Skip to content
Linkedin Twitter Facebook Xing
< Back to Overview

SAP Security Patch Day – December 2022

SAP security Patch day

Today, December 13rd, 2022, is another day for SAP to release security updates for its wide-ranging product portfolio. The enterprise applications from Walldorf help companies to carry out their critical business transactions. This makes it all the more important to keep these software components continuously up-to-date. In any case, customers must try to promptly implement security-relevant updates and thereby comply with any legal requirements.

If you’ve ever wondered why SAP patching doesn’t work as easily as Windows updates, you should definitely watch our recorded webinar. In the recording you will learn how our customer Lonza, successfully deploys the SecurityBridge solution and SecurityBridge CTO, Ivan Mans, shows the patch management solution all SAP customers want.

 

SAP Security Patches December 2022

Today SAP released 14 new SAP security updates, as well as 4 updates from previous releases. The patch day in December stands out because again 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So unfortunately everything else than a contemplative pre-Christmas period for those responsible for SAP patching. Many will probably have looked forward to a quiet pre-Christmas period. Now memories of the past Christmas of 2021 come up, where Log4j2 kept the teams on their toes. However, it’s not quite that bad in comparison to last year, the patches are available and just need to be applied.

Note 3239475 listed as CVE-2022-41267 resolves a vulnerability in the SAP Business Object Platform. No workarounds are known so far. The correction is done by installing a support package.

At 3273480 comes another note with priority Hot News that fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround, however SAP points out that specific prerequisites must be met in order for the attack to be successful.

An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open source java library Apache Commons Text that contains a flaw with CVE-2022-42889. In this case SAP points to a workaround.

The last of our four hot news releases today is advisory 3267780, which also resolves a vulnerability in SAP process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. The vulnerability is fixed via a support package, which is filed in the Security Note. For more information, see also the Knowledge Base article number 3271729.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Request a Demo

Summary by Severity

The December release contains a total of 17 patches for the following severities:

SeverityNumber
Hot News
4
High
4
Medium
9
NoteDescriptionSeverityCVSS
3265173[CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SV-SMG-DIA-SRV-AGT
Category: Program error		Medium6,0
3258950Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-BSP
Category: Program error		Medium6,1
3267780[CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-MSG
Category: Program error		Hot News9,4
3271313[CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-EIM-ESH
Category: Program error		Medium6,1
3239475[CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.12.2022
Components: BI-BIP-SRV
Category: Program error		Hot News9,9
3266846[CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: EPM-DSM-GEN
Category: Program error		Medium6,5
3262544[CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-JAS-WEB
Category: Program error		Medium6,1
3273480[CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-UDS
Category: Program error		Hot News9,9
3248255[CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce
Priority: Correction with high priority
Released on: 13.12.2022
Components: CEC-COM-CPS
Category: Program error		High8,0
3249648[CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BI-RA-WBI
Category: Program error		Medium4,3
3271523Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce
Priority: HotNews
Released on: 13.12.2022
Components: CEC-COM-CPS-COR
Category: Program error		Hot News9,8
3271091[CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
Priority: Correction with high priority
Released on: 13.12.2022
Components: EPM-BPC-NW
Category: Program error		High8,5
3268172[CVE-2022-41264] Code Injection vulnerability in SAP BASIS
Priority: Correction with high priority
Released on: 13.12.2022
Components: BC-DB-HDB-POR
Category: Program error		High8,8
3270399[CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SRM-ESO-SEC
Category: Program error		Medium4,3
2872782[CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00
Priority: Correction with medium priority
Released on: 14.04.2020
Components: BC-BSP
Category: Program error		Medium6,1
3234755Information Disclosure vulnerability in Master Data Governance
Priority: Correction with medium priority
Released on: 11.10.2022
Components: CA-MDG-APP-CUS
Category: Program error		Medium4,3
3229132[CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)
Priority: Correction with high priority
Released on: 11.10.2022
Components: BI-BIP-ADM
Category: Program error		High8,2

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
View Advisory for Nov'22
White Paper - Bridging the Gap How SecurityBridge Supports NIST CSF in SAP Environments
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.
Security Automation Webinar

Security Automation: The Need for a Last Line of Defense

Join our upcoming webinar session on Security Automation with special guests from SecurityBridge and discover how you can automate your SAP security and compliance processes to improve your security posture and implement a last line of defence for your mission-critical SAP landscape.
Learn more
Senior SAP Developer Singapore

Senior SAP Developer (ABAP/4 and SAPUI5 Fiori) – Singapore

Careers
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.

Countering Data Breaches – An Urgent Call for Action

SAP Cybersecurity
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst

Financial Controller

Careers
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.