SAP Security Patch Day – December 2022
Chapters
Share Article
SAP Security Patches December 2022
Today SAP released 14 new SAP security updates, as well as 4 updates from previous releases. The patch day in December stands out because again 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So unfortunately everything else than a contemplative pre-Christmas period for those responsible for SAP patching. Many will probably have looked forward to a quiet pre-Christmas period. Now memories of the past Christmas of 2021 come up, where Log4j2 kept the teams on their toes. However, it’s not quite that bad in comparison to last year, the patches are available and just need to be applied.
Note 3239475 listed as CVE-2022-41267 resolves a vulnerability in the SAP Business Object Platform. No workarounds are known so far. The correction is done by installing a support package.
At 3273480 comes another note with priority Hot News that fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround, however SAP points out that specific prerequisites must be met in order for the attack to be successful.
An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open source java library Apache Commons Text that contains a flaw with CVE-2022-42889. In this case SAP points to a workaround.
The last of our four hot news releases today is advisory 3267780, which also resolves a vulnerability in SAP process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. The vulnerability is fixed via a support package, which is filed in the Security Note. For more information, see also the Knowledge Base article number 3271729.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The December release contains a total of 17 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
4 |
|
High
|
4 |
|
Medium
|
9 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 3265173 | [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) Priority: Correction with medium priority Released on: 13.12.2022 Components: SV-SMG-DIA-SRV-AGT Category: Program error |
Medium | 6,0 |
| 3258950 | Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP
(BSP Test Application) Priority: Correction with medium priority Released on: 13.12.2022 Components: BC-BSP Category: Program error |
Medium | 6,1 |
| 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging
System) Priority: HotNews Released on: 13.12.2022 Components: BC-XI-CON-MSG Category: Program error |
Hot News | 9,4 |
| 3271313 | [CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search) Priority: Correction with medium priority Released on: 13.12.2022 Components: BC-EIM-ESH Category: Program error |
Medium | 6,1 |
| 3239475 | [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence
Platform Priority: HotNews Released on: 13.12.2022 Components: BI-BIP-SRV Category: Program error |
Hot News | 9,9 |
| 3266846 | [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management Priority: Correction with medium priority Released on: 13.12.2022 Components: EPM-DSM-GEN Category: Program error |
Medium | 6,5 |
| 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider
Service) Priority: Correction with medium priority Released on: 13.12.2022 Components: BC-JAS-WEB Category: Program error |
Medium | 6,1 |
| 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined
Search) Priority: HotNews Released on: 13.12.2022 Components: BC-XI-CON-UDS Category: Program error |
Hot News | 9,9 |
| 3248255 | [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce Priority: Correction with high priority Released on: 13.12.2022 Components: CEC-COM-CPS Category: Program error |
High | 8,0 |
| 3249648 | [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence
Platform (Web intelligence) Priority: Correction with medium priority Released on: 13.12.2022 Components: BI-RA-WBI Category: Program error |
Medium | 4,3 |
| 3271523 | Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce Priority: HotNews Released on: 13.12.2022 Components: CEC-COM-CPS-COR Category: Program error |
Hot News | 9,8 |
| 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation Priority: Correction with high priority Released on: 13.12.2022 Components: EPM-BPC-NW Category: Program error |
High | 8,5 |
| 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS Priority: Correction with high priority Released on: 13.12.2022 Components: BC-DB-HDB-POR Category: Program error |
High | 8,8 |
| 3270399 | [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle
Management Priority: Correction with medium priority Released on: 13.12.2022 Components: SRM-ESO-SEC Category: Program error |
Medium | 4,3 |
| 2872782 | [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test
Application IT00 Priority: Correction with medium priority Released on: 14.04.2020 Components: BC-BSP Category: Program error |
Medium | 6,1 |
| 3234755 | Information Disclosure vulnerability in Master Data Governance Priority: Correction with medium priority Released on: 11.10.2022 Components: CA-MDG-APP-CUS Category: Program error |
Medium | 4,3 |
| 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
(Program Objects) Priority: Correction with high priority Released on: 11.10.2022 Components: BI-BIP-ADM Category: Program error |
High | 8,2 |