On the 12th of April 2021, SAP Security Patch Day saw the release of 20 new Security Notes.
There was 1 update to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 5 |
| Correction with high priority | 3 |
| Correction with medium priority | 12 |
| Correction with low priority | 1 |
Highlights
On April Patch Day SAP presents 8 high-severity Notes with 5 of them rated as HotNews.
Usual update of a 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10 starts our list today – an update of the Note released on August 2018. Another Security Note 3022622 – Code injection vulnerability in SAP Manufacturing Integration and Intelligence (CVSS Score of 9.1), was updated from March: 3158613 Security Note now could be used as the complete fix to implement.
Remote Code Execution vulnerability in SAP HANA Extended Application Services was explained in 3189428 Security Note – Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services (CVSS Score of 9.8).
3170990 Security Note – Central Security Note for Remote Code Execution vulnerability associated with Spring Framework (CVSS Score of 9.8) – may be considered as central Note for Remote Code Execution vulnerability associated with Spring Framework. It is expected that this note will be updated with additional components.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-XS-SEC | 3189428 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| MFG-MII | 3158613 | Update 1 to Security Note 3022622 – [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | 9.1 | HotNews | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BI-BIP-CMC | 3130497 | [CVE-2022-27671] CSRF token visible in one of the URL in SAP Business Intelligence Platform. | 8.2 | Correction with high priority | CVSS:/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H |
| BC-CST-WDP | 3111311 | [CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CEC-COM-CPS | 3155609 | Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce | 7 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BI-BIP-ADM | 3137191 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| EP-PIN-WPC | 3148377 | [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| BC-SYB-SQA | 3148094 | [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| CA-VE-VEV | 3143437 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | 6.5 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| EP-PIN-PRT | 3163583 | [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-DEV-WEB | 3055044 | [CVE-2022-28213] Missing XML Validation vulnerability in SAP BusinessObjects Business Intelligence Platform (dswsbobje – SOAP Web services) | 5.4 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:L |
| BC-ILM-DAS | 3152442 | [CVE-2022-27669] Missing Authentication check in XML Data Archiving Service | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| BC-CST-WDP | 3111293 | [CVE-2022-28773] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) | 4.9 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:N/I:N/A:H |
| BI-BIP-BIW | 3150845 | [CVE-2022-28216] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI Workspace) | 4.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| XX-PART-ADB-IFM | 3138299 | [CVE-2021-44832] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0) | 4.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:L/I:L/A:L |
| SV-FRN-INF-SDA | 3159091 | [CVE-2022-27657] Directory Traversal vulnerability in SAP Focused Run (Simple Diagnostics Agent 1.0) | 2.7 | Correction with low priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
