Skip to content

SAP Security Patch Day – June 2022

SAP security Patch day

SAP clients should monitor the release of SAP security updates, which have been published on 14th June 2022. This month’s release counts 12 security patches. This includes two notes that have been updated.

SAP Security Patches June 2022

We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.

Highlights

In June, SAP released an update for a Security Note in April 2018. The Note has a CVSS Score of 10 and should be implemented immediately if you use the SAP Business Client in version 6.5.

Also noteworthy is that the SAProuter possibly has an improper Access Control. As described in Note 3158375, it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform, from a remote client, for example, stopping the SAProuter, which could highly impact systems availability, depending on the configuration of the route permission table in file “saprouttab”. For security reasons, SAP generally recommends avoiding wildcards (*) for the target host and the target port in “P” and “S” entries in the route permission table.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The June release contains a total of 12 patches for the following severities:

SeverityNumber
Hot News
1
High
2
Medium
7
Low
2
NoteDescriptionSeverityCVSS
2622660Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: HotNews
Released on: 10.04.2018
Components: BC-FES-BUS-DSK
Category: Program error
Hot News10,0
3206271[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with medium priority
Released on: 14.06.2022
Components: CA-VE-VEV
Category: Program error
Medium6,5
3158815[CVE-2022-31595] Privilege escalation vulnerability in SAP Financial Consolidation
Priority: Correction with medium priority
Released on: 14.06.2022
Components: EPM-BFC-PRO
Category: Program error
Medium5,0
3158619[CVE-2022-29614] Privilege Escalation in SAP startservice of SAP NetWeaver AS ABAP, AS Java, ABAP Platform and HANA Database
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CST-STS
Category: Program error
Medium4,9
3158375[CVE-2022-27668] Improper Access Control of SAProuter for SAP NetWeaver and ABAP Platform
Priority: Correction with high priority
Released on: 14.06.2022
Components: BC-CST-NI
Category: Program error
High8,6
3155571[CVE-2022-31594] Privilege escalation vulnerability in SAP Adaptive Server Enterprise (ASE)
Priority: Correction with low priority
Released on: 14.06.2022
Components: BC-DB-SYB
Category: Program error
Low3,2
3202846[CVE-2022-29615] Multiple vulnerabilities associated with Apache log4j 1.x component in SAP NetWeaver Developer Studio (NWDS)
Priority: Correction with low priority
Released on: 14.06.2022
Components: BC-DWB-JAV-COR
Category: Program error
Low3,4
3197927[CVE-2022-29618] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Development Infrastructure (Design Time Repository)
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CTS-DTR
Category: Program error
Medium6,1
3197005[CVE-2022-31590] Potential privilege escalation in SAP PowerDesigner Proxy 16.7
Priority: Correction with high priority
Released on: 14.06.2022
Components: BC-SYB-PD
Category: Program error
High7,8
3194674[CVE-2022-29612] Server-Side Request Forgery in SAP NetWeaver, ABAP Platform and SAP Host Agent
Priority: Correction with medium priority
Released on: 14.06.2022
Components: BC-CST-STS
Category: Program error
Medium5,0
3165801[CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-ABA-LI
Category: Program error
Medium6,5
3203065[CVE-2022-31589] Segregation of Duty vulnerability in IL FI-AP File from SHAAM program.
Priority: Correction with medium priority
Released on: 14.06.2022
Components: FI-LOC-FI-IL-AP
Category: Program error
Medium5,0

Posted by

Till Pleyer
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.