SAP Security Patch Day – July 2022

SAP security Patch day

Tuesday 12th July 2022 is yet another SAP Security Patch Day. The SAP Response Team releases corrections and instructions to address vulnerabilities across the SAP SE product portfolio. This patching Tuesday SAP released 22 security updates. The complete list with direct links to the SAP Support Portal can be found below.

SAP Security Patches June 2022

A quick glance at the July list shows that no SAP vulnerabilities were fixed that are considered Hot News. In SAP parlance, “Hot News” is used for all fixes that have a CVSS between 9.1 and 10. That’s good news for now!

Nevertheless, we can’t avoid taking a closer look at the publications. By the way, all SAP customers should do this, even if it requires some time and expert knowledge month after month. In July, we see 4 advisories with severity level High, 17 with severity Medium and one classified as a Low severity – summing up to total of 19 corrections, which awaited our review.

Highlights

Today we can start with what we do not find. Namely, we miss our old acquaintance the security updates in the Google Chromium Engine of the SAP Business Client, which was always rated with CVSS 10. Especially customers using the products SAP NetWeaver Enterprise Portal and SAP BusinessObjects should pay attention to this SAP Security Patch Day, because most of the fixes are related to these SAP products.

SAP NetWeaver Enterprise Portal

SAP NetWeaver Portal also known as Enterprise Portal (EP) is one of the components of the NetWeaver architecture. The on-premise SAP portal solution offers a single point of access to SAP information sources inside your organization. The Enterprise Portal can be accessed from desktops and from mobile devices such as smartphones or tablets.

We count a total of 6 security corrections that deal with Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver Enterprise Portal. Since this solution communicates not only internally, but also in unprotected networks, we strongly recommend you check the fixes that have been rated with CVSS 6.1. Not necessary to emphasize that the public accessible SAP NetWeaver Enterprise Portal must be prioritized. Threat actors can find such SAP instances using a simple Goolge-Search query “inurl:/irj/portal” as described on the Exploit-Database page.

SAP BusinessObjects

Business Objects was purchased by SAP in 2007.  SAP BO is often used to create high level reports based on the interaction (Interactive reports) generated by using dashboards and score cards. Typically, the report data is sourced from SAP Business Warehouse (BW).

Again, we count 6 fixes that revolve around SAP BusinessObjects (BO). Among them also the one with the highest severity (8.3), SNote 3221288: Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console). For the most part, “information disclosure” vulnerabilities are corrected. But what does information disclosure mean?

Information disclosure, also known as information leakage, occurs when an application or website unintentionally discloses sensitive information to its users. Depending on the context, especially enterprise critical SAP applications can disclose all sorts of information to a potential attacker, including

  • Data about users and business partners including financial information
  • Sensitive commercial data and trade secrets
  • but also technical details about the application or infrastructure.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The July release contains a total of 22 patches for the following severities:

Severity Number
Hot News
0
High
4
Medium
17
Low
1
Note Description Severity CVSS
3220746 [CVE-2022-35171] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with low priority
Released on: 12.07.2022
Components: CA-VE-VEV
Category: Program error
Low 3,3
3216161 [CVE-2022-32248] Missing Input Validation in Manage Checkbooks component of SAP S/4HANA
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-FIO-AP
Category: Program error
Medium 4,3
3213826 [CVE-2022-31597] Missing Authorization check in SAP S/4HANA(business partner extension for Spain/Slovakia)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-LOC-FI-ES
Category: Correction of legal function
Medium 5,4
3212997 [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,6
3211760 [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-WPC
Category: Program error
Medium 6,1
3211203 [CVE-2022-35168] Denial of Service vulnerability in SAP Business One
Priority: Correction with medium priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Medium 4,3
3210779 [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-GPA
Category: Program error
Medium 6,1
3209557 [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-TOL
Category: Program error
Medium 6,1
3208880 [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-PRT
Category: Program error
Medium 6,1
3208819 [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-AI
Category: Program error
Medium 6,1
3207902 [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-URL
Category: Program error
Medium 6,1
3157613 [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API)
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,5
3196280 [CVE-2022-31592] Missing Authorization check in EA-DFPS
Priority: Correction with medium priority
Released on: 12.07.2022
Components: IS-DFS-MM
Category: Program error
Medium 4,3
3191012 [CVE-2022-31593] Code Injection vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,4
3169239 [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-ADM
Category: Program error
Medium 6,5
3167430 [CVE-2022-31591] Privilege Escalation vulnerability in SAP BusinessObjects (BW Publisher Service)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-IK-PAR-SAP
Category: Program error
Medium 5,6
3221288 [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
Priority: Correction with high priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
High 8,3
3213279 [CVE-2022-31598] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
Medium 5,4
3203079 [CVE-2022-32246] SQL Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Visual Difference Application)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-VD
Category: Program error
Medium 5,4
3194361 [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (LCM)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-SRV
Category: Program error
Medium 6,0
3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium 4,9
3150463 Information Disclosure vulnerability in ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium 4,9

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

SecurityBridge joins NTT Data’s Cybersecurity for SAP Webinar

Whether your business critical SAP landscape is traditional on-prem, in one or more clouds, or even the latest RISE with SAP, you are accountable for ensuring it is secured against rapidly increasing cyber threats. Join this webinar to learn why SAP application security is critical and how you can stay in control and protect your business.
SAP security Patch day
August 9, 2022, is the time for the SAP Security Patch Day, this time in parallel to the black 2022 cyber security conference, the SAP Response team has released 7 patches this Tuesday.
SAP Security Solutions
Security News
The application security market is obscure and holds one or two surprises for those looking for an SAP security solution. Cybersecurity solutions for SAP help customers understand the ever-growing threat landscape and protect themselves effectively. In this article, we would like to discuss some points you should focus on when looking for a security solution for SAP.
SAP Debugger
The SAP Debugger, also known as the ABAP Debugger, is one of the most important development tools offered by SAP. An ABAP developer or a technical SAP consultant uses it to analyze problems or to simulate program flows. Usually, the debugger is simply used to understand a certain behavior in SAP ERP and to identify or understand customizing options.
cbs and securitybridge for SAP
cbs Corporate Business Solutions, a premium management consultancy, and cloud services provider with a focus on the manufacturing industry, and SecurityBridge, the leading provider of an SAP Security platform solution, have announced a partnership to meet the growing demand for comprehensive and reliable service offerings in the field of SAP Security for international SAP clients.