SAP Security Patch Day – September 2022
Chapters
Share Article
September 13th, 2022 – This means another SAP Security Patch Day on the calendar of SAP customers. It may be a coincidence but today is also the Day of the Programmer. Everyone was waiting for the next patch day, especially because the August edition was moderate in comparison. Many expected the worst. However, it didn’t get quite that bad.
SAP Security Patches September 2022
Today’s SAP Security Patch Day September 2022 release contains 8 new security advisories and 5 updates which sums up to a total of 13, according to SAP’s counting method.
However, when we check the SAP Security Portal -like we all do- we find 14 notes.
At the same time, we noticed that the well-known and continuously updated note 2622660 for the Google Chromium engine in the SAP Business Client in the SAP Security Portal wasn’t assigned to today’s release date. Our theory is that the SAP experts forgot to update the “Released On” date in the portal at the time of publication.
All notes having a “First Released On” and a “Released On” date back up our theory. The first timestamp is assigned by SAP staff when the note sees the light of day. The latter one is updated whenever the note receives an update.
Unfortunately, the saying “Many roads lead to Rome” does not apply to SAP Security Notes because you get different results via the various paths. By the way, the correct result is 16 because 16 SAP security patches were released today. You can find the complete list in our article.
It is important to check and apply the correct notes or patches. If you overlook a security fix, you can put your company at unnecessary risk. In this article we explain how to use the SAP OneLaunchpad Expert search.
Use SecurityBridge Patch Management to never miss an important patch, applicable for your SAP products.
Summary by Severity
The September release contains a total of 16 patches for the following severities:
| Severity | Number |
|---|---|
|
Hot News
|
1 |
|
High
|
6 |
|
Medium
|
9 |
| Note | Description | Severity | CVSS |
|---|---|---|---|
| 2622660 | Update to Security Note released on April 2018 Patch Day:Security updates for the browser control Google Chromium delivered with SAP Business Client Priority: Hot News priority Released on: 23.08.2022 Components: BC-FES-BUS-DSK Category: Program error |
Hot News | 10,0 |
| 3102769 | Update to Security Note released on December 2021 Patch Day:[CVE-2021-42063]Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse Priority: Correction with high priority priority Released on: 23.08.2022 Components: KM-KW-HTA Category: Program error |
High | 8,8 |
| 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One Priority: Correction with high priority Released on: 13.09.2022 Components: SBO-CRO-SEC Category: Program error |
High | 7,8 |
| 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal
(KMC) Priority: Correction with medium priority Released on: 13.09.2022 Components: EP-KM-FWK-CF Category: Program error |
Medium | 6,1 |
| 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform
(CMC) Priority: Correction with high priority Released on: 13.09.2022 Components: BI-BIP-SRV Category: Program error |
High | 7,7 |
| 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix Priority: Correction with medium priority Released on: 13.09.2022 Components: BC-CCM-MON-OS Category: Program error |
Medium | 6,7 |
| 3198137 | Update 1 to Security Note 3165333 - [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP
Server and ABAP Platform Priority: Correction with medium priority Released on: 13.09.2022 Components: BC-MID-ICF Category: Program error |
Medium | 4,7 |
| 3126968 | Information Disclosure vulnerability in SAP CRM WebClient Priority: Correction with medium priority Released on: 13.09.2022 Components: CA-WUI-UI-TAG Category: Program error |
Medium | 4,3 |
| 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence
Update Priority: Correction with high priority Released on: 10.05.2022 Components: BI-BIP-INS Category: Program error |
High | 7,8 |
| 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access
Management Priority: Correction with high priority Released on: 13.09.2022 Components: GRC-SAC-EAM Category: Program error |
High | 7,1 |
| 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within
the Fiori Launchpad) Priority: Correction with medium priority Released on: 13.09.2022 Components: BC-FES-WGU Category: Program error |
Medium | 6,1 |
| 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile
Application(Android & iOS) Priority: Correction with high priority Released on: 26.07.2022 Components: LOD-SF-EC Category: Program error |
High | 8,1 |
| 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN Priority: Correction with medium priority Released on: 13.09.2022 Components: QM-QN Category: Program error |
Medium | 6,3 |
| 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server
ABAP Priority: Correction with medium priority Released on: 13.09.2022 Components: BC-FES-WGU Category: Program error |
Medium | 5,4 |
| 3165333 | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform Priority: Correction with medium priority Released on: 12.04.2022 Components: BC-MID-ICF Category: Program error |
Medium | 4,7 |
| 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform Priority: Correction with medium priority Released on: 12.07.2022 Components: BC-MID-RFC Category: Program error |
Medium | 4,9 |