Skip to content

SAP Security Patch Day – January 2022

SAP security Patch day

On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.

Log4j - Still a major concern?

Yesterday SAP published consolidated January patches, same as every 2nd Tuesday of a month. After the Log4j vulnerability, which also went by the name Log4Shell, most companies have been on tenterhooks. SAP has been publishing a collective advisory note, 3131047, titled “Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component”. It combines all fixes and recommendations in one central location. This is not only a very convenient approach for customers, it also highlights how far-reaching the impact of the vulnerability is, also for SAP customers.

Note 3131047 now contains 20 additional correction instructions and references 19 notes describing a possible workaround. We have been following the releases and updates in details. With SecurityBridge Patch Management our customers have an optimal solution at hand to be informed promptly about the release and the relevance of a security fix.

If you follow our blog regularly, you will already know that we run a dedicated Log4j Newsticker.

The severity and danger posed by the Log4j 2 vulnerability should not be underestimated. Especially when exploitation guidance is published, an existing vulnerability becomes a major threat. After Log4j denied the security team and SAP experts enjoying a quiet holiday season, most of the fixes and mitigations actions should already be implemented. If you need help with this or need to pull in additional SAP expert advice, feel free to contact us.

Highlights (other than Log4j)

Unfortunately, the January SAP Patch Day not only deals with Log4j vulnerabilities . Besides collective note 3131047, 8 more security notes have been published. You should now also check these to understand if there is any relevance for your SAP system landscape.

(SNote 3112928) All customers using S4/HANA and the Create Single Payment application should take a look at this fix. Due to the vulnerability, it cannot be ensured that uploaded files are sufficiently checked and thus the possibility for attackers to possibly even introduce ransomware could arise.

(SNote 3123196) This correction updates a note previously published in December. We strongly recommend that you update the affected systems to prevent code from being injected.

(SNote 3124597) A medium rating is given for a vulnerability in SAP’s own Enterprise Threat Detection Product, that allows the attacker to make malicious entries using cross-site scripting.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 9 patches for the following severities:

Hot News
3131047[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 componentConsolidated Security Note list  (Product: Security Note #)SAP Customer Checkout: 3133772 SAP BTP Cloud Foundry: 3130578SAP Landscape Management: 3132198SAP Connected Health Platform 2.0 - Fhirserver: 3131824SAP HANA XS Advanced Cockpit : 3134531 (includes fix provided in 3131397, 3132822)SAP NetWeaver Process Integration (Java Web Service Adapter) : 3135581 (includes fix provided in 3132204, 3130521, 3133005)SAP HANA XS Advanced : 3131258Internet of Things Edge Platform : 3132922SAP BTP Kyma : 3132744SAP Enable Now Manager : 3132964SAP Cloud for Customer (add-in for Lotus notes client) : 3132074SAP Localization Hub, digital compliance service for India : 3132177SAP Edge Services On Premise Edition : 3132909SAP Edge Services Cloud Edition : 3132515SAP BTP API Management (Tenant Cloning Tool) : 3132162SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) : 3131691SAP Digital Manufacturing Cloud for Edge Computing : 3136094SAP Enterprise Continuous Testing by Tricentis :  3134139SAP Cloud-to-Cloud Interoperability : 3132058Reference Template for enabling ingestion and persistence of time series data in Azure : 3136988SAP Business One : 3131740
Hot News
3112928[CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANAAdditional CVE - CVE-2022-22530
Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106
3123196Update to Security Note released on December 2021 Patch Day:[CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
3101299[CVE-2021-42066] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
3106528[CVE-2021-44234] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
3124597[CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection
Product - SAP Enterprise Threat Detection, Version - 2.0
3112710[CVE-2022-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786
3121165Update to Security Note released on December 2021 Patch Day:[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise ViewerCVEs - CVE-2021-42068,CVE-2021-42070, CVE-2021-42069, CVE-2021-42069
Product - SAP 3D Visual Enterprise Viewer, Version - 9
3080816Update to Security Note released on December 2021 Patch Day:[CVE-2021-44233] Missing Authorization check in GRC Access Control
Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750


Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Security Automation: The Need for a Last Line of Defense

Join our upcoming webinar session on Security Automation with special guests from SecurityBridge and discover how you can automate your SAP security and compliance processes to improve your security posture and implement a last line of defence for your mission-critical SAP landscape.
Senior SAP Developer Singapore
As a Senior SAP Developer, you will be responsible for designing, developing, and maintaining SAP solutions while leading and guiding a team of developers. You will play a crucial role in the development of standard products, and your technical expertise and communication skills will be instrumental in ensuring the success of our projects. This role demands strong leadership, technical acumen, and the ability to collaborate effectively in an international development team.
Earlier this year, IBM presented its 18th edition of ‘The Cost of a Data Breach Report’ (you can find it here). This publication provides detailed and valuable insights into various factors related to data breaches. It is based on research carried out at 553 impacted organizations - any IT security professional should check it out. In this article, we will highlight some of this report’s findings and bring them into the context of SAP security.
We're hiring a financial controller/analyst
As a Controller/Financial Analyst at SecurityBridge, you will play a crucial role in managing and optimizing financial processes, ensuring accurate reporting, and providing strategic financial insights. This is an exciting opportunity for a detail-oriented professional to contribute to the financial success of the fastest-growing cybersecurity provider for SAP systems.