Skip to content

SAP Security Patch Day – January 2022

SAP security Patch day

On January 11, 2022, we celebrate the first SAP Security Patch Day of the year. We wish all those responsible for securing SAP a good and secure start in 2022. Unfortunately, the new year begins as the old year ended, with even more SAP vulnerabilities.

Log4j - Still a major concern?

Yesterday SAP published consolidated January patches, same as every 2nd Tuesday of a month. After the Log4j vulnerability, which also went by the name Log4Shell, most companies have been on tenterhooks. SAP has been publishing a collective advisory note, 3131047, titled “Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component”. It combines all fixes and recommendations in one central location. This is not only a very convenient approach for customers, it also highlights how far-reaching the impact of the vulnerability is, also for SAP customers.

Note 3131047 now contains 20 additional correction instructions and references 19 notes describing a possible workaround. We have been following the releases and updates in details. With SecurityBridge Patch Management our customers have an optimal solution at hand to be informed promptly about the release and the relevance of a security fix.

If you follow our blog regularly, you will already know that we run a dedicated Log4j Newsticker.

The severity and danger posed by the Log4j 2 vulnerability should not be underestimated. Especially when exploitation guidance is published, an existing vulnerability becomes a major threat. After Log4j denied the security team and SAP experts enjoying a quiet holiday season, most of the fixes and mitigations actions should already be implemented. If you need help with this or need to pull in additional SAP expert advice, feel free to contact us.

Highlights (other than Log4j)

Unfortunately, the January SAP Patch Day not only deals with Log4j vulnerabilities . Besides collective note 3131047, 8 more security notes have been published. You should now also check these to understand if there is any relevance for your SAP system landscape.

(SNote 3112928) All customers using S4/HANA and the Create Single Payment application should take a look at this fix. Due to the vulnerability, it cannot be ensured that uploaded files are sufficiently checked and thus the possibility for attackers to possibly even introduce ransomware could arise.

(SNote 3123196) This correction updates a note previously published in December. We strongly recommend that you update the affected systems to prevent code from being injected.

(SNote 3124597) A medium rating is given for a vulnerability in SAP’s own Enterprise Threat Detection Product, that allows the attacker to make malicious entries using cross-site scripting.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The January release contains a total of 9 patches for the following severities:

Severity Number
Hot News
1
High
2
Medium
5
Low
5
Note Description Severity CVSS
3131047 [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 componentConsolidated Security Note list  (Product: Security Note #)SAP Customer Checkout: 3133772 SAP BTP Cloud Foundry: 3130578SAP Landscape Management: 3132198SAP Connected Health Platform 2.0 - Fhirserver: 3131824SAP HANA XS Advanced Cockpit : 3134531 (includes fix provided in 3131397, 3132822)SAP NetWeaver Process Integration (Java Web Service Adapter) : 3135581 (includes fix provided in 3132204, 3130521, 3133005)SAP HANA XS Advanced : 3131258Internet of Things Edge Platform : 3132922SAP BTP Kyma : 3132744SAP Enable Now Manager : 3132964SAP Cloud for Customer (add-in for Lotus notes client) : 3132074SAP Localization Hub, digital compliance service for India : 3132177SAP Edge Services On Premise Edition : 3132909SAP Edge Services Cloud Edition : 3132515SAP BTP API Management (Tenant Cloning Tool) : 3132162SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) : 3131691SAP Digital Manufacturing Cloud for Edge Computing : 3136094SAP Enterprise Continuous Testing by Tricentis :  3134139SAP Cloud-to-Cloud Interoperability : 3132058Reference Template for enabling ingestion and persistence of time series data in Azure : 3136988SAP Business One : 3131740
Hot News
10
3112928 [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANAAdditional CVE - CVE-2022-22530
Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106
High
8.7
3123196 Update to Security Note released on December 2021 Patch Day:[CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP
Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
High
8.4
3101299 [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
Medium
6.6
3106528 [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One
Product - SAP Business One, Version - 10
Medium
6.5
3124597 [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection
Product - SAP Enterprise Threat Detection, Version - 2.0
Medium
6.1
3112710 [CVE-2022-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform
Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786
Medium
4.3
3121165 Update to Security Note released on December 2021 Patch Day:[Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise ViewerCVEs - CVE-2021-42068,CVE-2021-42070, CVE-2021-42069, CVE-2021-42069
Product - SAP 3D Visual Enterprise Viewer, Version - 9
Medium
4.3
3080816 Update to Security Note released on December 2021 Patch Day:[CVE-2021-44233] Missing Authorization check in GRC Access Control
Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750
Low
2.4

Source

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

SAP Security Customer Event 2024 – Hosted by SecurityBridge, Accenture & bowbridge

The premier SAP Security Customer event is back and better than ever. We’re thrilled to invite you to our ‘Secure Together’ event, set against the breathtaking backdrop of the Euromast in Rotterdam, the Netherlands.
hacking
In SAP’s patch round of February 2022, an SAP Security Note was released with a CVSS score of 10/10 named, “Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher”. This particular type of vulnerability is not common in SAP systems and therefore interesting to look at. As patching the SAP kernel executables is often not done promptly, we can expect this vulnerability present in the customer’s systems for quite some time.
code pc
In one of our recent articles, we pointed out the use of Access Control Lists (ACLs) to better manage access control. Below, we will show a practical example of how this can be done for inbound HTTP communication with the ‘Internet Communication Manager’ (ICM) component of an SAP system.
SAP Security Patch Tuesday 2024
For February 2024, 13 new Security Notes have been released and 3 have been updated. Lets look at some highlights, starting with the ‘HowNews’ notes.