Skip to content

SAP Security Patch Day – December 2022

SAP security Patch day

Today, December 13rd, 2022, is another day for SAP to release security updates for its wide-ranging product portfolio. The enterprise applications from Walldorf help companies to carry out their critical business transactions. This makes it all the more important to keep these software components continuously up-to-date. In any case, customers must try to promptly implement security-relevant updates and thereby comply with any legal requirements.

If you’ve ever wondered why SAP patching doesn’t work as easily as Windows updates, you should definitely watch our recorded webinar. In the recording you will learn how our customer Lonza, successfully deploys the SecurityBridge solution and SecurityBridge CTO, Ivan Mans, shows the patch management solution all SAP customers want.

 

SAP Security Patches December 2022

Today SAP released 14 new SAP security updates, as well as 4 updates from previous releases. The patch day in December stands out because again 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So unfortunately everything else than a contemplative pre-Christmas period for those responsible for SAP patching. Many will probably have looked forward to a quiet pre-Christmas period. Now memories of the past Christmas of 2021 come up, where Log4j2 kept the teams on their toes. However, it’s not quite that bad in comparison to last year, the patches are available and just need to be applied.

Note 3239475 listed as CVE-2022-41267 resolves a vulnerability in the SAP Business Object Platform. No workarounds are known so far. The correction is done by installing a support package.

At 3273480 comes another note with priority Hot News that fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround, however SAP points out that specific prerequisites must be met in order for the attack to be successful.

An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open source java library Apache Commons Text that contains a flaw with CVE-2022-42889. In this case SAP points to a workaround.

The last of our four hot news releases today is advisory 3267780, which also resolves a vulnerability in SAP process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. The vulnerability is fixed via a support package, which is filed in the Security Note. For more information, see also the Knowledge Base article number 3271729.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The December release contains a total of 17 patches for the following severities:

SeverityNumber
Hot News
4
High
4
Medium
9
NoteDescriptionSeverityCVSS
3265173[CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
Medium6,0
3258950Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-BSP
Category: Program error
Medium6,1
3267780[CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-MSG
Category: Program error
Hot News9,4
3271313[CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-EIM-ESH
Category: Program error
Medium6,1
3239475[CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.12.2022
Components: BI-BIP-SRV
Category: Program error
Hot News9,9
3266846[CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: EPM-DSM-GEN
Category: Program error
Medium6,5
3262544[CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-JAS-WEB
Category: Program error
Medium6,1
3273480[CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-UDS
Category: Program error
Hot News9,9
3248255[CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce
Priority: Correction with high priority
Released on: 13.12.2022
Components: CEC-COM-CPS
Category: Program error
High8,0
3249648[CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BI-RA-WBI
Category: Program error
Medium4,3
3271523Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce
Priority: HotNews
Released on: 13.12.2022
Components: CEC-COM-CPS-COR
Category: Program error
Hot News9,8
3271091[CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
Priority: Correction with high priority
Released on: 13.12.2022
Components: EPM-BPC-NW
Category: Program error
High8,5
3268172[CVE-2022-41264] Code Injection vulnerability in SAP BASIS
Priority: Correction with high priority
Released on: 13.12.2022
Components: BC-DB-HDB-POR
Category: Program error
High8,8
3270399[CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SRM-ESO-SEC
Category: Program error
Medium4,3
2872782[CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00
Priority: Correction with medium priority
Released on: 14.04.2020
Components: BC-BSP
Category: Program error
Medium6,1
3234755Information Disclosure vulnerability in Master Data Governance
Priority: Correction with medium priority
Released on: 11.10.2022
Components: CA-MDG-APP-CUS
Category: Program error
Medium4,3
3229132[CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)
Priority: Correction with high priority
Released on: 11.10.2022
Components: BI-BIP-ADM
Category: Program error
High8,2

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.