Skip to content
SAP security Patch day

SAP Security Patch Day – December 2022

08f4ab4c66997156c778169c9fc04205?s=96&d=mm&r=g
Christoph Nagy
Managing director
December 13, 2022
4 min read
Chapters

Share Article

SAP Security Patches December 2022

Today SAP released 14 new SAP security updates, as well as 4 updates from previous releases. The patch day in December stands out because again 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So unfortunately everything else than a contemplative pre-Christmas period for those responsible for SAP patching. Many will probably have looked forward to a quiet pre-Christmas period. Now memories of the past Christmas of 2021 come up, where Log4j2 kept the teams on their toes. However, it’s not quite that bad in comparison to last year, the patches are available and just need to be applied.

Note 3239475 listed as CVE-2022-41267 resolves a vulnerability in the SAP Business Object Platform. No workarounds are known so far. The correction is done by installing a support package.

At 3273480 comes another note with priority Hot News that fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround, however SAP points out that specific prerequisites must be met in order for the attack to be successful.

An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open source java library Apache Commons Text that contains a flaw with CVE-2022-42889. In this case SAP points to a workaround.

The last of our four hot news releases today is advisory 3267780, which also resolves a vulnerability in SAP process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. The vulnerability is fixed via a support package, which is filed in the Security Note. For more information, see also the Knowledge Base article number 3271729.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The December release contains a total of 17 patches for the following severities:

Severity Number
Hot News
4
High
4
Medium
9
Note Description Severity CVSS
3265173 [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
Medium 6,0
3258950 Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-BSP
Category: Program error
Medium 6,1
3267780 [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-MSG
Category: Program error
Hot News 9,4
3271313 [CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-EIM-ESH
Category: Program error
Medium 6,1
3239475 [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.12.2022
Components: BI-BIP-SRV
Category: Program error
Hot News 9,9
3266846 [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: EPM-DSM-GEN
Category: Program error
Medium 6,5
3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-JAS-WEB
Category: Program error
Medium 6,1
3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-UDS
Category: Program error
Hot News 9,9
3248255 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce
Priority: Correction with high priority
Released on: 13.12.2022
Components: CEC-COM-CPS
Category: Program error
High 8,0
3249648 [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BI-RA-WBI
Category: Program error
Medium 4,3
3271523 Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce
Priority: HotNews
Released on: 13.12.2022
Components: CEC-COM-CPS-COR
Category: Program error
Hot News 9,8
3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
Priority: Correction with high priority
Released on: 13.12.2022
Components: EPM-BPC-NW
Category: Program error
High 8,5
3268172 [CVE-2022-41264] Code Injection vulnerability in SAP BASIS
Priority: Correction with high priority
Released on: 13.12.2022
Components: BC-DB-HDB-POR
Category: Program error
High 8,8
3270399 [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SRM-ESO-SEC
Category: Program error
Medium 4,3
2872782 [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00
Priority: Correction with medium priority
Released on: 14.04.2020
Components: BC-BSP
Category: Program error
Medium 6,1
3234755 Information Disclosure vulnerability in Master Data Governance
Priority: Correction with medium priority
Released on: 11.10.2022
Components: CA-MDG-APP-CUS
Category: Program error
Medium 4,3
3229132 [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)
Priority: Correction with high priority
Released on: 11.10.2022
Components: BI-BIP-ADM
Category: Program error
High 8,2