SAP Security Patch Day – May 2022

SAP security Patch day

SAP customers need to pay attention to the release of the SAP security updates, which have been published on 10th May 2022. This months SAP Security Patch Day covers 13 (+2) patches that should be carefully reviewed.

SAP Security Patches May 2022

We are committed to helping our customers become proactive. In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, we recommend taking other measures that limit the impact of a missing fix.

Highlights

In the May Patch Day, an update of the central note for Spring4Shell and another patch for the Web Dispatcher/Internet Communication Manager jumps out at us.

What has happened in terms of Spring4Shell?
Note 3170990 summarizes all security notes related to CVE-2022-22965. A new advisory has been added, 3189409 – [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Business One Cloud.

We would also like to point out that the notes 3189635 (published on 14.04.2022) and 3171258 (published on 18.04.2022) were published after the April patch day. So if you only pay attention to the SAP Patch Day notes, you might have missed them!

This time, too, the focus is on the SAP Web Dispatcher or the Internet Communication Manager (ICM). These components are so popular with attackers because they control access to the integrated webserver. It is not uncommon these components can be accessed from the outside, which is why a timely update is highly recommended. Please note the following security patch with CVSS 8.3 of 10: 3145046 – [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in the administration UI of SAP Web Dispatcher and SAP Netweaver AS for ABAP and Java (ICM)

Notes 3165801 (Missing Authorization check in SAP NetWeaver Application Server for ABAP) and 3145702 (Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver, and ABAP Platform) also close existing vulnerabilities in widely used SAP components and should therefore be noted.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The May release contains a total of 15 patches for the following severities:

Severity Number
Hot News
4
High
2
Medium
9
Note Description Severity CVSS
3170990 [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework
Priority: HotNews
Released on: 12.04.2022
Components: XX-SER-SN
Category: Program error
Hot News 9,8
2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
Priority: Correction with high priority
Released on: 10.05.2022
Components: BI-BIP-INS
Category: Program error
High 7,8
2756188 Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments front-end
Priority: Correction with medium priority
Released on: 10.05.2022
Components: FI-FIO-AP
Category: Program error
Medium 6,3
2754555 Cross-Site Request Forgery (CSRF) vulnerability in F0673 Approve Bank Payments back-end
Priority: Correction with medium priority
Released on: 10.05.2022
Components: FI-FIO-AP
Category: Program error
Medium 6,3
3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-ABA-LI
Category: Program error
Medium 6,5
3164677 [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request)
Priority: Correction with medium priority
Released on: 10.05.2022
Components: PA-FIO-LEA
Category: Program error
Medium 6,5
3158188 [CVE-2022-28774] Information Disclosure vulnerability in SAP Host Agent logfile
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-CCM-HAG
Category: Program error
Medium 5,3
3189409 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud
Priority: HotNews
Released on: 10.05.2022
Components: SBO-CRO-SEC
Category: Program error
Hot News 9,8
3146336 [CVE-2022-29610] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
Priority: Correction with medium priority
Released on: 10.05.2022
Components: CA-UI2-THD
Category: Program error
Medium 5,4
3145702 [CVE-2022-29616] Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver and ABAP Platform
Priority: Correction with medium priority
Released on: 10.05.2022
Components: BC-CST-MS
Category: Program error
Medium 5,3
3145046 [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM)
Priority: Correction with high priority
Released on: 10.05.2022
Components: BC-CST-WDP
Category: Program error
High 8,3
3143161 Missing Authorization check for UI5 flexibility key user functionality
Priority: Correction with medium priority
Released on: 10.05.2022
Components: CA-UI5-FL-LRP
Category: Program error
Medium 4,3
3165333 [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 12.04.2022
Components: BC-MID-ICF
Category: Program error
Medium 4,7
3171258 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce
Priority: HotNews
Released on: 18.04.2022
Components: CEC-COM-CPS-WEB
Category: Program error
Hot News 9,8
3189635 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics
Priority: HotNews
Released on: 14.04.2022
Components: IS-T-MA
Category: Program error
Hot News 9,8

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on 05.10.2022, is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.
S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.