
SAP Security Patch Day – October 2022


October 11th is not only the monthly SAP Security Patch Day; it is also the first day of the annual DSAG conference, this year taking place in Leipzig. The German-speaking SAP user community will meet there from 11 to 13 October, and the topic of an SAP Security Dashboard is coming back onto the agenda. For many years SAP customers have wanted a holistic overview of current vulnerabilities as they manifest in security events, including a reliable view of the relevant and still pending SAP Security Notes. Such a dashboard would show 15 new SAP Security Notes for the October Patch Day, and ideally only those Notes applicable to the customer's landscape would show as pending implementation. This would make patching considerably easier, since checking every system manually is time-consuming and error-prone.

SecurityBridge customers already have access to a patch management dashboard of the kind many companies running SAP are asking for. Looking at the corrections released on October's Patch Day, the dashboard lets you quickly triage and coordinate patching based on the SAP products you actually have installed.

SAP Security Patches October 2022

From September 14th to October 11th, 22 SAP security patches were released or updated. Seventeen notes (15 new and two updates) were officially assigned to the October Patch Day by the SAP Response Team.

With a CVSS of 9.9, note 3242933 is classified as "Hot News" priority. SAP corrects a file path traversal vulnerability in SAP Manufacturing Execution. There is one more "Hot News" note (CVSS 9.6), a patch dealing with a clickjacking vulnerability in the SAP Commerce login form (SNote 3239152). Customers using the affected SAP products should take immediate action because, according to our experts, these vulnerabilities pose a direct exploitation risk.

Five further corrections carry a high-priority classification and deserve attention; they affect users of the SAP 3D Visual Enterprise and SAP BusinessObjects products. For a complete list of released SAP security patches, please see our overview below:

Use SecurityBridge Patch Management to never miss an important patch applicable to your SAP products.

Summary by Severity

The October release contains a total of 17 patches for the following severities:

Severity    Number
Hot News    2
High        5
Medium      10
Note 3239293: [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder)
  Priority: Correction with high priority | Released on: 11.10.2022 | Components: BI-BIP-ADM | Category: Program error
  Severity: High | CVSS: 7.7

Note 3229425: [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: BI-RA-AWB | Category: Program error
  Severity: Medium | CVSS: 5.4

Note 3229132: [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)
  Priority: Correction with high priority | Released on: 11.10.2022 | Components: BI-BIP-ADM | Category: Program error
  Severity: High | CVSS: 8.2

Note 3211161: [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad)
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: BI-BIP-INV | Category: Program error
  Severity: Medium | CVSS: 6.1

Note 3248970: [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya)
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: CEC-PRO-GIY | Category: Program error
  Severity: Medium | CVSS: 4.9

Note 3248384: [CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya)
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: CEC-PRO-GIY | Category: Program error
  Severity: Medium | CVSS: 4.9

Note 3245929: [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author
  Priority: Correction with high priority | Released on: 11.10.2022 | Components: CA-VE-VEA | Category: Program error
  Severity: High | CVSS: 7.0

Note 3245928: [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer
  Priority: Correction with high priority | Released on: 11.10.2022 | Components: CA-VE-VEV | Category: Program error
  Severity: High | CVSS: 7.0

Note 3242933: [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution
  Priority: HotNews | Released on: 11.10.2022 | Components: MFG-ME | Category: Program error
  Severity: Hot News | CVSS: 9.9

Note 3202523: Cross-Site Scripting (XSS) vulnerability in SAP Commerce
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: CEC-COM-CPS | Category: Program error
  Severity: Medium | CVSS: 6.1

Note 3049899: [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: KM-SEN-MGR | Category: Upgrade information
  Severity: Medium | CVSS: 6.5

Note 3167342: [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: EIM-DS-SVR | Category: Program error
  Severity: Medium | CVSS: 4.8

Note 3239152: [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form
  Priority: HotNews | Released on: 11.10.2022 | Components: CEC-COM-CPS | Category: Program error
  Severity: Hot News | CVSS: 9.6

Note 3234755: Information Disclosure vulnerability in Master Data Governance
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: CA-MDG-APP-CUS | Category: Program error
  Severity: Medium | CVSS: 4.3

Note 3233226: [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System)
  Priority: Correction with medium priority | Released on: 11.10.2022 | Components: BI-BIP-LCM | Category: Program error
  Severity: Medium | CVSS: 6.8

Note 3232021: [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ
  Priority: Correction with high priority | Released on: 11.10.2022 | Components: BC-SYB-SQA | Category: Program error
  Severity: High | CVSS: 8.1

Note 3150454: Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
  Priority: Correction with medium priority | Released on: 12.07.2022 | Components: BC-MID-RFC | Category: Program error
  Severity: Medium | CVSS: 4.9
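The triage the article describes (show only the Notes applicable to your landscape, Hot News first, and hide what is already implemented) can be reproduced from the list above. The following is an added example written for this page; it is not SecurityBridge's code. The Note data is transcribed from the October 2022 table above with shortened titles; the installed-component list in the usage block is a constructed landscape, and the component-prefix matching rule (an installed "BI-BIP" covers "BI-BIP-ADM") is an assumption about how you map your own system inventory onto SAP component codes.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Order in which priorities should be worked off.
SEVERITY_RANK = {"Hot News": 0, "High": 1, "Medium": 2, "Low": 3}


@dataclass(frozen=True)
class SapNote:
    note: str        # SAP Security Note number
    cve: str         # "" where the page lists no CVE, "multiple" for [Multiple CVEs]
    title: str       # shortened description
    priority: str    # "Hot News", "High" or "Medium"
    cvss: float
    component: str   # SAP application component as printed on the page
    released: str    # DD.MM.YYYY as printed on the page


# Transcribed from the October 2022 Patch Day table on this page.
NOTES = [
    SapNote("3239293", "CVE-2022-39015", "Info disclosure, BOBJ BI Platform (AdminTools/Query Builder)", "High", 7.7, "BI-BIP-ADM", "11.10.2022"),
    SapNote("3229425", "CVE-2022-41206", "XSS, BOBJ BI platform / Analysis for OLAP", "Medium", 5.4, "BI-RA-AWB", "11.10.2022"),
    SapNote("3229132", "CVE-2022-39013", "Info disclosure, BOBJ BI Platform (Program Objects)", "High", 8.2, "BI-BIP-ADM", "11.10.2022"),
    SapNote("3211161", "CVE-2022-39800", "XSS, BOBJ BI Platform (BI LaunchPad)", "Medium", 6.1, "BI-BIP-INV", "11.10.2022"),
    SapNote("3248970", "CVE-2022-41209", "Info disclosure, SAP Customer Data Cloud (Gigya)", "Medium", 4.9, "CEC-PRO-GIY", "11.10.2022"),
    SapNote("3248384", "CVE-2022-41210", "Info disclosure, SAP Customer Data Cloud (Gigya)", "Medium", 4.9, "CEC-PRO-GIY", "11.10.2022"),
    SapNote("3245929", "multiple", "Multiple vulnerabilities, SAP 3D Visual Enterprise Author", "High", 7.0, "CA-VE-VEA", "11.10.2022"),
    SapNote("3245928", "multiple", "Multiple vulnerabilities, SAP 3D Visual Enterprise Viewer", "High", 7.0, "CA-VE-VEV", "11.10.2022"),
    SapNote("3242933", "CVE-2022-39802", "File path traversal, SAP Manufacturing Execution", "Hot News", 9.9, "MFG-ME", "11.10.2022"),
    SapNote("3202523", "", "XSS, SAP Commerce", "Medium", 6.1, "CEC-COM-CPS", "11.10.2022"),
    SapNote("3049899", "CVE-2022-35297", "Stored XSS, SAP Enable Now", "Medium", 6.5, "KM-SEN-MGR", "11.10.2022"),
    SapNote("3167342", "CVE-2022-35226", "XSS, Data Services Management Console", "Medium", 4.8, "EIM-DS-SVR", "11.10.2022"),
    SapNote("3239152", "CVE-2022-41204", "Account hijacking via URL redirection, SAP Commerce login form", "Hot News", 9.6, "CEC-COM-CPS", "11.10.2022"),
    SapNote("3234755", "", "Info disclosure, Master Data Governance", "Medium", 4.3, "CA-MDG-APP-CUS", "11.10.2022"),
    SapNote("3233226", "CVE-2022-35296", "Info disclosure, BOBJ BI Platform (Version Management System)", "Medium", 6.8, "BI-BIP-LCM", "11.10.2022"),
    SapNote("3232021", "CVE-2022-35299", "Buffer overflow, SAP SQL Anywhere and SAP IQ", "High", 8.1, "BC-SYB-SQA", "11.10.2022"),
    SapNote("3150454", "", "Info disclosure, SAP NetWeaver AS ABAP and ABAP Platform", "Medium", 4.9, "BC-MID-RFC", "12.07.2022"),
]


def component_matches(installed: str, component: str) -> bool:
    """True if `component` equals `installed` or lies below it in the hierarchy.

    Assumption for this example: SAP component codes are dash-separated and
    hierarchical, so an installed "BI-BIP" covers "BI-BIP-ADM" but not "BI-BIPX".
    """
    return component == installed or component.startswith(installed + "-")


def pending(notes: Iterable[SapNote], installed: Iterable[str],
            implemented: Iterable[str] = ()) -> List[SapNote]:
    """Notes that apply to the landscape and are not yet implemented.

    Ordered Hot News first, then High, then Medium; within a priority by CVSS
    descending; ties broken by note number so the output is deterministic.
    """
    installed = tuple(installed)
    done = set(implemented)
    hits = [n for n in notes
            if n.note not in done
            and any(component_matches(i, n.component) for i in installed)]
    return sorted(hits, key=lambda n: (SEVERITY_RANK[n.priority], -n.cvss, n.note))


def severity_summary(notes: Iterable[SapNote]) -> Dict[str, int]:
    """Count notes per priority, i.e. the 'Summary by Severity' table."""
    return dict(Counter(n.priority for n in notes))


if __name__ == "__main__":
    # Constructed landscape: a BusinessObjects BI platform and SAP Commerce,
    # with one note already applied during an earlier maintenance window.
    landscape = ["BI-BIP", "CEC-COM-CPS"]
    print("Summary by severity:", severity_summary(NOTES))
    for n in pending(NOTES, landscape, implemented={"3202523"}):
        print(f"{n.priority:8} {n.cvss:4.1f}  {n.note}  {n.component:12} {n.title}")
```

Feeding this your real system inventory (for example the component list from SAP Solution Manager or a CMDB export) instead of the constructed `landscape` turns the 17-row table into the short, prioritised queue the article argues for; anything not in that queue is either out of scope for your products or already implemented, which is exactly the manual check the text calls time-consuming and error-prone.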

Posted by Christoph Nagy