Skip to content

SAP Security Patch Day – December 2022

SAP security Patch day

Today, December 13rd, 2022, is another day for SAP to release security updates for its wide-ranging product portfolio. The enterprise applications from Walldorf help companies to carry out their critical business transactions. This makes it all the more important to keep these software components continuously up-to-date. In any case, customers must try to promptly implement security-relevant updates and thereby comply with any legal requirements.

If you’ve ever wondered why SAP patching doesn’t work as easily as Windows updates, you should definitely watch our recorded webinar. In the recording you will learn how our customer Lonza, successfully deploys the SecurityBridge solution and SecurityBridge CTO, Ivan Mans, shows the patch management solution all SAP customers want.

 

SAP Security Patches December 2022

Today SAP released 14 new SAP security updates, as well as 4 updates from previous releases. The patch day in December stands out because again 4 SAP patches have been released with the priority Hot News. In addition, there are another 5 patches with the priority High. So unfortunately everything else than a contemplative pre-Christmas period for those responsible for SAP patching. Many will probably have looked forward to a quiet pre-Christmas period. Now memories of the past Christmas of 2021 come up, where Log4j2 kept the teams on their toes. However, it’s not quite that bad in comparison to last year, the patches are available and just need to be applied.

Note 3239475 listed as CVE-2022-41267 resolves a vulnerability in the SAP Business Object Platform. No workarounds are known so far. The correction is done by installing a support package.

At 3273480 comes another note with priority Hot News that fixes a vulnerability in SAP Process Integration. The associated CVE is CVE-2022-41272. Due to insufficient authentication, an attacker with network access may be able to exploit a user-defined search (UDS). It is also noted that there is no workaround, however SAP points out that specific prerequisites must be met in order for the attack to be successful.

An Apache component allows remote code execution in SAP Commerce. This vulnerability is fixed in note 3271523. Again, this correction has been given a priority rating of 9.8, i.e., Hot News. SAP Commerce uses a version of the open source java library Apache Commons Text that contains a flaw with CVE-2022-42889. In this case SAP points to a workaround.

The last of our four hot news releases today is advisory 3267780, which also resolves a vulnerability in SAP process Integration. An unauthenticated attacker can connect to an open interface to perform unauthorized operations. The vulnerability is listed as CVE-2022-41271. The vulnerability is fixed via a support package, which is filed in the Security Note. For more information, see also the Knowledge Base article number 3271729.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The December release contains a total of 17 patches for the following severities:

Severity Number
Hot News
4
High
4
Medium
9
Note Description Severity CVSS
3265173 [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SV-SMG-DIA-SRV-AGT
Category: Program error
Medium 6,0
3258950 Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-BSP
Category: Program error
Medium 6,1
3267780 [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-MSG
Category: Program error
Hot News 9,4
3271313 [CVE-2022-41275] Offener Redirect in SAP Solutions Manager (Enterprise Search)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-EIM-ESH
Category: Program error
Medium 6,1
3239475 [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform
Priority: HotNews
Released on: 13.12.2022
Components: BI-BIP-SRV
Category: Program error
Hot News 9,9
3266846 [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: EPM-DSM-GEN
Category: Program error
Medium 6,5
3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BC-JAS-WEB
Category: Program error
Medium 6,1
3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search)
Priority: HotNews
Released on: 13.12.2022
Components: BC-XI-CON-UDS
Category: Program error
Hot News 9,9
3248255 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce
Priority: Correction with high priority
Released on: 13.12.2022
Components: CEC-COM-CPS
Category: Program error
High 8,0
3249648 [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence)
Priority: Correction with medium priority
Released on: 13.12.2022
Components: BI-RA-WBI
Category: Program error
Medium 4,3
3271523 Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce
Priority: HotNews
Released on: 13.12.2022
Components: CEC-COM-CPS-COR
Category: Program error
Hot News 9,8
3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation
Priority: Correction with high priority
Released on: 13.12.2022
Components: EPM-BPC-NW
Category: Program error
High 8,5
3268172 [CVE-2022-41264] Code Injection vulnerability in SAP BASIS
Priority: Correction with high priority
Released on: 13.12.2022
Components: BC-DB-HDB-POR
Category: Program error
High 8,8
3270399 [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management
Priority: Correction with medium priority
Released on: 13.12.2022
Components: SRM-ESO-SEC
Category: Program error
Medium 4,3
2872782 [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00
Priority: Correction with medium priority
Released on: 14.04.2020
Components: BC-BSP
Category: Program error
Medium 6,1
3234755 Information Disclosure vulnerability in Master Data Governance
Priority: Correction with medium priority
Released on: 11.10.2022
Components: CA-MDG-APP-CUS
Category: Program error
Medium 4,3
3229132 [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)
Priority: Correction with high priority
Released on: 11.10.2022
Components: BI-BIP-ADM
Category: Program error
High 8,2

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

SAP Security Customer Event 2024 – Hosted by SecurityBridge, Accenture & bowbridge

The premier SAP Security Customer event is back and better than ever. We’re thrilled to invite you to our ‘Secure Together’ event, set against the breathtaking backdrop of the Euromast in Rotterdam, the Netherlands.
hacking
In SAP’s patch round of February 2022, an SAP Security Note was released with a CVSS score of 10/10 named, “Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher”. This particular type of vulnerability is not common in SAP systems and therefore interesting to look at. As patching the SAP kernel executables is often not done promptly, we can expect this vulnerability present in the customer’s systems for quite some time.
code pc
In one of our recent articles, we pointed out the use of Access Control Lists (ACLs) to better manage access control. Below, we will show a practical example of how this can be done for inbound HTTP communication with the ‘Internet Communication Manager’ (ICM) component of an SAP system.
SAP Security Patch Tuesday 2024
For February 2024, 13 new Security Notes have been released and 3 have been updated. Lets look at some highlights, starting with the ‘HowNews’ notes.