SAP Security Patch Day – October 2022
October 11th is not only the monthly SAP Security Patch Day. It is also the first day of the annual DSAG conference, this year taking place in Leipzig. The German-speaking SAP user community will meet in Leipzig from 11-13 October, and the topic of an SAP Security Dashboard is coming back. A holistic overview of current vulnerabilities manifested in security events, including a reliable overview of relevant and pending SAP Security Patches, has been desired by SAP customers for many years. Such a dashboard would show 15 new SAP security notes for the October SAP Security Patch Day. Ideally, only those notes applicable to the customer landscape would show as pending implementation. This would make patching considerably easier for customers, as checking all systems manually is time-consuming and often prone to errors.
SecurityBridge customers already have access to a patch management dashboard, which is desired and demanded by many companies running SAP. Looking at the corrections released in October's Patch Day, the dashboard is useful to quickly triage and coordinate patching based on the SAP products you have installed.
SAP Security Patches October 2022
From September 14th to October 11th, 22 SAP security patches were released or updated. Seventeen notes (15 new and two updates) were officially assigned to the October Patch Day by the SAP Response Team.
With a CVSS of 9.9, note 3242933 is classified as "Hot News" priority. SAP corrects a file path traversal vulnerability in SAP Manufacturing Execution. There is one more "Hot News" note (CVSS 9.6), a patch dealing with a clickjacking vulnerability in the SAP Commerce login form (SNote 3239152). Customers using the affected SAP products should take immediate action because, according to our experts, the existing vulnerabilities pose a direct exploitation risk.
We should be concerned about five other corrections for vulnerabilities with a high-priority classification. Users of the SAP 3D Visual Enterprise and SAP BusinessObjects products are affected. For a complete list of released SAP security patches, please see our overview below:
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The October release contains a total of 17 patches for the following severities:
Severity | Number |
---|---|
Hot News | 2 |
High | 5 |
Medium | 10 |
Note | Description | Component | Category | Released on | Severity | CVSS |
---|---|---|---|---|---|---|
3239293 | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) | BI-BIP-ADM | Program error | 11.10.2022 | High | 7.7 |
3229425 | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP | BI-RA-AWB | Program error | 11.10.2022 | Medium | 5.4 |
3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | BI-BIP-ADM | Program error | 11.10.2022 | High | 8.2 |
3211161 | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | BI-BIP-INV | Program error | 11.10.2022 | Medium | 6.1 |
3248970 | [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Program error | 11.10.2022 | Medium | 4.9 |
3248384 | [CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Program error | 11.10.2022 | Medium | 4.9 |
3245929 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | CA-VE-VEA | Program error | 11.10.2022 | High | 7.0 |
3245928 | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | CA-VE-VEV | Program error | 11.10.2022 | High | 7.0 |
3242933 | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | MFG-ME | Program error | 11.10.2022 | Hot News | 9.9 |
3202523 | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | CEC-COM-CPS | Program error | 11.10.2022 | Medium | 6.1 |
3049899 | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | KM-SEN-MGR | Upgrade information | 11.10.2022 | Medium | 6.5 |
3167342 | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | EIM-DS-SVR | Program error | 11.10.2022 | Medium | 4.8 |
3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | CEC-COM-CPS | Program error | 11.10.2022 | Hot News | 9.6 |
3234755 | Information Disclosure vulnerability in Master Data Governance | CA-MDG-APP-CUS | Program error | 11.10.2022 | Medium | 4.3 |
3233226 | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | BI-BIP-LCM | Program error | 11.10.2022 | Medium | 6.8 |
3232021 | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | BC-SYB-SQA | Program error | 11.10.2022 | High | 8.1 |
3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-RFC | Program error | 12.07.2022 | Medium | 4.9 |