SAP Security Patch Day – December 2022
Today, December 13th, 2022, is another day on which SAP releases security updates for its wide-ranging product portfolio. The enterprise applications from Walldorf help companies carry out their critical business transactions, which makes it all the more important to keep these software components continuously up to date. In any case, customers must try to implement security-relevant updates promptly and thereby comply with any legal requirements.
If you’ve ever wondered why SAP patching doesn’t work as easily as Windows updates, you should definitely watch our recorded webinar. In the recording you will learn how our customer Lonza successfully deploys the SecurityBridge solution, and SecurityBridge CTO Ivan Mans shows the patch management solution all SAP customers want.
SAP Security Patches December 2022
Today SAP released 14 new SAP security updates, as well as 4 updates to notes from previous releases. The December patch day stands out because, once again, 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So, unfortunately, it is anything but a contemplative pre-Christmas period for those responsible for SAP patching, many of whom will probably have been looking forward to a quiet run-up to the holidays. This brings back memories of Christmas 2021, when Log4j2 kept the teams on their toes. However, it is not quite that bad in comparison to last year: the patches are available and just need to be applied.
Note 3273480 is another note with priority Hot News; it fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround; however, SAP points out that specific prerequisites must be met for the attack to be successful.
An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open-source Java library Apache Commons Text that contains the flaw tracked as CVE-2022-42889. In this case SAP points to a workaround.
The last of our four Hot News releases today is advisory 3267780, which also resolves a vulnerability in SAP Process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. It is fixed via a support package, which is referenced in the Security Note. For more information, see also Knowledge Base article 3271729.
Summary by Severity
The December release contains a total of 17 patches for the following severities: