Skip to content

SAP Security Patch Day – September 2022

SAP security Patch day

September 13th, 2022 – This means another SAP Security Patch Day on the calendar of SAP customers. It may be a coincidence but today is also the Day of the Programmer. Everyone was waiting for the next patch day, especially because the August edition was moderate in comparison. Many expected the worst. However, it didn’t get quite that bad.

SAP Security Patches September 2022

Today’s SAP Security Patch Day September 2022 release contains 8 new security advisories and 5 updates which sums up to a total of 13, according to SAP’s counting method

SAP Security Patch Day September 2022 PDF

However, when we check the SAP Security Portal -like we all do- we find 14 notes.

SAP Security Patch Day-Sept22-Portal

At the same time, we noticed that the well-known and continuously updated note 2622660 for the Google Chromium engine in the SAP Business Client in the SAP Security Portal wasn’t assigned to today’s release date. Our theory is that the SAP experts forgot to update the “Released On” date in the portal at the time of publication.

All notes having a “First Released On” and a “Released On” date back up our theory. The first timestamp is assigned by SAP staff when the note sees the light of day. The latter one is updated whenever the note receives an update.

Unfortunately, the saying “Many roads lead to Rome” does not apply to SAP Security Notes because you get different results via the various paths. By the way, the correct result is 16 because 16 SAP security patches were released today. You can find the complete list in our article.

It is important to check and apply the correct notes or patches. If you overlook a security fix, you can put your company at unnecessary risk. In this article we explain how to use the SAP OneLaunchpad Expert search

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The September release contains a total of 16 patches for the following severities:

SeverityNumber
Hot News
1
High
6
Medium
9
NoteDescriptionSeverityCVSS
2622660Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: Hot News priority
Released on: 23.08.2022
Components: BC-FES-BUS-DSK
Category: Program error
Hot News10,0
3102769Update to Security Note released on December 2021 Patch Day:[CVE-2021-42063]Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Priority: Correction with high priority priority
Released on: 23.08.2022
Components: KM-KW-HTA
Category: Program error
High8,8
3223392[CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One
Priority: Correction with high priority
Released on: 13.09.2022
Components: SBO-CRO-SEC
Category: Program error
High7,8
3219164[CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
Priority: Correction with medium priority
Released on: 13.09.2022
Components: EP-KM-FWK-CF
Category: Program error
Medium6,1
3217303[CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)
Priority: Correction with high priority
Released on: 13.09.2022
Components: BI-BIP-SRV
Category: Program error
High7,7
3159736[CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-CCM-MON-OS
Category: Program error
Medium6,7
3198137Update 1 to Security Note 3165333 - [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-MID-ICF
Category: Program error
Medium4,7
3126968Information Disclosure vulnerability in SAP CRM WebClient
Priority: Correction with medium priority
Released on: 13.09.2022
Components: CA-WUI-UI-TAG
Category: Program error
Medium4,3
2998510[CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
Priority: Correction with high priority
Released on: 10.05.2022
Components: BI-BIP-INS
Category: Program error
High7,8
3237075[CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management
Priority: Correction with high priority
Released on: 13.09.2022
Components: GRC-SAC-EAM
Category: Program error
High7,1
3229820[CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-FES-WGU
Category: Program error
Medium6,1
3226411[CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
Priority: Correction with high priority
Released on: 26.07.2022
Components: LOD-SF-EC
Category: Program error
High8,1
2634023Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN
Priority: Correction with medium priority
Released on: 13.09.2022
Components: QM-QN
Category: Program error
Medium6,3
3218177[CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-FES-WGU
Category: Program error
Medium5,4
3165333[CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 12.04.2022
Components: BC-MID-ICF
Category: Program error
Medium4,7
3150454Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium4,9

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Which cybersecurity framework is the best fit for SAP application security?” to learn more about the available frameworks, the challenges when adopting a framework, and more.

SecurityBridge at the DSAG Technologietage 2023

SecurityBridge will be attending the DSAG Technologietage 2023 from March 22nd-23rd at the Congress Center Rosengarten in Mannheim.
SAP Cyber risk
SAP Cybersecurity- Security News
Businesses must be more cautious to protect themselves from cyber threats as digitalization and the use of SAP systems increase. SAP S/4HANA is critical for many enterprises as it provides the foundation for business operations. As digitalization and Industry 4.0 continue to increase, SAP S/4HANA lays the foundation for many modern business scenarios. SAP systems are important for many industries and their security is a major concern, making them vulnerable to cyber attackers. This article will discuss cyber risks and how you can assess your individual and organizational SAP systems' risks. What are cyber risks?
Common SAP Patches
SAP Cybersecurity- SAP Patch Management- SAP Security Patch Day- Security News
Installing SAP patches is crucial for maintaining a robust and secure enterprise resource planning (ERP) system. SAP, one of the leading ERP systems in the world, is constantly evolving to meet the changing needs of businesses. As a result, SAP releases various patches to address issues and enhance the functionality of its software. However, installing SAP patches can present challenges for IT teams, such as ensuring minimal disruption to business operations, managing risks, and testing the non-implemented patches. This article will discuss the three most common types of SAP patches- kernel patches, snote patches, and support packs - and the best practices for installing them.
SAP interfaces
SAP Cybersecurity- SAP Interface- Security News
In this blog article, we will explore the importance of SAP interface security and discuss the various measures businesses can take to protect their systems and data. We will also examine some common threats to SAP interfaces and how to mitigate them. To safeguard your business, you need to understand the importance of SAP interface security and take steps to make your interfaces secure. 
SAP security Patch day
10th January 2023 SAP response team sends some Happy New Year greeting to the SAP Security Teams, by releasing 10 SAP Security Notes.