality and a limited impact on the integrity and availability of the application.
- Customers using SAP BusinessObjects should address the HotNews note 3239475 – [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform. This note has a CVSS score of 9.9/10; the vulnerability has a high impact on the confidentiality, integrity and availability of the system.
- A HotNews note has been released for the SaaS solution SAP Commerce: note 3271523 – Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce. This vulnerability has a CVSS score of 9.8/10 and lies in the open-source Java library Apache Commons Text, which is bundled with SAP Commerce. For more details see CVE-2022-42889.
At the moment of writing there are, to our knowledge, no public exploits available for the above-mentioned notes. A total of 20 notes have been released this month: 14 new ones and 6 updates to older notes or additions to last month's Patch Tuesday. A breakdown by priority, taken from the table below: 5 HotNews, 5 High and 10 Medium.
For organisations using SAP software it is important to have a process and procedures in place that ensure that every month the SAP Security Notes are reviewed, assessed for relevance and risk, and applied. The Protect4S Vulnerability Management solution supports this process by automatically scanning your SAP landscape for missing SAP Security Notes and applying them automatically on ABAP systems (for notes that ship with automatic correction instructions). A full overview of this month's SAP Security Notes can be found below (these are the new and updated notes released after last month's Patch Tuesday):
| SAP Security Note # | Description | CVSS v3 Score | Priority |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10.0 | HotNews |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search) | 9.9 | HotNews |
| 3239475 | [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform | 9.9 | HotNews |
| 3271523 | Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce | 9.8 | HotNews |
| 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System) | 9.4 | HotNews |
| 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8.8 | High |
| 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | 8.5 | High |
| 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | 8.2 | High |
| 3248255 | [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce | 8.0 | High |
| 3249990 | Multiple Vulnerabilities in SQLite bundled with SAPUI5 | 7.5 | High |
| 3266846 | [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management | 6.5 | Medium |
| 2872782 | [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00 | 6.1 | Medium |
| 3271313 | [CVE-2022-41275] Open Redirect in SAP Solution Manager (Enterprise Search) | 6.1 | Medium |
| 3258950 | Update 1 to Security Note 2872782 – [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) | 6.1 | Medium |
| 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | 6.1 | Medium |
| 3265173 | [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) | 6.0 | Medium |
| 3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Medium |
| 3249648 | [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) | 4.3 | Medium |
| 3270399 | [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management | 4.3 | Medium |
| 3234755 | Information Disclosure vulnerability in Master Data Governance | 4.3 | Medium |
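The monthly review step described above (collect the notes, check their scores, assess relevance for your landscape, order the patch work) is easy to script once the list is in hand. The following is an added example written for this page; it is not Protect4S code and not an SAP tool. It parses note rows in the pipe-delimited layout of the table above (single or double pipes), normalises the comma-decimal CVSS scores, derives the CVSS v3 qualitative rating, checks it against the CVSS bands SAP uses for its note priorities (HotNews 9.0 and up, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), filters by product keywords and sorts the result for patch planning. The sample rows are copied from this month's table; the product keyword list for the example landscape is an assumption, and matching on title keywords is a heuristic that a real check against installed software components would replace.

```python
"""Triage helper for a monthly list of SAP Security Notes (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Sample rows copied from this month's note table (not fabricated data).
SAMPLE_TABLE = """\
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search) | 9,9 | HotNews |
| 3271523 | Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce | 9,8 | HotNews |
| 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | 8,8 | High |
| 3249990 | Multiple Vulnerabilities in SQLite bundled with SAPUI5 | 7,5 | High |
| 3258950 | Update 1 to Security Note 2872782 – [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) | 6,1 | Medium |
| 3249648 | [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) | 4,3 | Medium |
"""

CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


@dataclass(frozen=True)
class Note:
    number: str          # SAP Security Note number
    title: str
    cvss: float          # CVSS v3 base score, 0.0 to 10.0
    priority: str        # priority as published by SAP
    cve: Optional[str]   # first CVE id found in the title, if any
    is_update: bool      # "Update n to Security Note ..." rows


def parse_cvss(score: str) -> float:
    """Accept both '9,9' (comma decimal, as in the table) and '9.9'."""
    value = float(score.strip().replace(",", "."))
    if not 0.0 <= value <= 10.0:
        raise ValueError(f"CVSS score out of range: {score!r}")
    return value


def parse_rows(text: str) -> List[Note]:
    """Parse pipe-delimited rows; header, separator and blank lines are skipped."""
    notes = []
    for line in text.splitlines():
        # Dropping empty cells makes '|a||b|' and '|a|b|' parse the same way.
        cells = [c.strip() for c in line.strip().strip("|").split("|") if c.strip()]
        if len(cells) != 4 or not cells[0].isdigit():
            continue
        number, title, score, priority = cells
        match = CVE_RE.search(title)
        notes.append(Note(number, title, parse_cvss(score),
                          priority.replace(" ", ""),  # "Hot News" -> "HotNews"
                          match.group(0) if match else None,
                          title.lower().startswith("update")))
    return notes


def cvss_severity(score: float) -> str:
    """CVSS v3.x qualitative severity rating."""
    if score >= 9.0:
        return "Critical"
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low" if score > 0.0 else "None"


def expected_priority(score: float) -> str:
    """SAP note priority implied by the CVSS score."""
    return {"Critical": "HotNews", "High": "High", "Medium": "Medium"}.get(
        cvss_severity(score), "Low")


def mismatches(notes: List[Note]) -> List[Note]:
    """Notes whose published priority does not match their CVSS band (worth a second look)."""
    return [n for n in notes if expected_priority(n.cvss) != n.priority]


def relevant_notes(notes: List[Note], installed_products: List[str]) -> List[Note]:
    """Relevance filter on product keywords in the title (heuristic, see lead-in)."""
    keys = [p.lower() for p in installed_products]
    return [n for n in notes if any(k in n.title.lower() for k in keys)]


def triage_order(notes: List[Note]) -> List[Note]:
    """Highest CVSS first; at equal score, standalone notes before update notes."""
    return sorted(notes, key=lambda n: (-n.cvss, n.is_update, n.number))


if __name__ == "__main__":
    all_notes = parse_rows(SAMPLE_TABLE)
    # Assumed example landscape: ABAP and BusinessObjects, no SAP Commerce.
    landscape = ["NetWeaver", "BASIS", "BusinessObjects", "Business Objects", "SAPUI5"]
    for n in triage_order(relevant_notes(all_notes, landscape)):
        print(f"{n.number}  {n.cvss:>4}  {n.priority:<8} {n.cve or '-':<15} {n.title[:60]}")
    for n in mismatches(all_notes):
        print(f"check priority of note {n.number}: {n.priority} vs CVSS {n.cvss}")
```

Run it as a script to get the ordered work list for the example landscape; feed it your own exported note list and installed-product keywords to reproduce the monthly assessment. The priority cross-check is deliberately separate from the sort: the score drives the order, while a mismatch between score and published priority is a signal to read the note rather than a reason to reclassify it.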