
SAP Security Patch Day – July 2022


Tuesday, 12 July 2022 is yet another SAP Security Patch Day. The SAP Response Team releases corrections and instructions to address vulnerabilities across the SAP SE product portfolio. On this Patch Tuesday, SAP released 22 security updates. The complete list with direct links to the SAP Support Portal can be found below.


A quick glance at the July list shows that no SAP vulnerabilities were fixed that are considered Hot News. In SAP parlance, “Hot News” is used for all fixes that have a CVSS between 9.1 and 10. That’s good news for now!

Nevertheless, we can’t avoid taking a closer look at the publications. By the way, all SAP customers should do this, even if it requires some time and expert knowledge month after month. In July, we see 4 advisories with severity level High, 17 with severity Medium and one classified as Low severity, summing up to a total of 19 corrections that awaited our review.

Highlights

Today we can start with what we do not find. Namely, we miss our old acquaintance: the security update for the Google Chromium engine in SAP Business Client, which was always rated CVSS 10. Customers using SAP NetWeaver Enterprise Portal and SAP BusinessObjects in particular should pay attention to this SAP Security Patch Day, because most of the fixes relate to these two products.

SAP NetWeaver Enterprise Portal

SAP NetWeaver Portal also known as Enterprise Portal (EP) is one of the components of the NetWeaver architecture. The on-premise SAP portal solution offers a single point of access to SAP information sources inside your organization. The Enterprise Portal can be accessed from desktops and from mobile devices such as smartphones or tablets.

We count a total of 6 security corrections that deal with Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver Enterprise Portal. Since this solution communicates not only internally but also over unprotected networks, we strongly recommend that you check the fixes rated CVSS 6.1. It goes without saying that a publicly accessible SAP NetWeaver Enterprise Portal must be prioritized. Threat actors can find such SAP instances using a simple Google search query, “inurl:/irj/portal”, as described on the Exploit-Database page.

SAP BusinessObjects

Business Objects was purchased by SAP in 2007. SAP BO is often used to create high-level reports based on the interaction (interactive reports) generated by using dashboards and scorecards. Typically, the report data is sourced from SAP Business Warehouse (BW).

Again, we count 6 fixes that revolve around SAP BusinessObjects (BO). Among them is also the one with the highest severity (8.3), SAP Note 3221288: Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console). For the most part, these notes correct “information disclosure” vulnerabilities. But what does information disclosure mean?

Information disclosure, also known as information leakage, occurs when an application or website unintentionally reveals sensitive information to its users. Depending on the context, business-critical SAP applications in particular can disclose all sorts of information to a potential attacker, including:

  • Data about users and business partners, including financial information
  • Sensitive commercial data and trade secrets
  • Technical details about the application or infrastructure

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The July release contains a total of 22 patches for the following severities:

Severity   Number
Hot News   0
High       4
Medium     17
Low        1
Note / Description / Severity / CVSS

3220746 [CVE-2022-35171] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with low priority
Released on: 12.07.2022
Components: CA-VE-VEV
Category: Program error
Severity: Low, CVSS: 3.3

3216161 [CVE-2022-32248] Missing Input Validation in Manage Checkbooks component of SAP S/4HANA
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-FIO-AP
Category: Program error
Severity: Medium, CVSS: 4.3

3213826 [CVE-2022-31597] Missing Authorization check in SAP S/4HANA (business partner extension for Spain/Slovakia)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-LOC-FI-ES
Category: Correction of legal function
Severity: Medium, CVSS: 5.4

3212997 [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Severity: High, CVSS: 7.6

3211760 [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-WPC
Category: Program error
Severity: Medium, CVSS: 6.1

3211203 [CVE-2022-35168] Denial of Service vulnerability in SAP Business One
Priority: Correction with medium priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Severity: Medium, CVSS: 4.3

3210779 [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-GPA
Category: Program error
Severity: Medium, CVSS: 6.1

3209557 [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-TOL
Category: Program error
Severity: Medium, CVSS: 6.1

3208880 [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-PRT
Category: Program error
Severity: Medium, CVSS: 6.1

3208819 [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-AI
Category: Program error
Severity: Medium, CVSS: 6.1

3207902 [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-URL
Category: Program error
Severity: Medium, CVSS: 6.1

3157613 [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API)
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Severity: High, CVSS: 7.5

3196280 [CVE-2022-31592] Missing Authorization check in EA-DFPS
Priority: Correction with medium priority
Released on: 12.07.2022
Components: IS-DFS-MM
Category: Program error
Severity: Medium, CVSS: 4.3

3191012 [CVE-2022-31593] Code Injection vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Severity: High, CVSS: 7.4

3169239 [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-ADM
Category: Program error
Severity: Medium, CVSS: 6.5

3167430 [CVE-2022-31591] Privilege Escalation vulnerability in SAP BusinessObjects (BW Publisher Service)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-IK-PAR-SAP
Category: Program error
Severity: Medium, CVSS: 5.6

3221288 [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
Priority: Correction with high priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
Severity: High, CVSS: 8.3

3213279 [CVE-2022-31598] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
Severity: Medium, CVSS: 5.4

3203079 [CVE-2022-32246] SQL Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Visual Difference Application)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-VD
Category: Program error
Severity: Medium, CVSS: 5.4

3194361 [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (LCM)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-SRV
Category: Program error
Severity: Medium, CVSS: 6.0

3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Severity: Medium, CVSS: 4.9

3150463 Information Disclosure vulnerability in ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Severity: Medium, CVSS: 4.9
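The list above is the raw material for a monthly patch triage. As an added example (this is not code from the original post, from SecurityBridge or from SAP), the following Python script parses entries in the flattened form in which the note list is scraped (note number run together with the title, severity run together with a comma-decimal CVSS score; the cleaned "Severity: High, CVSS: 8.3" form is accepted too), rebuilds the severity summary, and orders the notes for patching the way the article recommends: components of a publicly reachable Enterprise Portal first, then everything else by CVSS. The four sample entries are copied from the July list; the INTERNET_FACING_PREFIXES mapping is an assumption standing in for a real landscape inventory.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: four entries copied from the July 2022 list, in the
# flattened scraped layout (note number fused with title, severity fused
# with a comma-decimal CVSS score).
SAMPLE = """\
3221288[CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
Priority: Correction with high priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
High8,3
3210779[CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-GPA
Category: Program error
Medium6,1
3220746[CVE-2022-35171] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with low priority
Released on: 12.07.2022
Components: CA-VE-VEV
Category: Program error
Low3,3
3150454Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium4,9
"""


@dataclass
class SapNote:
    note: str
    cve: Optional[str]  # some notes (e.g. the RFC ones) carry no CVE id
    title: str
    components: str
    severity: str
    cvss: float


# First line of an entry: 7-digit SAP Note number, optional [CVE-...], title.
HEAD_RE = re.compile(r"^(\d{7})\s*(?:\[(CVE-\d{4}-\d+)\])?\s*(.*)$")
# Last line of an entry: severity word and score, either fused ("High8,3")
# or in the cleaned form ("Severity: High, CVSS: 8.3").
TAIL_RE = re.compile(
    r"^(?:Severity:\s*)?(Hot News|High|Medium|Low)[\s,|]*(?:CVSS:\s*)?(\d{1,2}[.,]\d)$"
)


def parse_notes(text: str) -> list:
    """Split the flattened note list into SapNote records."""
    notes, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        head = HEAD_RE.match(line)
        if cur is None and head:
            cur = {"note": head.group(1), "cve": head.group(2),
                   "title": head.group(3).strip(), "components": ""}
            continue
        if cur is None:
            continue  # stray line outside an entry
        if line.startswith("Components:"):
            cur["components"] = line.split(":", 1)[1].strip()
            continue
        tail = TAIL_RE.match(line)
        if tail:
            cvss = float(tail.group(2).replace(",", "."))
            notes.append(SapNote(severity=tail.group(1), cvss=cvss, **cur))
            cur = None
    return notes


def count_by_severity(notes) -> dict:
    """Reproduce the 'Summary by Severity' table from the parsed entries."""
    counts = {"Hot News": 0, "High": 0, "Medium": 0, "Low": 0}
    for n in notes:
        counts[n.severity] += 1
    return counts


# Assumption for this example: component prefixes that run on an
# internet-facing system in our landscape (Enterprise Portal here). Take this
# from your own system inventory, not from the note text.
INTERNET_FACING_PREFIXES = ("EP-",)


def triage(notes, internet_facing=INTERNET_FACING_PREFIXES) -> list:
    """Order the work: notes touching internet-facing components first,
    then by CVSS descending, note number as a stable tie-breaker."""
    def key(n: SapNote):
        exposed = n.components.startswith(internet_facing)
        return (not exposed, -n.cvss, n.note)
    return sorted(notes, key=key)


if __name__ == "__main__":
    parsed = parse_notes(SAMPLE)
    print(count_by_severity(parsed))
    for n in triage(parsed):
        flag = "EXPOSED " if n.components.startswith(INTERNET_FACING_PREFIXES) else ""
        print(f"{flag}{n.severity:<7} {n.cvss:>4} {n.note} {n.components:<18} {n.title}")
```

The exposure-first ordering deliberately ranks a CVSS 6.1 portal XSS above the CVSS 8.3 CMC note when the portal is internet-facing and the CMC is not; swap the tuple order in `key` if your risk model weighs raw score higher than reachability.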

Posted by

Christoph Nagy