SAP Security Patch Day – January 2022
On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.
Log4j - Still a major concern?
Yesterday SAP published consolidated January patches, same as every 2nd Tuesday of a month. After the Log4j vulnerability, which also went by the name Log4Shell, most companies have been on tenterhooks. SAP has been publishing a collective advisory note, 3131047, titled “Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component”. It combines all fixes and recommendations in one central location. This is not only a very convenient approach for customers, it also highlights how far-reaching the impact of the vulnerability is, also for SAP customers.
Note 3131047 now contains 20 additional correction instructions and references 19 notes describing a possible workaround. We have been following the releases and updates in details. With SecurityBridge Patch Management our customers have an optimal solution at hand to be informed promptly about the release and the relevance of a security fix.
The severity and danger posed by the Log4j 2 vulnerability should not be underestimated. Especially when exploitation guidance is published, an existing vulnerability becomes a major threat. After Log4j denied the security team and SAP experts enjoying a quiet holiday season, most of the fixes and mitigations actions should already be implemented. If you need help with this or need to pull in additional SAP expert advice, feel free to contact us.
Highlights (other than Log4j)
Unfortunately, the January SAP Patch Day not only deals with Log4j vulnerabilities . Besides collective note 3131047, 8 more security notes have been published. You should now also check these to understand if there is any relevance for your SAP system landscape.
(SNote 3112928) All customers using S4/HANA and the Create Single Payment application should take a look at this fix. Due to the vulnerability, it cannot be ensured that uploaded files are sufficiently checked and thus the possibility for attackers to possibly even introduce ransomware could arise.
(SNote 3123196) This correction updates a note previously published in December. We strongly recommend that you update the affected systems to prevent code from being injected.
(SNote 3124597) A medium rating is given for a vulnerability in SAP’s own Enterprise Threat Detection Product, that allows the attacker to make malicious entries using cross-site scripting.
Summary by Severity
The January release contains a total of 9 patches for the following severities: