Skip to content

SAP Security Patch Day – July 2022

SAP security Patch day

Tuesday 12th July 2022 is yet another SAP Security Patch Day. The SAP Response Team releases corrections and instructions to address vulnerabilities across the SAP SE product portfolio. This patching Tuesday SAP released 22 security updates. The complete list with direct links to the SAP Support Portal can be found below.

SAP Security Patches June 2022

A quick glance at the July list shows that no SAP vulnerabilities were fixed that are considered Hot News. In SAP parlance, “Hot News” is used for all fixes that have a CVSS between 9.1 and 10. That’s good news for now!

Nevertheless, we can’t avoid taking a closer look at the publications. By the way, all SAP customers should do this, even if it requires some time and expert knowledge month after month. In July, we see 4 advisories with severity level High, 17 with severity Medium and one classified as a Low severity – summing up to total of 19 corrections, which awaited our review.

Highlights

Today we can start with what we do not find. Namely, we miss our old acquaintance the security updates in the Google Chromium Engine of the SAP Business Client, which was always rated with CVSS 10. Especially customers using the products SAP NetWeaver Enterprise Portal and SAP BusinessObjects should pay attention to this SAP Security Patch Day, because most of the fixes are related to these SAP products.

SAP NetWeaver Enterprise Portal

SAP NetWeaver Portal also known as Enterprise Portal (EP) is one of the components of the NetWeaver architecture. The on-premise SAP portal solution offers a single point of access to SAP information sources inside your organization. The Enterprise Portal can be accessed from desktops and from mobile devices such as smartphones or tablets.

We count a total of 6 security corrections that deal with Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver Enterprise Portal. Since this solution communicates not only internally, but also in unprotected networks, we strongly recommend you check the fixes that have been rated with CVSS 6.1. Not necessary to emphasize that the public accessible SAP NetWeaver Enterprise Portal must be prioritized. Threat actors can find such SAP instances using a simple Goolge-Search query “inurl:/irj/portal” as described on the Exploit-Database page.

SAP BusinessObjects

Business Objects was purchased by SAP in 2007.  SAP BO is often used to create high level reports based on the interaction (Interactive reports) generated by using dashboards and score cards. Typically, the report data is sourced from SAP Business Warehouse (BW).

Again, we count 6 fixes that revolve around SAP BusinessObjects (BO). Among them also the one with the highest severity (8.3), SNote 3221288: Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console). For the most part, “information disclosure” vulnerabilities are corrected. But what does information disclosure mean?

Information disclosure, also known as information leakage, occurs when an application or website unintentionally discloses sensitive information to its users. Depending on the context, especially enterprise critical SAP applications can disclose all sorts of information to a potential attacker, including

  • Data about users and business partners including financial information
  • Sensitive commercial data and trade secrets
  • but also technical details about the application or infrastructure.

Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.

Summary by Severity

The July release contains a total of 22 patches for the following severities:

Severity Number
Hot News
0
High
4
Medium
17
Low
1
Note Description Severity CVSS
3220746 [CVE-2022-35171] Improper Input Validation in SAP 3D Visual Enterprise Viewer
Priority: Correction with low priority
Released on: 12.07.2022
Components: CA-VE-VEV
Category: Program error
Low 3,3
3216161 [CVE-2022-32248] Missing Input Validation in Manage Checkbooks component of SAP S/4HANA
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-FIO-AP
Category: Program error
Medium 4,3
3213826 [CVE-2022-31597] Missing Authorization check in SAP S/4HANA(business partner extension for Spain/Slovakia)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: FI-LOC-FI-ES
Category: Correction of legal function
Medium 5,4
3212997 [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,6
3211760 [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-WPC
Category: Program error
Medium 6,1
3211203 [CVE-2022-35168] Denial of Service vulnerability in SAP Business One
Priority: Correction with medium priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
Medium 4,3
3210779 [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-GPA
Category: Program error
Medium 6,1
3209557 [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-TOL
Category: Program error
Medium 6,1
3208880 [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-PRT
Category: Program error
Medium 6,1
3208819 [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-AI
Category: Program error
Medium 6,1
3207902 [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
Priority: Correction with medium priority
Released on: 12.07.2022
Components: EP-PIN-URL
Category: Program error
Medium 6,1
3157613 [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API)
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,5
3196280 [CVE-2022-31592] Missing Authorization check in EA-DFPS
Priority: Correction with medium priority
Released on: 12.07.2022
Components: IS-DFS-MM
Category: Program error
Medium 4,3
3191012 [CVE-2022-31593] Code Injection vulnerability in SAP Business One
Priority: Correction with high priority
Released on: 12.07.2022
Components: SBO-CRO-SEC
Category: Program error
High 7,4
3169239 [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-ADM
Category: Program error
Medium 6,5
3167430 [CVE-2022-31591] Privilege Escalation vulnerability in SAP BusinessObjects (BW Publisher Service)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-IK-PAR-SAP
Category: Program error
Medium 5,6
3221288 [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)
Priority: Correction with high priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
High 8,3
3213279 [CVE-2022-31598] Cross-Site Scripting (XSS) vulnerability in SAP Business Objects
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-CMC
Category: Program error
Medium 5,4
3203079 [CVE-2022-32246] SQL Injection vulnerability in SAP BusinessObjects Business Intelligence Platform (Visual Difference Application)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-VD
Category: Program error
Medium 5,4
3194361 [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (LCM)
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BI-BIP-SRV
Category: Program error
Medium 6,0
3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium 4,9
3150463 Information Disclosure vulnerability in ABAP Platform
Priority: Correction with medium priority
Released on: 12.07.2022
Components: BC-MID-RFC
Category: Program error
Medium 4,9

Posted by

Christoph Nagy
Find recent Security Advisories for SAP©
Download the White Paper “Bridging the Gap – How SecurityBridge Supports NIST CSF in SAP Environments”. Learn how choosing the right tool can significantly shorten the journey of NIST CSF adoption and improve the security posture of SAP environments.

Webcast – Protect your SAP from Ransomware Attacks

We cordially invite you to participate in our webcast on April 10th at 14:30 CET. This exclusive event is a joint initiative of SecurityBridge in cooperation with BowBridge and Log2 and will allow you to listen to exciting insights from top-class experts.
Sales & Partner Manager APAC Singapore
We are expanding our operation in the APAC region and are looking for an experienced Sales & Partner Manager to join our team in Singapore. The ideal candidate will have at least 5 years of experience in sales, with a focus on software sales, SAP security, or cybersecurity.
Pre-Sales Consultant APAC Singapore
As a Pre-Sales Consultant at SecurityBridge, you will be instrumental in our rapid expansion within the APAC region. You will directly contribute to the growth of our innovative SAP security solution, SecurityBridge.