SAP Security Patch Day – January 2022

On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.

Log4j - Still a major concern?

Yesterday SAP published its consolidated January patches, as it does on the second Tuesday of every month. Since the Log4j vulnerability, also known as Log4Shell, most companies have been on tenterhooks. SAP has been publishing a collective advisory note, 3131047, titled “Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component”. It combines all fixes and recommendations in one central location. This is not only a very convenient approach for customers; it also highlights how far-reaching the impact of the vulnerability is, including for SAP customers.

Note 3131047 now contains 20 additional correction instructions and references 19 notes describing a possible workaround. We have been following the releases and updates in detail. With SecurityBridge Patch Management our customers have an optimal solution at hand to be informed promptly about the release and the relevance of a security fix.

If you follow our blog regularly, you will already know that we run a dedicated Log4j Newsticker.

The severity and danger posed by the Log4j 2 vulnerability should not be underestimated. Especially once exploitation guidance is published, an existing vulnerability becomes a major threat. After Log4j denied security teams and SAP experts a quiet holiday season, most of the fixes and mitigation actions should already be implemented. If you need help with this or need to pull in additional SAP expert advice, feel free to contact us.

Highlights (other than Log4j)

Unfortunately, the January SAP Patch Day not only deals with Log4j vulnerabilities. Besides collective note 3131047, 8 more security notes have been published. You should now also check these to understand whether they are relevant for your SAP system landscape.

(SNote 3112928) All customers using SAP S/4HANA and the Create Single Payment application should take a look at this fix. Due to the vulnerability, it cannot be ensured that uploaded files are sufficiently checked, which could give attackers a way to introduce malicious files, possibly even ransomware.

(SNote 3123196) This correction updates a note previously published in December. We strongly recommend that you update the affected systems to prevent code from being injected.

(SNote 3124597) A medium rating is given for a vulnerability in SAP’s own Enterprise Threat Detection product that allows an attacker to make malicious entries using cross-site scripting.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 9 patches for the following severities:

Severity    Number
Hot News    1
High        2
Medium      5
Low         5
Note | Description | Severity | CVSS

Note 3131047 | Severity: Hot News | CVSS: 10
[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component
Consolidated Security Note list (Product: Security Note #):
- SAP Customer Checkout: 3133772
- SAP BTP Cloud Foundry: 3130578
- SAP Landscape Management: 3132198
- SAP Connected Health Platform 2.0 - Fhirserver: 3131824
- SAP HANA XS Advanced Cockpit: 3134531 (includes fix provided in 3131397, 3132822)
- SAP NetWeaver Process Integration (Java Web Service Adapter): 3135581 (includes fix provided in 3132204, 3130521, 3133005)
- SAP HANA XS Advanced: 3131258
- Internet of Things Edge Platform: 3132922
- SAP BTP Kyma: 3132744
- SAP Enable Now Manager: 3132964
- SAP Cloud for Customer (add-in for Lotus Notes client): 3132074
- SAP Localization Hub, digital compliance service for India: 3132177
- SAP Edge Services On Premise Edition: 3132909
- SAP Edge Services Cloud Edition: 3132515
- SAP BTP API Management (Tenant Cloning Tool): 3132162
- SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0): 3131691
- SAP Digital Manufacturing Cloud for Edge Computing: 3136094
- SAP Enterprise Continuous Testing by Tricentis: 3134139
- SAP Cloud-to-Cloud Interoperability: 3132058
- Reference Template for enabling ingestion and persistence of time series data in Azure: 3136988
- SAP Business One: 3131740

Note 3112928 | Severity: High | CVSS: 8.7
[CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA
Additional CVE: CVE-2022-22530
Product: SAP S/4HANA, Versions: 100, 101, 102, 103, 104, 105, 106

Note 3123196 | Severity: High | CVSS: 8.4
Update to Security Note released on December 2021 Patch Day: [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
Product: SAP NetWeaver AS ABAP, Versions: 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756

Note 3101299 | Severity: Medium | CVSS: 6.6
[CVE-2021-42066] Information Disclosure vulnerability in SAP Business One
Product: SAP Business One, Version: 10

Note 3106528 | Severity: Medium | CVSS: 6.5
[CVE-2021-44234] Information Disclosure vulnerability in SAP Business One
Product: SAP Business One, Version: 10

Note 3124597 | Severity: Medium | CVSS: 6.1
[CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection
Product: SAP Enterprise Threat Detection, Version: 2.0

Note 3112710 | Severity: Medium | CVSS: 4.3
[CVE-2022-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product: SAP NetWeaver AS for ABAP and ABAP Platform, Versions: 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786

Note 3121165 | Severity: Medium | CVSS: 4.3
Update to Security Note released on December 2021 Patch Day: [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
CVEs: CVE-2021-42068, CVE-2021-42069, CVE-2021-42070
Product: SAP 3D Visual Enterprise Viewer, Version: 9

Note 3080816 | Severity: Low | CVSS: 2.4
Update to Security Note released on December 2021 Patch Day: [CVE-2021-44233] Missing Authorization check in GRC Access Control
Product: SAP GRC Access Control, Versions: V1100_700, V1100_731, V1200_750
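To turn the table above into the landscape relevance check the post asks for, here is an added example (not SecurityBridge's or SAP's code) that matches a constructed system inventory against the eight product-specific notes and orders the hits by severity and CVSS; the product names are normalized keys, the Log4j note 3131047 is left to its own per-product list, and the sample systems are made up.

```python
from dataclasses import dataclass

SEVERITY_RANK = {"Hot News": 3, "High": 2, "Medium": 1, "Low": 0}


@dataclass(frozen=True)
class SecurityNote:
    number: str
    severity: str
    cvss: float
    product: str         # normalized product key (assumption: one key per product line)
    versions: frozenset  # affected versions exactly as listed in the note


# Transcribed from the January 2022 table above. 3131047 (Log4j) has its own
# per-product list and is left out. "SAP NetWeaver AS for ABAP and ABAP Platform"
# is normalized to the same key as "SAP NetWeaver AS ABAP".
NOTES = [
    SecurityNote("3112928", "High", 8.7, "SAP S/4HANA",
                 frozenset("100 101 102 103 104 105 106".split())),
    SecurityNote("3123196", "High", 8.4, "SAP NetWeaver AS ABAP",
                 frozenset("700 701 702 710 711 730 731 740 750 751 752 753 754 755 756".split())),
    SecurityNote("3101299", "Medium", 6.6, "SAP Business One", frozenset({"10"})),
    SecurityNote("3106528", "Medium", 6.5, "SAP Business One", frozenset({"10"})),
    SecurityNote("3124597", "Medium", 6.1, "SAP Enterprise Threat Detection", frozenset({"2.0"})),
    SecurityNote("3112710", "Medium", 4.3, "SAP NetWeaver AS ABAP",
                 frozenset("701 702 711 730 731 740 750 751 752 753 754 755 756 786".split())),
    SecurityNote("3121165", "Medium", 4.3, "SAP 3D Visual Enterprise Viewer", frozenset({"9"})),
    SecurityNote("3080816", "Low", 2.4, "SAP GRC Access Control",
                 frozenset({"V1100_700", "V1100_731", "V1200_750"})),
]


def relevant_notes(inventory, notes=NOTES):
    """inventory: iterable of (system_id, product, version) tuples.
    Returns (system_id, note) pairs, highest severity and CVSS first,
    so the output doubles as a patch priority list."""
    hits = [(sid, n) for sid, product, version in inventory
            for n in notes if n.product == product and version in n.versions]
    hits.sort(key=lambda h: (SEVERITY_RANK[h[1].severity], h[1].cvss), reverse=True)
    return hits


if __name__ == "__main__":
    # Constructed sample landscape (not real systems).
    landscape = [("PRD", "SAP NetWeaver AS ABAP", "750"),
                 ("S4P", "SAP S/4HANA", "105"),
                 ("ETD", "SAP Enterprise Threat Detection", "2.0"),
                 ("B1X", "SAP Business One", "9.3")]
    for sid, note in relevant_notes(landscape):
        print(f"{sid}: note {note.number} ({note.severity}, CVSS {note.cvss}) {note.product}")
```

A version that is not in a note's list (the Business One 9.3 system above) produces no hit, which is exactly the case where a manual check against the note text is still worthwhile.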

Posted by Christoph Nagy