SAP releases April 2022 security updates
On April of 12th, SAP released 23 new security notes. Further, there were 10 updates to previously published Patch Day security notes. SAP released four security notes related to CVE-2022-22965, all rated as Hot News.
Tracked as CVE-2022-22965, the vulnerability dubbed Spring4Shell, affects Spring, the world’s most popular Java application development framework, and could lead to remote code execution. SAP has released Central Note 3170990, which summarizes all the results of the vulnerability in enterprise-critical SAP applications.
Along with several updates, some new vulnerabilities were discovered and fixed in SAP Web Dispatcher and Internet Communication Manager that existed in SAP NetWeaver ABAP/JAVA.
The rest are updates to the March 2021 security note. They address a code injection vulnerability in Manufacturing Integration and Intelligence (CVE-2021-21480).
SAP spied on employees
Service sector union Ver.di has unveiled an internal data breach at SAP. The leak affects the “SAP Interactive Broadcast” online service, which was developed internally. It is only accessible to SAP employees and is used for employee and works council meetings. The service also offered anonymous voting features.
However, according to the Ver.di group, the identity of the voter can be clearly identified. In addition, all information was automatically downloaded to all computers participating in meetings, and thus available to all workers.
“Traceability was trivial to establish. An experienced programmer could spot the error at first glance,” states Andreas Hahn, a member of the Ver.di works council.
SAP quickly halted traceability after Ver.di’s internal working group reported it to the internal cybersecurity department.