SAP Security Patch Day – May 2022
Chapters
Share Article
SAP customers need to pay attention to the release of the SAP security updates, which have been published on 10th May 2022. This months SAP Security Patch Day covers 13 (+2) patches that should be carefully reviewed.
SAP Security Patches - May 2022
We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.
Highlights
In the May Patch Day, an update of the central note for Spring4Shell and another patch for the Web Dispatcher/Internet Communication Manager jumps out at us.
What has happened in terms of Spring4Shell?
Note 3170990 summarizes all security notes related to CVE-2022-22965. A new advisory has been added, 3189409 – [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Business One Cloud.
We would also like to point out that the notes 3189635 (published on 14.04.2022) and 3171258 (published on 18.04.2022) were published after the April patch day. So if you only pay attention to the SAP Patch Day notes, you might have missed them!
This time, too, the focus is on the SAP Web Dispatcher or the Internet Communication Manager (ICM). These components are so popular with attackers because they control access to the integrated webserver. It is not uncommon these components can be accessed from the outside, which is why a timely update is highly recommended. Please note the following security patch with CVSS 8.3 of 10: 3145046 – [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in the administration UI of SAP Web Dispatcher and SAP Netweaver AS for ABAP and Java (ICM)
Notes 3165801 (Missing Authorization check in SAP NetWeaver Application Server for ABAP) and 3145702 (Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver, and ABAP Platform) also close existing vulnerabilities in widely used SAP components and should therefore be noted.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The May release contains a total of 15 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
4 |
|
High
|
2 |
|
Medium
|
9 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring
Framework Priority: HotNews Released on: 12.04.2022 Components: XX-SER-SN Category: Program error |
Hot News | 9,8 |
| 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence
Update Priority: Correction with high priority Released on: 10.05.2022 Components: BI-BIP-INS Category: Program error |
High | 7,8 |
| 2756188 | Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments front-end Priority: Correction with medium priority Released on: 10.05.2022 Components: FI-FIO-AP Category: Program error |
Medium | 6,3 |
| 2754555 | Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments back-end Priority: Correction with medium priority Released on: 10.05.2022 Components: FI-FIO-AP Category: Program error |
Medium | 6,3 |
| 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP
Platform Priority: Correction with medium priority Released on: 10.05.2022 Components: BC-ABA-LI Category: Program error |
Medium | 6,5 |
| 3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave
Request) Priority: Correction with medium priority Released on: 10.05.2022 Components: PA-FIO-LEA Category: Program error |
Medium | 6,5 |
| 3158188 | [CVE-2022-28774] Information Disclosure vulnerability in SAP Host Agent logfile Priority: Correction with medium priority Released on: 10.05.2022 Components: BC-CCM-HAG Category: Program error |
Medium | 5,3 |
| 3189409 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP
Business One Cloud Priority: HotNews Released on: 10.05.2022 Components: SBO-CRO-SEC Category: Program error |
Hot News | 9,8 |
| 3146336 | [CVE-2022-29610] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server
ABAP Priority: Correction with medium priority Released on: 10.05.2022 Components: CA-UI2-THD Category: Program error |
Medium | 5,4 |
| 3145702 | [CVE-2022-29616] Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver and ABAP
Platform Priority: Correction with medium priority Released on: 10.05.2022 Components: BC-CST-MS Category: Program error |
Medium | 5,3 |
| 3145046 | [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP
Netweaver AS for ABAP and Java (ICM) Priority: Correction with high priority Released on: 10.05.2022 Components: BC-CST-WDP Category: Program error |
High | 8,3 |
| 3143161 | Missing Authorization check for UI5 flexibility key user functionality Priority: Correction with medium priority Released on: 10.05.2022 Components: CA-UI5-FL-LRP Category: Program error |
Medium | 4,3 |
| 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform Priority: Correction with medium priority Released on: 12.04.2022 Components: BC-MID-ICF Category: Program error |
Medium | 4,7 |
| 3171258 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP
Commerce Priority: HotNews Released on: 18.04.2022 Components: CEC-COM-CPS-WEB Category: Program error |
Hot News | 9,8 |
| 3189635 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer
Profitability Analytics Priority: HotNews Released on: 14.04.2022 Components: IS-T-MA Category: Program error |
Hot News | 9,8 |