SAP Security Notes - April 2022 - Safe O'Clock

SAP Security Notes – April 2022

April 12, 2022

On April 12th, SAP released 24 new security notes. In addition, 10 previously released notes were updated.

Notes by severity

HotNews — 8

Correction with high priority — 7

Correction with medium priority — 17

Correction with low priority — 2

Highlights

The first critical note is an update of note 2622660 (CVSS Score 10) “Security updates for the browser control Google Chromium delivered with SAP Business Client”, re-released with updated ‘Solution’ and ‘Support Packages & Patches’ information.

The next note with CVSS Score 10 is the updated February note 3123396 “[CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher”. This vulnerability allows an unauthenticated attacker to completely compromise the Confidentiality, Integrity and Availability of the system. The note contains a Workaround, but you need to evaluate its applicability for your SAP landscape.

Note 3022622 from the March 2021 Patch Day, “[CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence” with CVSS Score 9.9, was updated. The solution in that note is now considered obsolete and no longer valid. For a complete fix, you need to implement SAP security note 3158613, which is also part of this Patch Day with CVSS Score 9.1.

A Remote Code Execution vulnerability in Spring Framework has been closed for a number of products. The central note summarizing all of them, with CVSS Score 9.8, is 3170990 “[CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework”. Read this note to find out which products are affected by the vulnerability.

Note 3080567 with CVSS Score 8.9, fixing the HTTP Request Smuggling vulnerability in SAP Web Dispatcher, has been updated since the September 2021 Patch Day: the ‘Support Packages & Patches’ section was updated, and Kernel 7.22 was updated with Emergency SP Stack Kernel PL1101 information. The February 2022 note 3123427 “HTTP Request Smuggling in SAP NetWeaver Application Server Java” with CVSS Score 8.1 was updated along the same lines.

For SAP BusinessObjects, 2 critical vulnerabilities are closed: note 3130497 with CVSS Score 8.2 (disclosure of information due to a CSRF token exposed in some URLs) and note 2998510 with CVSS Score 8.2 (disclosure of credentials when updating the CMS).

Note 3149805 with CVSS Score 8.2 – [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori – has been updated since the last Patch Day. The note was re-released with an updated ‘Validity’ section: the validity of the correction instruction was extended to SAP_UI 753.

Note 3111311 with CVSS Score 7.5 – [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) – has been closed. The note contains a Workaround if the update is not possible.

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-IC | 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-XS-SEC | 3189428 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP HANA Extended Application Services | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| IS-SE-CCO | 3187290 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Checkout | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-SYB-PD | 3189429 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in PowerDesigner Web (up to and including 16.7 SP05 PL01) | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| MFG-MII | 3022622 | [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| MFG-MII | 3158613 | Update 1 to Security Note 3022622 – [CVE-2021-21480] Code injection vulnerability in SAP Manufacturing Integration and Intelligence | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-WDP | 3080567 | [CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher | high | 8.9 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:L |
| BI-BIP-CMC | 3130497 | [CVE-2022-27671] CSRF token visible in one of the URLs in SAP Business Intelligence Platform | high | 8.2 | CVSS:/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:H/A:H |
| CA-FLP-FE-COR | 3149805 | [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad | high | 8.2 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N |
| BC-CST-IC | 3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java | high | 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-CST-WDP | 3111311 | [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager) | high | 7.5 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| CEC-COM-CPS | 3155609 | Privilege escalation vulnerability in Apache Tomcat server component of SAP Commerce | high | 7 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BI-BIP-ADM | 3137191 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform | medium | 6.8 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| CA-VE-VEV | 3143437 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 6.5 | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L |
| BC-SYB-SQA | 3148094 | [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| EP-PIN-WPC | 3148377 | [CVE-2022-28217] Missing XML Validation vulnerability in SAP NW EP WPC | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| CA-UI5-COR-FND | 3163703 | Multiple Vulnerabilities in URI.js bundled with SAPUI5 | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-PRT | 3163583 | [CVE-2022-26105] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| CA-GTF-VBZ | 3126557 | [CVE-2022-28770] Cross-Site Scripting (XSS) vulnerability in SAPUI5 (vbm library) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |