SAP Security Patch Day – September 2022

SAP security Patch day

September 13th, 2022 – This means another SAP Security Patch Day on the calendar of SAP customers. It may be a coincidence but today is also the Day of the Programmer. Everyone was waiting for the next patch day, especially because the August edition was moderate in comparison. Many expected the worst. However, it didn’t get quite that bad.

SAP Security Patches September 2022

Today’s SAP Security Patch Day September 2022 release contains 8 new security advisories and 5 updates which sums up to a total of 13, according to SAP’s counting method

SAP Security Patch Day September 2022 PDF

However, when we check the SAP Security Portal -like we all do- we find 14 notes.

SAP Security Patch Day-Sept22-Portal

At the same time, we noticed that the well-known and continuously updated note 2622660 for the Google Chromium engine in the SAP Business Client in the SAP Security Portal wasn’t assigned to today’s release date. Our theory is that the SAP experts forgot to update the “Released On” date in the portal at the time of publication.

All notes having a “First Released On” and a “Released On” date back up our theory. The first timestamp is assigned by SAP staff when the note sees the light of day. The latter one is updated whenever the note receives an update.

Unfortunately, the saying “Many roads lead to Rome” does not apply to SAP Security Notes because you get different results via the various paths. By the way, the correct result is 16 because 16 SAP security patches were released today. You can find the complete list in our article.

It is important to check and apply the correct notes or patches. If you overlook a security fix, you can put your company at unnecessary risk.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The September release contains a total of 16 patches for the following severities:

Severity Number
Hot News
1
High
6
Medium
9
Note Description Severity CVSS
2622660 Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client
Priority: Hot News priority
Released on: 23.08.2022
Components: BC-FES-BUS-DSK
Category: Program error
Hot News 10,0
3102769 Update to Security Note released on December 2021 Patch Day:[CVE-2021-42063]Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse
Priority: Correction with high priority priority
Released on: 23.08.2022
Components: KM-KW-HTA
Category: Program error
High 8,8
3223392 [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One
Priority: Correction with high priority
Released on: 13.09.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,8
3219164 [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
Priority: Correction with medium priority
Released on: 13.09.2022
Components: EP-KM-FWK-CF
Category: Program error
Medium 6,1
3217303 [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)
Priority: Correction with high priority
Released on: 13.09.2022
Components: BI-BIP-SRV
Category: Program error
High 7,7
3159736 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-CCM-MON-OS
Category: Program error
Medium 6,7
3198137 Update 1 to Security Note 3165333 - [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-MID-ICF
Category: Program error
Medium 4,7
3126968 Information Disclosure vulnerability in SAP CRM WebClient
Priority: Correction with medium priority
Released on: 13.09.2022
Components: CA-WUI-UI-TAG
Category: Program error
Medium 4,3
2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
Priority: Correction with high priority
Released on: 10.05.2022
Components: BI-BIP-INS
Category: Program error
High 7,8
3237075 [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management
Priority: Correction with high priority
Released on: 13.09.2022
Components: GRC-SAC-EAM
Category: Program error
High 7,1
3229820 [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-FES-WGU
Category: Program error
Medium 6,1
3226411 [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
Priority: Correction with high priority
Released on: 26.07.2022
Components: LOD-SF-EC
Category: Program error
High 8,1
2634023 Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN
Priority: Correction with medium priority
Released on: 13.09.2022
Components: QM-QN
Category: Program error
Medium 6,3
3218177 [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
Priority: Correction with medium priority
Released on: 13.09.2022
Components: BC-FES-WGU
Category: Program error
Medium 5,4
3165333 [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
Priority: Correction with medium priority
Released on: 12.04.2022
Components: BC-MID-ICF
Category: Program error
Medium 4,7
3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium 4,9

Posted by

Christoph Nagy
Share on linkedin
Share on twitter
Share on email
Find recent Security Advisories for SAP©
Download the White Paper “YOUR ROAD TO SAP SECURITY” to learn about the major milestones towards increasing the cybersecurity posture of your SAP systems.

Webinar: Why is SAP Security Patching not like Windows Updates?

The webinar, taking place on 05.10.2022, is all about SAP Patch Management and its challenges. The German-speaking SAP User Group (DSAG) and the American colleagues of ASUG asked why SAP security patching cannot be as simple and effective as, for example, Windows updates.
S/4HANA migration
SAP Cybersecurity- SAP Security Automation- Security News
“There are a few constants in life” – a statement that also applies to the SAP user community. It has always been a challenge for SAP customers to bring their large SAP environments to a current release level. Although the vendor has done a lot in the past to simplify this, it is still not a complex undertaking.
SecurityBridge
Here at SecurityBridge, we are extremely lucky to have a team full of amazing professionals. Thanks to our team, we have achieved extraordinary things in the past couple of years. With that in mind, we thought it was time for us to start introducing you to the team that drives everything behind the scenes. And we couldn't have chosen a better example to start with than our very own, Harish Dahima! Read on and learn all about Harish's life as a Senior Product Developer, his role, and life at SecurityBridge.
SAP Cloud Connector
SAP Cloud Security- SAP Cybersecurity- Security News
Every organization constantly faces the challenge of minimizing the attack surface that an adversary could use to perform malicious operations. To do this, administrators must install the deployed components and understand them in detail to identify risks and proactively mitigate or prevent those. Today we are looking at what is necessary to protect the SAP Cloud Connector.
SAP Cycling event
Life at SecurityBridge- Partner News- Security News
It was John F. Kennedy who once said: “nothing compares to the simple pleasure of a bike ride”. And what a pleasure it has been! We had our annual bike ride with friends from Accenture, Deloitte, CGI, McCoy, Thales, KPN, Hunt &Hacket, and security leaders from major customers. We had a lot of opportunities for exchange in the cozy atmosphere among like-minded people who all love road cycling and have SAP Security improvement in mind.