SAP Security Patch Day – November 2022
Today, November 8th, 2022, SAP releases security fixes for its product portfolio for the penultimate time this year as part of the November SAP Security Patch Day. SAP released 10 patches and updated 2 security notes from the previous Patch Day.
The following article describes how to use the Expert Search if you encounter a different number in the Security Notes application of SAP's Support Launchpad.
The Expert Search shows 14 Security Patches between the previous SAP Security Patch Day and the November release.
Have you ever wondered why SAP Security Patch installation can’t be as easy as you’re used to with Windows Update? Join our webinar on November 10th at 3 pm CET. Senior Cybersecurity Analyst at Lonza will talk about his experiences with SAP Cybersecurity and our CTO Ivan Mans will show how SecurityBridge Patch Management can ease your life and significantly increase your system security.
SAP Security Patches November 2022
In this section, you will find a summary of the highlights, i.e., the SAP Security Notes for which we recommend quick action. At the same time, you should check all Security Notes for updates, including those already implemented. Unfortunately, it also happens that SAP experts update a previous fix outside the regular SAP Patch Day.
A large number of SAP customers may be affected by note 3256571, which addresses several vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform. The corrected vulnerabilities are rated CVSS 8.7.
SAP BusinessObjects Business Intelligence Platform has received a fix with Hot News priority (CVSS 9.9). We recommend that you check note 3243924 for relevance. An authenticated attacker with relatively low privileges can inject malicious content, which could severely compromise the system's confidentiality, integrity, and availability. The experts at SAP also publish workaround instructions. If you can't install the patch mentioned in the note in the short term, we recommend you check the workaround and use it temporarily if necessary.
Customers using SAPUI5 on a library version other than 1.71.51, 1.84.29, 1.96.14, 1.102.8 or 1.105.2 should take a closer look at note 3249990 [CVE-2021-20223]. The year 2021 in the CVE number suggests that the vulnerability has existed for some time, so affected customers must ask themselves whether it was exploited unnoticed. The risk is particularly high in scenarios where the SAP Fiori/SAPUI5 user interface is exposed to untrusted networks.
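To turn the fixed SAPUI5 versions from note 3249990 into a quick inventory check, here is an added example (not code from SecurityBridge or SAP). It assumes that within a maintenance line (major.minor) any patch level at or above the listed one carries the fix, and that lines without a listed fix level need a separate upgrade decision; the system inventory is constructed sample data.

```python
# Added example: triage installed SAPUI5 library versions against the patch
# levels that note 3249990 lists as fixed. Assumption: a higher patch level on
# the same major.minor line includes the fix; other lines have no listed level.
FIXED_SAPUI5_VERSIONS = ["1.71.51", "1.84.29", "1.96.14", "1.102.8", "1.105.2"]


def parse_version(version):
    """Parse 'major.minor.patch' into an int tuple; reject anything else."""
    parts = version.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected SAPUI5 version format: {version!r}")
    return tuple(int(p) for p in parts)


def fixed_patch_levels(fixed=FIXED_SAPUI5_VERSIONS):
    """Map each maintenance line (major, minor) to its fixed patch level."""
    levels = {}
    for v in fixed:
        major, minor, patch = parse_version(v)
        levels[(major, minor)] = patch
    return levels


def sapui5_status(installed, fixed=FIXED_SAPUI5_VERSIONS):
    """Return 'fixed', 'vulnerable: ...' or a note that no level is listed."""
    major, minor, patch = parse_version(installed)
    levels = fixed_patch_levels(fixed)
    line = (major, minor)
    if line not in levels:
        return "no fixed level listed for this line"
    if patch >= levels[line]:
        return "fixed"
    return f"vulnerable: upgrade to {major}.{minor}.{levels[line]}"


def triage(inventory):
    """inventory: {system_id: installed_version} -> {system_id: status}."""
    return {sid: sapui5_status(ver) for sid, ver in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real systems.
    sample = {"ERP": "1.84.27", "CRM": "1.96.14", "BW": "1.90.3"}
    for sid, status in triage(sample).items():
        print(f"{sid}: {status}")
```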
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The November release contains a total of 10 patches for the following severities:
Severity | Number
---|---
Hot News | 2
High | 2
Medium | 6
Note | Description | Severity | CVSS
---|---|---|---
3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform. Priority: Correction with medium priority; Released on: 08.11.2022; Component: BC-MID-ICF; Category: Program error | Medium | 4.7
3218159 | Insufficient Session Expiration in Central Fiori Launchpad. Priority: Correction with medium priority; Released on: 08.11.2022; Component: CA-FLP-FE-COR; Category: Program error | Medium | 6.1
3263436 | [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer. Priority: Correction with high priority; Released on: 08.11.2022; Component: CA-VE-VEA; Category: Program error | High | 7.0
3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad). Priority: HotNews; Released on: 08.11.2022; Component: BI-RA-WBI-FE; Category: Program error | Hot News | 9.9
3249990 | [CVE-2021-20223] Multiple Vulnerabilities in SQLite bundled with SAPUI5. Priority: HotNews; Released on: 08.11.2022; Component: CA-UI5-VTK-VIT; Category: Program error | Hot News | 9.8
3229987 | [CVE-2022-41259] Denial of service (DoS) in SAP SQL Anywhere. Priority: Correction with medium priority; Released on: 08.11.2022; Component: BC-SYB-SQA; Category: Program error | Medium | 6.5
3238042 | [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct. Priority: Correction with medium priority; Released on: 08.11.2022; Component: FIN-FSCM-BD; Category: Program error | Medium | 6.1
3237251 | [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows. Priority: Correction with medium priority; Released on: 08.11.2022; Component: BC-FES-GUI; Category: Program error | Medium | 5.5
3256571 | [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform. Priority: Correction with high priority; Released on: 08.11.2022; Component: BC-CTS-TMS; Category: Program error | High | 8.7
3260708 | [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation. Priority: Correction with medium priority; Released on: 08.11.2022; Component: EPM-BFC-TCL-ADM-SEC; Category: Program error | Medium | 6.5