
SAP Security Patch Day – November 2022


Today, November 8th, 2022, SAP releases security fixes for its product portfolio for the penultimate time this year as part of the November SAP Security Patch Day. SAP released 10 new patches and updated 2 security notes from previous Patch Days.

If you see a different number in the Security Notes application of SAP's Support Launchpad, the following article describes how to reproduce the count with the Expert Search.

The Expert Search shows 14 Security Patches released between the previous SAP Security Patch Day and the November release.

Have you ever wondered why installing SAP Security Patches can't be as easy as Windows Update? Join our webinar on November 10th at 3 pm CET: a Senior Cybersecurity Analyst at Lonza will share his experiences with SAP cybersecurity, and our CTO Ivan Mans will show how SecurityBridge Patch Management can ease your life and significantly improve your system security.

SAP Security Patches November 2022

In this section, you will find a summary of the highlights, i.e., the SAP Security Notes for which we recommend quick action. At the same time, you should check all Security Notes for updates, including those you have already implemented: SAP experts also update previous fixes outside the regular SAP Patch Day, and a note that was implemented in an older version may need to be applied again in its current version.

A large number of SAP customers may be affected by note 3256571, which addresses several vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform (component BC-CTS-TMS, the Transport Management System). The note is rated High with a CVSS score of 8.7.

SAP BusinessObjects Business Intelligence Platform has received a Hot News fix (CVSS 9.9). We recommend checking note 3243924 for relevance. The underlying issue is insecure deserialization of untrusted data in the Central Management Console and BI Launchpad: an authenticated attacker with relatively low privileges can inject malicious serialized content, which can fully compromise the system's confidentiality, integrity, and availability. SAP also publishes workaround instructions in the note. If you cannot install the patch in the short term, check the workaround and apply it temporarily if necessary.

Customers running SAPUI5 on a version other than 1.71.51, 1.84.29, 1.96.14, 1.102.8 or 1.105.2 (the fixed library versions) should take a closer look at note 3249990 [CVE-2021-20223], which addresses multiple vulnerabilities in the SQLite library bundled with SAPUI5. The 2021 CVE number indicates that the vulnerability has been publicly known for some time, so affected customers must ask themselves whether it was exploited unnoticed. The risk is particularly high where the SAP Fiori/SAPUI5 user interface is exposed to untrusted networks.
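To make the version condition concrete, here is an added example (our own, not code from SAP, the note, or SecurityBridge) that reads the version a SAPUI5 installation reports and decides whether it is at or beyond the fixed patch level on its maintenance line. It assumes the sap-ui-version.json file that SAPUI5 serves under /resources/ (the sample content below is constructed) and that later patch levels on a listed maintenance line keep the fix; maintenance lines not named in the note are reported as "unknown" so they get a manual check against the note rather than a silent pass.

```python
"""Check a SAPUI5 version against the fixed levels listed in SAP note 3249990.

Added example, not code from SAP or SecurityBridge. The fixed versions are
those named in the note; treating later patch levels on the same maintenance
line as fixed is our assumption, as is the sample JSON below.
"""
import json
import re
from typing import Dict, Tuple

# Fixed versions named in note 3249990, keyed by maintenance line (major, minor).
FIXED_VERSIONS: Dict[Tuple[int, int], Tuple[int, int, int]] = {
    (1, 71): (1, 71, 51),
    (1, 84): (1, 84, 29),
    (1, 96): (1, 96, 14),
    (1, 102): (1, 102, 8),
    (1, 105): (1, 105, 2),
}

# Accept "1.96.14" as well as suffixed builds such as "1.96.14-SNAPSHOT".
_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)")


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn a SAPUI5 version string into a comparable (major, minor, patch) tuple."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"not a SAPUI5 version: {text!r}")
    major, minor, patch = (int(x) for x in m.groups())
    return (major, minor, patch)


def assess(version: str) -> str:
    """Return 'fixed', 'vulnerable' or 'unknown' for one SAPUI5 version string."""
    parsed = parse_version(version)
    fixed = FIXED_VERSIONS.get(parsed[:2])
    if fixed is None:
        # Maintenance line not listed in the note: do not guess, flag for review.
        return "unknown"
    return "fixed" if parsed >= fixed else "vulnerable"


def assess_version_file(raw_json: str) -> dict:
    """Parse a sap-ui-version.json document and assess the distribution and each library.

    Libraries normally share the distribution version, but a mixed deployment
    (e.g. a patched core next to an old sap.ui.vtk) would otherwise go unnoticed.
    """
    doc = json.loads(raw_json)
    result = {"version": doc["version"], "status": assess(doc["version"]), "libraries": {}}
    for lib in doc.get("libraries", []):
        result["libraries"][lib["name"]] = assess(lib["version"])
    return result


# Constructed sample mirroring the shape of resources/sap-ui-version.json.
SAMPLE_VERSION_JSON = json.dumps({
    "name": "SAPUI5 Distribution",
    "version": "1.96.12",
    "buildTimestamp": "202209271234",
    "libraries": [
        {"name": "sap.ui.core", "version": "1.96.12"},
        {"name": "sap.ui.vtk", "version": "1.96.12"},
    ],
})

if __name__ == "__main__":
    print(assess_version_file(SAMPLE_VERSION_JSON))
    for v in ("1.71.51", "1.71.50", "1.102.9", "1.108.0"):
        print(v, assess(v))
```

On a real system, fetch /resources/sap-ui-version.json from the Fiori launchpad host (authenticated, from the network you are assessing) and pass its body to assess_version_file; a result of "vulnerable" on an internet-facing launchpad is the scenario the note singles out.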

Use SecurityBridge Patch Management to never miss an important patch applicable to your SAP products.

Summary by Severity

The November release contains a total of 10 patches for the following severities:

Severity    Number
Hot News    2
High        2
Medium      6
Note / Description / Severity / CVSS

Note 3251202: [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: BC-MID-ICF
    Category: Program error
    Severity: Medium (CVSS 4.7)

Note 3218159: Insufficient Session Expiration in Central Fiori Launchpad
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: CA-FLP-FE-COR
    Category: Program error
    Severity: Medium (CVSS 6.1)

Note 3263436: [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer
    Priority: Correction with high priority
    Released on: 08.11.2022
    Components: CA-VE-VEA
    Category: Program error
    Severity: High (CVSS 7.0)

Note 3243924: [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad)
    Priority: Hot News
    Released on: 08.11.2022
    Components: BI-RA-WBI-FE
    Category: Program error
    Severity: Hot News (CVSS 9.9)

Note 3249990: [CVE-2021-20223] Multiple Vulnerabilities in SQLite bundled with SAPUI5
    Priority: Hot News
    Released on: 08.11.2022
    Components: CA-UI5-VTK-VIT
    Category: Program error
    Severity: Hot News (CVSS 9.8)

Note 3229987: [CVE-2022-41259] Denial of Service (DoS) in SAP SQL Anywhere
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: BC-SYB-SQA
    Category: Program error
    Severity: Medium (CVSS 6.5)

Note 3238042: [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: FIN-FSCM-BD
    Category: Program error
    Severity: Medium (CVSS 6.1)

Note 3237251: [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: BC-FES-GUI
    Category: Program error
    Severity: Medium (CVSS 5.5)

Note 3256571: [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform
    Priority: Correction with high priority
    Released on: 08.11.2022
    Components: BC-CTS-TMS
    Category: Program error
    Severity: High (CVSS 8.7)

Note 3260708: [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation
    Priority: Correction with medium priority
    Released on: 08.11.2022
    Components: EPM-BFC-TCL-ADM-SEC
    Category: Program error
    Severity: Medium (CVSS 6.5)

Posted by Christoph Nagy