SAP Security Patch Day – July 2022
Tuesday 12th July 2022 is yet another SAP Security Patch Day. The SAP Response Team releases corrections and instructions to address vulnerabilities across the SAP SE product portfolio. This patching Tuesday SAP released 22 security updates. The complete list with direct links to the SAP Support Portal can be found below.
A quick glance at the July list shows that no SAP vulnerabilities were fixed that are considered Hot News. In SAP parlance, “Hot News” is used for all fixes that have a CVSS between 9.1 and 10. That’s good news for now!
Nevertheless, we can’t avoid taking a closer look at the publications. By the way, all SAP customers should do this, even if it requires some time and expert knowledge month after month. In July, we see 4 advisories with severity level High, 17 with severity Medium and one classified as Low severity, summing up to a total of 19 corrections which awaited our review.
Today we can start with what we do not find: our old acquaintance, the security updates for the Google Chromium engine in the SAP Business Client, which were always rated CVSS 10, are absent this month. Customers using SAP NetWeaver Enterprise Portal and SAP BusinessObjects in particular should pay attention to this SAP Security Patch Day, because most of the fixes relate to these two products.
SAP NetWeaver Enterprise Portal
SAP NetWeaver Portal also known as Enterprise Portal (EP) is one of the components of the NetWeaver architecture. The on-premise SAP portal solution offers a single point of access to SAP information sources inside your organization. The Enterprise Portal can be accessed from desktops and from mobile devices such as smartphones or tablets.
We count a total of 6 security corrections that deal with Cross-Site Scripting (XSS) vulnerabilities in SAP NetWeaver Enterprise Portal. Since this solution communicates not only internally but also over unprotected networks, we strongly recommend you check the fixes that have been rated CVSS 6.1. Needless to say, publicly accessible SAP NetWeaver Enterprise Portal instances must be prioritized. Threat actors can find such SAP instances with a simple Google search query, “inurl:/irj/portal”, as described on the Exploit-Database page.
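To turn the triage rule above (publicly reachable Enterprise Portal instances first, then everything else by score) and the SAP severity bands into something repeatable, here is a small added example; it is not code from the original post or from SAP. The “Hot News” threshold of CVSS 9.1 is taken from the post; the High/Medium/Low floors follow the CVSS v3 qualitative scale and are an assumption here. The note list is constructed: only SAP Note 3221288 (8.3) and the 6.1 rating of the Enterprise Portal XSS fixes come from the post, the `EXAMPLE-*` note ids are placeholders, and the `exposed` flag is something you would fill in from your own landscape inventory.

```python
"""Added example (not from the original post): triage a constructed list of
SAP Security Notes by SAP severity band and by network exposure, so that the
publicly reachable Enterprise Portal fixes surface first."""
from dataclasses import dataclass

# Severity bands as (name, lower bound). "Hot News" = CVSS 9.1-10 as stated in
# the post; the other three floors follow the CVSS v3 qualitative scale and are
# an assumption in this example.
BANDS = (("Hot News", 9.1), ("High", 7.0), ("Medium", 4.0), ("Low", 0.1))


def severity_band(cvss: float) -> str:
    """Map a CVSS base score to the severity label used on SAP Patch Day."""
    if not 0.0 <= cvss <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss}")
    for name, floor in BANDS:
        if cvss >= floor:
            return name
    return "None"


@dataclass(frozen=True)
class Note:
    note_id: str   # SAP Note number; placeholders below except 3221288
    product: str
    cvss: float
    exposed: bool  # True if the affected system is reachable from untrusted networks


def priority(note: Note) -> tuple:
    """Sort key: internet-exposed systems first, then descending CVSS."""
    return (not note.exposed, -note.cvss)


def triage(notes):
    """Return the notes in the order they should be worked."""
    return sorted(notes, key=priority)


def summary_by_severity(notes) -> dict:
    """Count notes per severity band, e.g. {'High': 1, 'Medium': 2}."""
    counts = {}
    for n in notes:
        band = severity_band(n.cvss)
        counts[band] = counts.get(band, 0) + 1
    return counts


# Constructed sample landscape. Exposure flags are invented for illustration.
SAMPLE = [
    Note("3221288", "SAP BusinessObjects BI Platform (CMC)", 8.3, exposed=False),
    Note("EXAMPLE-1", "SAP NetWeaver Enterprise Portal", 6.1, exposed=True),
    Note("EXAMPLE-2", "SAP NetWeaver Enterprise Portal", 6.1, exposed=False),
    Note("EXAMPLE-3", "SAP Business Client", 3.0, exposed=False),
]

if __name__ == "__main__":
    for n in triage(SAMPLE):
        print(f"{n.note_id:10} {severity_band(n.cvss):9} {n.cvss:4} "
              f"exposed={n.exposed!s:5} {n.product}")
    print(summary_by_severity(SAMPLE))
```

The sort key deliberately puts exposure before score: an internet-facing portal with a 6.1 XSS outranks an internal 8.3 information disclosure in this ordering, which is the point the paragraph makes. If your organization weights differently, change `priority` rather than the data.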
BusinessObjects was acquired by SAP in 2007. SAP BO is often used to create high-level reports based on interaction with dashboards and scorecards (interactive reports). Typically, the report data is sourced from SAP Business Warehouse (BW).
Again, we count 6 fixes that revolve around SAP BusinessObjects (BO), among them the one with the highest severity this month (8.3), SAP Note 3221288: Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central Management Console). For the most part, these are “information disclosure” vulnerabilities. But what does information disclosure mean?
Information disclosure, also known as information leakage, occurs when an application or website unintentionally reveals sensitive information to its users. Depending on the context, enterprise-critical SAP applications in particular can disclose all sorts of information to a potential attacker, including:
- data about users and business partners, including financial information
- sensitive commercial data and trade secrets
- but also technical details about the application or infrastructure.
Summary by Severity
The July release contains a total of 22 patches for the following severities: