SAP Security Patch Day – January 2022

SAP Patchday

On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.

Log4j - Still a major concern?

Yesterday SAP published consolidated January patches, same as every 2nd Tuesday of a month. After the Log4j vulnerability, which also went by the name Log4Shell, most companies have been on tenterhooks. SAP has been publishing a collective advisory note, 3131047, titled “Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component”. It combines all fixes and recommendations in one central location. This is not only a very convenient approach for customers, it also highlights how far-reaching the impact of the vulnerability is, also for SAP customers.

Note 3131047 now contains 20 additional correction instructions and references 19 notes describing a possible workaround. We have been following the releases and updates in details. With SecurityBridge Patch Management our customers have an optimal solution at hand to be informed promptly about the release and the relevance of a security fix.

If you follow our blog regularly, you will already know that we run a dedicated Log4j Newsticker.

The severity and danger posed by the Log4j 2 vulnerability should not be underestimated. Especially when exploitation guidance is published, an existing vulnerability becomes a major threat. After Log4j denied the security team and SAP experts enjoying a quiet holiday season, most of the fixes and mitigations actions should already be implemented. If you need help with this or need to pull in additional SAP expert advice, feel free to contact us.

Highlights (other than Log4j)

Unfortunately, the January SAP Patch Day not only deals with Log4j vulnerabilities . Besides collective note 3131047, 8 more security notes have been published. You should now also check these to understand if there is any relevance for your SAP system landscape.

(SNote 3112928) All customers using S4/HANA and the Create Single Payment application should take a look at this fix. Due to the vulnerability, it cannot be ensured that uploaded files are sufficiently checked and thus the possibility for attackers to possibly even introduce ransomware could arise.

(SNote 3123196) This correction updates a note previously published in December. We strongly recommend that you update the affected systems to prevent code from being injected.

(SNote 3124597) A medium rating is given for a vulnerability in SAP’s own Enterprise Threat Detection Product, that allows the attacker to make malicious entries using cross-site scripting.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 9 patches for the following severities:

Severity Number
Hot News
1
High
2
Medium
5
Low
5
Note Description Severity CVSS
3131047 [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 componentConsolidated Security Note list  (Product: Security Note #)SAP Customer Checkout: 3133772 SAP BTP Cloud Foundry: 3130578SAP Landscape Management: 3132198SAP Connected Health Platform 2.0 - Fhirserver: 3131824SAP HANA XS Advanced Cockpit : 3134531 (includes fix provided in 3131397, 3132822)SAP NetWeaver Process Integration (Java Web Service Adapter) : 3135581 (includes fix provided in 3132204, 3130521, 3133005)SAP HANA XS Advanced : 3131258Internet of Things Edge Platform : 3132922SAP BTP Kyma : 3132744SAP Enable Now Manager : 3132964SAP Cloud for Customer (add-in for Lotus notes client) : 3132074SAP Localization Hub, digital compliance service for India : 3132177SAP Edge Services On Premise Edition : 3132909SAP Edge Services Cloud Edition : 3132515SAP BTP API Management (Tenant Cloning Tool) : 3132162SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) : 3131691SAP Digital Manufacturing Cloud for Edge Computing : 3136094SAP Enterprise Continuous Testing by Tricentis :  3134139SAP Cloud-to-Cloud Interoperability : 3132058Reference Template for enabling ingestion and persistence of time series data in Azure : 3136988SAP Business One : 3131740
Hot News
10
3112928 [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANAAdditional CVE - CVE-2022-22530
Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106
High
8.7
3123196 Update to Security Note released on December 2021 Patch Day:[CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
High
8.4
3101299 [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
Medium
6.6
3106528 [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
Medium
6.5
3124597 [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection
Product - SAP Enterprise Threat Detection, Version - 2.0
Medium
6.1
3112710 [CVE-2022-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786
Medium
4.3
3121165 Update to Security Note released on December 2021 Patch Day:[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise ViewerCVEs - CVE-2021-42068,CVE-2021-42070, CVE-2021-42069, CVE-2021-42069
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
3080816 Update to Security Note released on December 2021 Patch Day:[CVE-2021-44233] Missing Authorization check in GRC Access Control
Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750
Low
2.4

Source

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Meet us at ASUG Carolinas Chapter Meeting 2022

Come and meet us! On June 24, 2022 the US team of SecurityBridge will be at the ASUG Carolinas Chapter Meeting 2022. We are silver sponsor of the event and present with an exhibition table.
The Federal Republic is attempting to make critical infrastructure resilient to cyber-attacks by proactively identifying vulnerabilities and implementing measures to protect attractive targets.
how to spot anomalies in SAP
How to reliably detect suspicious actions from within the huge mass of SAP systems and user activity? In this article, we’ll tell you what’s needed to detect anomalies in SAP's log stack and put them into context to find cyber-attacks.