Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – June 2022

SAP security Patch day

SAP clients should monitor the release of SAP security updates, which have been published on 14th June 2022. This month’s release counts 12 security patches. This includes two notes that have been updated.

SAP Security Patches June 2022

We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.

Highlights

In June, SAP released an update for a Security Note in April 2018. The Note has a CVSS Score of 10 and should be implemented immediately if you use the SAP Business Client in version 6.5.

Also noteworthy is that the SAProuter possibly has an improper Access Control. As described in Note 3158375, it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform, from a remote client, for example, stopping the SAProuter, which could highly impact systems availability, depending on the configuration of the route permission table in file “saprouttab”. For security reasons, SAP generally recommends avoiding wildcards (*) for the target host and the target port in “P” and “S” entries in the route permission table.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

Summary by Severity

The June release contains a total of 12 patches for the following severities:

Severity Number
Hot News
 1
High
 2
Medium
 7
Low
 2
Note Description Severity CVSS
2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error		 Hot News 10,0
3206271 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with medium priority
Released on: 14.06.2022
Components: CA-VE-VEV
Category: Program error		 Medium 6,5
3158815 [CVE-2022-31595] Privilege escalation vulnerability in SAP Financial Consolidation
Priority: Correction with medium priority
Released on: 14.06.2022
Components: EPM-BFC-PRO
Category: Program error		 Medium 5,0
3158619 [CVE-2022-29614] Privilege Escalation in SAP startservice of SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CST-STS
Category: Program error		 Medium 4,9
3158375 [CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform
Priority: Correction with high priority
Released on: 14.06.2022
Components: BC-CST-NI
Category: Program error 		High 8,6
3155571 [CVE-2022-31594] Privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE)
Priority: Correction with low priority
Released on: 14.06.2022
Components: BC-DB-SYB
Category: Program error 		Low 3,2
3202846 [CVE-2022-29615] Multiple vulnerabilities associated with Apache log4j 1.x component in SAP NetWeaver Developer Studio (NWDS)
Priority: Correction with low priority
Released on: 14.06.2022
Components: BC-DWB-JAV-COR
Category: Program error		 Low 3,4
3197927 [CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository)
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CTS-DTR
Category: Program error		 Medium 6,1
3197005 [CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7
Priority: Correction with high priority
Released on: 14.06.2022
Components: BC-SYB-PD
Category: Program error		 High 7,8
3194674 [CVE-2022-29612] Server-Side Request Forgery in SAP NetWeaver, ABAP Platform and SAP Host Agent
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CST-STS
Category: Program error		 Medium 5,0
3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-ABA-LI
Category: Program error		 Medium 6,5
3203065 [CVE-2022-31589] Segregation of Duty vulnerability in IL FI-AP File from SHAAM program.
Priority: Correction with medium priority
Released on: 14.06.2022
Components: FI-LOC-FI-IL-AP
Category: Program error		 Medium 5,0

Posted by

Till Pleyer
Find recent Security Advisories for SAP©
View Advisory for May'22
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
DSAG Jahreskongress 2023

DSAG-Jahreskongress 2023

Alles verändert sich, nichts bleibt wie es ist, die heutige Zeit setzt Flexibilität voraus. Entsprechend wandelbar präsentieren sich DSAG, SAP und das gesamte Ökosystem. Diese Wandlungsfähigkeit steht auch im Fokus des DSAG-Jahreskongress 2023 vom 19.-21. September 2023 in Bremen. Unter dem Motto „Wunderbar wandelbar – Gemeinsam neue Perspektiven schaffen“ freut sich die DSAG wieder darauf, mehr als 5.000 Teilnehmende zu begrüßen. Wagen Sie gemeinsam mit der Interessenvertretung den Blick durch das Kaleidoskop und finden Sie den richtigen Dreh, um zu neuen Blickwinkeln zu gelangen und Veränderungen zu gestalten.
Learn more
SAP security Patch day

SAP Security Patch Day – May 2023

SAP Security Patch Day
Today is another SAP Security Patch Day. In May 2023, the SAP Response Team released 20 SAP Security Notes, including Evergreen 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client with HotNews priority. Besides two updated Notes, SAP Security Patch Day May 2023, contains 18 new security updates for the vast SAP Product portfolio while the majority relates to SAP Business Objects.
SAP ABAP Directory Traversal Vulnerability

SAP ABAP Directory Traversal Vulnerability: Risks and Solutions

SAP Vulnerability
SAP developers know that ABAP/4 (Advanced Business Application Programming) is not immune to security vulnerabilities like any other programming language. One significant security risk associated with SAP ABAP is directory traversal vulnerability. In this blog post, we will discuss what a directory traversal vulnerability is, why it is a problem for SAP customers, how it can be exploited, and what measures to take to prevent it.