Chapters
Share Article
SAP clients should monitor the release of SAP security updates, which have been published on 14th June 2022. This month’s release counts 12 security patches. This includes two notes that have been updated.
SAP Security Patches June 2022
We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.
Highlights
In June, SAP released an update for a Security Note in April 2018. The Note has a CVSS Score of 10 and should be implemented immediately if you use the SAP Business Client in version 6.5.
Also noteworthy is that the SAProuter possibly has an improper Access Control. As described in Note 3158375, it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform, from a remote client, for example, stopping the SAProuter, which could highly impact systems availability, depending on the configuration of the route permission table in file “saprouttab”. For security reasons, SAP generally recommends avoiding wildcards (*) for the target host and the target port in “P” and “S” entries in the route permission table.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The June release contains a total of 12 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
1 |
|
High
|
2 |
|
Medium
|
7 |
|
Low
|
2 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client Priority: HotNews Released on: 10.04.2018 Components: BC-FES-BUS-DSK Category: Program error |
Hot News | 10,0 |
| 3206271 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer Priority: Correction with medium priority Released on: 14.06.2022 Components: CA-VE-VEV Category: Program error |
Medium | 6,5 |
| 3158815 | [CVE-2022-31595] Privilege escalation vulnerability in SAP Financial Consolidation Priority: Correction with medium priority Released on: 14.06.2022 Components: EPM-BFC-PRO Category: Program error |
Medium | 5,0 |
| 3158619 | [CVE-2022-29614] Privilege Escalation in SAP startservice of SAP NetWeaver AS ABAP, AS Java, ABAP Platform
and HANA Database Priority: Correction with medium priority Released on: 14.06.2022 Components: BC-CST-STS Category: Program error |
Medium | 4,9 |
| 3158375 | [CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform Priority: Correction with high priority Released on: 14.06.2022 Components: BC-CST-NI Category: Program error |
High | 8,6 |
| 3155571 | [CVE-2022-31594] Privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE) Priority: Correction with low priority Released on: 14.06.2022 Components: BC-DB-SYB Category: Program error |
Low | 3,2 |
| 3202846 | [CVE-2022-29615] Multiple vulnerabilities associated with Apache log4j 1.x component in SAP NetWeaver
Developer Studio (NWDS) Priority: Correction with low priority Released on: 14.06.2022 Components: BC-DWB-JAV-COR Category: Program error |
Low | 3,4 |
| 3197927 | [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure
(Design Time Repository) Priority: Correction with medium priority Released on: 14.06.2022 Components: BC-CTS-DTR Category: Program error |
Medium | 6,1 |
| 3197005 | [CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7 Priority: Correction with high priority Released on: 14.06.2022 Components: BC-SYB-PD Category: Program error |
High | 7,8 |
| 3194674 | [CVE-2022-29612] Server-Side Request Forgery in SAP NetWeaver, ABAP Platform and SAP Host Agent Priority: Correction with medium priority Released on: 14.06.2022 Components: BC-CST-STS Category: Program error |
Medium | 5,0 |
| 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP
Platform Priority: Correction with medium priority Released on: 10.05.2022 Components: BC-ABA-LI Category: Program error |
Medium | 6,5 |
| 3203065 | [CVE-2022-31589] Segregation of Duty vulnerability in IL FI-AP File from SHAAM program. Priority: Correction with medium priority Released on: 14.06.2022 Components: FI-LOC-FI-IL-AP Category: Program error |
Medium | 5,0 |