SAP Security Patch Day – July 2022
Chapters
Share Article
Tuesday 12th July 2022 is yet another SAP Security Patch Day. The SAP Response Team releases corrections and instructions to address vulnerabilities across the SAP SE product portfolio. This patching Tuesday SAP released 22 security updates. The complete list with direct links to the SAP Support Portal can be found below.
SAP Security Patches June 2022
A quick glance at the July list shows that no SAP vulnerabilities were fixed that are considered Hot News. In SAP parlance, “Hot News” is used for all fixes that have a CVSS between 9.1 and 10. That’s good news for now!
Nevertheless, we can’t avoid taking a closer look at the publications. By the way, all SAP customers should do this, even if it requires some time and expert knowledge month after month. In July, we see 4 advisories with severity level High, 17 with severity Medium and one classified as a Low severity – summing up to total of 19 corrections, which awaited our review.
Highlights
Today we can start with what we do not find. Namely, we miss our old acquaintance the security updates in the Google Chromium Engine of the SAP Business Client, which was always rated with CVSS 10. Especially customers using the products SAP NetWeaver Enterprise Portal and SAP BusinessObjects should pay attention to this SAP Security Patch Day, because most of the fixes are related to these SAP products.
SAP NetWeaver Enterprise Portal
SAP NetWeaver Portal also known as Enterprise Portal (EP) is one of the components of the NetWeaver architecture. The on-premise SAP portal solution offers a single point of access to SAP information sources inside your organization. The Enterprise Portal can be accessed from desktops and from mobile devices such as smartphones or tablets.
We count a total of 6 security corrections that deal with Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver Enterprise Portal. Since this solution communicates not only internally, but also in unprotected networks, we strongly recommend you check the fixes that have been rated with CVSS 6.1. Not necessary to emphasize that the public accessible SAP NetWeaver Enterprise Portal must be prioritized. Threat actors can find such SAP instances using a simple Goolge-Search query “inurl:/irj/portal” as described on the Exploit-Database page.
SAP BusinessObjects
Business Objects was purchased by SAP in 2007. SAP BO is often used to create high level reports based on the interaction (Interactive reports) generated by using dashboards and score cards. Typically, the report data is sourced from SAP Business Warehouse (BW).
Again, we count 6 fixes that revolve around SAP BusinessObjects (BO). Among them also the one with the highest severity (8.3), SNote 3221288: Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console). For the most part, “information disclosure” vulnerabilities are corrected. But what does information disclosure mean?
Information disclosure, also known as information leakage, occurs when an application or website unintentionally discloses sensitive information to its users. Depending on the context, especially enterprise critical SAP applications can disclose all sorts of information to a potential attacker, including
- Data about users and business partners including financial information
- Sensitive commercial data and trade secrets
- but also technical details about the application or infrastructure.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The July release contains a total of 22 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
0 |
|
High
|
4 |
|
Medium
|
17 |
|
Low
|
1 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3220746 | [CVE-2022-35171] Improper Input Validation in SAP 3D Visual Enterprise Viewer Priority: Correction with low priority Released on: 12.07.2022 Components: CA-VE-VEV Category: Program error |
Low | 3,3 |
| 3216161 | [CVE-2022-32248] Missing Input Validation in Manage Checkbooks component of SAP S/4HANA Priority: Correction with medium priority Released on: 12.07.2022 Components: FI-FIO-AP Category: Program error |
Medium | 4,3 |
| 3213826 | [CVE-2022-31597] Missing Authorization check in SAP S/4HANA(business partner extension for
Spain/Slovakia) Priority: Correction with medium priority Released on: 12.07.2022 Components: FI-LOC-FI-ES Category: Correction of legal function |
Medium | 5,4 |
| 3212997 | [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One Priority: Correction with high priority Released on: 12.07.2022 Components: SBO-CRO-SEC Category: Program error |
High | 7,6 |
| 3211760 | [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-WPC Category: Program error |
Medium | 6,1 |
| 3211203 | [CVE-2022-35168] Denial of Service vulnerability in SAP Business One Priority: Correction with medium priority Released on: 12.07.2022 Components: SBO-CRO-SEC Category: Program error |
Medium | 4,3 |
| 3210779 | [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-GPA Category: Program error |
Medium | 6,1 |
| 3209557 | [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-TOL Category: Program error |
Medium | 6,1 |
| 3208880 | [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-PRT Category: Program error |
Medium | 6,1 |
| 3208819 | [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-AI Category: Program error |
Medium | 6,1 |
| 3207902 | [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal Priority: Correction with medium priority Released on: 12.07.2022 Components: EP-PIN-URL Category: Program error |
Medium | 6,1 |
| 3157613 | [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API) Priority: Correction with high priority Released on: 12.07.2022 Components: SBO-CRO-SEC Category: Program error |
High | 7,5 |
| 3196280 | [CVE-2022-31592] Missing Authorization check in EA-DFPS Priority: Correction with medium priority Released on: 12.07.2022 Components: IS-DFS-MM Category: Program error |
Medium | 4,3 |
| 3191012 | [CVE-2022-31593] Code Injection vulnerability in SAP Business One Priority: Correction with high priority Released on: 12.07.2022 Components: SBO-CRO-SEC Category: Program error |
High | 7,4 |
| 3169239 | [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence
Platform 4.x Priority: Correction with medium priority Released on: 12.07.2022 Components: BI-BIP-ADM Category: Program error |
Medium | 6,5 |
| 3167430 | [CVE-2022-31591] Privilege Escalation vulnerability in SAP BusinessObjects (BW Publisher
Service) Priority: Correction with medium priority Released on: 12.07.2022 Components: BI-BIP-IK-PAR-SAP Category: Program error |
Medium | 5,6 |
| 3221288 | [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
(Central management console) Priority: Correction with high priority Released on: 12.07.2022 Components: BI-BIP-CMC Category: Program error |
High | 8,3 |
| 3213279 | [CVE-2022-31598] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects Priority: Correction with medium priority Released on: 12.07.2022 Components: BI-BIP-CMC Category: Program error |
Medium | 5,4 |
| 3203079 | [CVE-2022-32246] SQL Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Visual
Difference Application) Priority: Correction with medium priority Released on: 12.07.2022 Components: BI-BIP-VD Category: Program error |
Medium | 5,4 |
| 3194361 | [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
(LCM) Priority: Correction with medium priority Released on: 12.07.2022 Components: BI-BIP-SRV Category: Program error |
Medium | 6,0 |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: Correction with medium priority Released on: 12.07.2022 Components: BC-MID-RFC Category: Program error |
Medium | 4,9 |
| 3150463 | Information Disclosure vulnerability in ABAP Platform Priority: Correction with medium priority Released on: 12.07.2022 Components: BC-MID-RFC Category: Program error |
Medium | 4,9 |