SAP News Overview for January 2022 – Financial results for 2021, Security updates, Critical vulnerability affected supply chain
Critical SAP Vulnerability Allows Supply Chain Attacks
A critical vulnerability was discovered in SAP NetWeaver AS ABAP and ABAP Platform that could be used by attackers to launch supply chain attacks. SAP has already fixed the issue in a released patch.
The issue was assigned the ID CVE-2021-38178 and a score of 9.1 on the CVSS scale. Experts believe the root cause of the vulnerability is improper authorization, which allows attackers to tamper with transport requests. Standard SAP deployments include a program that allows employees with a certain level of authorization to change the header attributes of SAP transport requests.
As a result, a cybercriminal or an insider with the appropriate rights can change the status of a request from "Released" back to "Modifiable". An attacker can then add a payload that runs after the request is imported into the target system, which opens up the possibility of supply chain attacks.
CVE-2021-38178 affects all SAP environments in which the same transport directory is shared by several systems of the landscape. Organizations are encouraged to install the released patches.
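One defensive check this description suggests is an audit of transport request headers for signs of post-release tampering: a request whose status went back to "Modifiable" after it was released, a header changed after its release time, or objects that appear in the request but not in the object list recorded when it was released. The following Python is an added example written for this page, not SAP's code; the record layout, field names and sample requests are constructed for illustration and do not mirror SAP's transport tables.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Optional

RELEASED, MODIFIABLE = "Released", "Modifiable"


@dataclass
class TransportHeader:
    """Constructed model of a transport request header (not SAP's layout)."""
    request: str
    status: str                          # RELEASED or MODIFIABLE
    released_at: Optional[datetime]      # first release time, None if never released
    last_changed: datetime               # last header modification time
    objects: List[str] = field(default_factory=list)            # current object list
    objects_at_release: Optional[List[str]] = None              # snapshot taken at release


def audit_transport(h: TransportHeader) -> List[str]:
    """Return the reasons a released request looks tampered with; empty if clean."""
    findings: List[str] = []
    if h.released_at is None:
        return findings  # never released: normal development state, nothing to compare
    if h.status == MODIFIABLE:
        findings.append("status reverted to Modifiable after release")
    if h.last_changed > h.released_at:
        findings.append("header changed after release timestamp")
    if h.objects_at_release is not None:
        added = sorted(set(h.objects) - set(h.objects_at_release))
        if added:
            findings.append("objects added after release: " + ", ".join(added))
    return findings


def audit_all(headers: List[TransportHeader]) -> Dict[str, List[str]]:
    """Map request id -> findings for every request that has at least one finding."""
    return {h.request: r for h in headers if (r := audit_transport(h))}


# Constructed sample: one clean release, one reverted and extended request,
# one never-released request, and one re-released after objects were added.
SAMPLE = [
    TransportHeader("DEVK900001", RELEASED, datetime(2022, 1, 5, 10, 0), datetime(2022, 1, 5, 10, 0),
                    ["R3TR PROG ZREPORT"], ["R3TR PROG ZREPORT"]),
    TransportHeader("DEVK900002", MODIFIABLE, datetime(2022, 1, 6, 9, 0), datetime(2022, 1, 7, 14, 30),
                    ["R3TR PROG ZREPORT", "R3TR PROG ZPAYLOAD"], ["R3TR PROG ZREPORT"]),
    TransportHeader("DEVK900003", MODIFIABLE, None, datetime(2022, 1, 8, 11, 0), ["R3TR TABL ZCONFIG"]),
    TransportHeader("DEVK900004", RELEASED, datetime(2022, 1, 6, 8, 0), datetime(2022, 1, 8, 16, 45),
                    ["R3TR PROG ZEXPORT", "R3TR PROG ZEXTRA"], ["R3TR PROG ZEXPORT"]),
]
```

Run `audit_all(SAMPLE)` over headers exported from each shared transport directory; the fourth sample shows why the object-list snapshot matters, since a request that was re-released after tampering carries a clean "Released" status again.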
SAP releases January 2022 security updates
On January 12, SAP released the first security updates for 2022, including fixes for further applications affected by the Log4Shell vulnerability. Last month, after discovering 32 applications using the vulnerable Apache Log4j library, the company released patches for 20 of them. In January 2022 SAP published a security note that summarizes all security notes issued for Log4Shell. A total of 26 such notes have been released to date, fixing the bug in 21 applications.
SAP announced a total of 11 new Patch Day Security Notes, plus 16 additional security notes and three updates to previously released security notes.
Apart from Log4j, another important security note (CVSS score of 8.7) posted by SAP this week concerns a cross-site scripting (XSS) and code injection vulnerability in S/4HANA, which exists because the application does not validate uploaded and downloaded files.
SAP also fixed a couple of information disclosure vulnerabilities in Business One, an XSS bug in Enterprise Threat Detection, and an information disclosure vulnerability in NetWeaver Application Server for ABAP and the ABAP Platform, all of medium severity. In addition, the company updated three security notes released on the December 2021 Patch Day.
SAP ended the year with a 2% increase in sales
SAP announced preliminary financial results for the fourth quarter and full year 2021. In 2021 SAP's revenue was 27.84 billion euros, 2% more than in the previous year. Sales of software and cloud solutions over the same period increased by 3% and exceeded 24 billion euros. The cloud business brought the company 9.42 billion euros of revenue, 17% more than a year ago.
SAP's net profit for 2021 was 5.38 billion euros, up 2% from the previous year.
SAP is now actively attracting customers to its flagship product S/4HANA, competing with such giants as Oracle and Salesforce.com. In October-December 2021, cloud SAP S/4HANA revenue reached 329 million euros, 65% more than a year ago. For the whole of 2021, this revenue grew by 46%, to 1.09 billion euros.
In the fourth quarter of 2021, SAP signed contracts with such large companies as Adobe, Panasonic, IBM, Allianz Technology, CVS, Unipart Group, Samsung SDS, and Siemens.