Skip to content

SAP Security Patch Day – May 2022

SAP security Patch day

SAP customers need to pay attention to the release of the SAP security updates, which have been published on 10th May 2022. This months SAP Security Patch Day covers 13 (+2) patches that should be carefully reviewed.

SAP Security Patches May 2022

We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.

Highlights

In the May Patch Day, an update of the central note for Spring4Shell and another patch for the Web Dispatcher/Internet Communication Manager jumps out at us.

What has happened in terms of Spring4Shell?
Note 3170990 summarizes all security notes related to CVE-2022-22965. A new advisory has been added, 3189409 – [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Business One Cloud.

We would also like to point out that the notes 3189635 (published on 14.04.2022) and 3171258 (published on 18.04.2022) were published after the April patch day. So if you only pay attention to the SAP Patch Day notes, you might have missed them!

This time, too, the focus is on the SAP Web Dispatcher or the Internet Communication Manager (ICM). These components are so popular with attackers because they control access to the integrated webserver. It is not uncommon these components can be accessed from the outside, which is why a timely update is highly recommended. Please note the following security patch with CVSS 8.3 of 10: 3145046 – [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in the administration UI of SAP Web Dispatcher and SAP Netweaver AS for ABAP and Java (ICM)

Notes 3165801 (Missing Authorization check in SAP NetWeaver Application Server for ABAP) and 3145702 (Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver, and ABAP Platform) also close existing vulnerabilities in widely used SAP components and should therefore be noted.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The May release contains a total of 15 patches for the following severities:

SeverityNumber
Hot News
4
High
2
Medium
9
NoteDescriptionSeverityCVSS
3170990[CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework
Priority: HotNews
Released on: 12.04.2022
Components: XX-SER-SN
Category: Program error
Hot News9,8
2998510[CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
Priority: Correction with high priority
Released on: 10.05.2022
Components: BI-BIP-INS
Category: Program error
High7,8
2756188Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments front-end
Priority: Correction with medium priority
Released on: 10.05.2022
Components: FI-FIO-AP
Category: Program error
Medium6,3
2754555Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments back-end
Priority: Correction with medium priority
Released on: 10.05.2022
Components: FI-FIO-AP
Category: Program error
Medium6,3
3165801[CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-ABA-LI
Category: Program error
Medium6,5
3164677[CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request)
Priority: Correction with medium priority
Released on: 10.05.2022
Components: PA-FIO-LEA
Category: Program error
Medium6,5
3158188[CVE-2022-28774] Information Disclosure vulnerability in SAP Host Agent logfile
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-CCM-HAG
Category: Program error
Medium5,3
3189409[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud
Priority: HotNews
Released on: 10.05.2022
Components: SBO-CRO-SEC
Category: Program error
Hot News9,8
3146336[CVE-2022-29610] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
Priority: Correction with medium priority
Released on: 10.05.2022
Components: CA-UI2-THD
Category: Program error
Medium5,4
3145702[CVE-2022-29616] Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-CST-MS
Category: Program error
Medium5,3
3145046[CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM)
Priority: Correction with high priority
Released on: 10.05.2022
Components: BC-CST-WDP
Category: Program error
High8,3
3143161Missing Authorization check for UI5 flexibility key user functionality
Priority: Correction with medium priority
Released on: 10.05.2022
Components: CA-UI5-FL-LRP
Category: Program error
Medium4,3
3165333[CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 12.04.2022
Components: BC-MID-ICF
Category: Program error
Medium4,7
3171258[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce
Priority: HotNews
Released on: 18.04.2022
Components: CEC-COM-CPS-WEB
Category: Program error
Hot News9,8
3189635[CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics
Priority: HotNews
Released on: 14.04.2022
Components: IS-T-MA
Category: Program error
Hot News9,8

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.