SAP Security Notes – December 2022

December 13, 2022

On the 13th of December 2022, SAP Security Patch Day saw the release of 15 new Security Notes.

There was 3 update to previously released Patch Day Security Notes.

Notes by severity

HotNews	5
Correction with high priority	4
Correction with medium priority	9
Correction with low priority	0

Highlights

On December Patch Day, the last one for this year, SAP presents 9 high-severity Notes with 5 of them rated as HotNews. Please see our overview on these.

Starting the list of HotNews for today, we have 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10. With the added new iteration of an update to the list of support packages, this Note solution should be considered essential to implement.

Any file on Business Objects server could be replaced or edited even with user privileges through the vulnerability described in the Note 3239475 – Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform. With a CVSS Score of 9.9, the solution steps presented in this Note must be overviewed as the BOBJ is the standard part of client environments. Another Note dedicated to BOBJ security is 3229132 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CVSS Score of 8.2) – the Note was re-released with updated solution information about suitable workarounds.

SAP Commerce receives two security patches today: Security Note 3271523 – Remote Code Execution vulnerability associated with Apache Commons Text (CVSS Score of 9.8). Apache Commons Text versions could become the target for malicious remote code execution without the presented solution. The next is Security Note 3248255 with a CVSS Score of 8.0. It describes the vulnerability based on the inputs from untrusted sources, which could be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack.

User Defined Search and Messaging System of SAP NetWeaver get the specific mitigation steps this Patch Day: Note 3267780 – Improper access control in SAP NetWeaver Process Integration (CVSS Score of 9.4). Another HotNews patch brought to life is 3273480 Security Note – Improper access control in SAP NetWeaver Process Integration with a CVSS Score of 9.9.

For SAP BASIS: Note 3268172 – Code Injection vulnerability in SAP BASIS with CVSS Score of 8.8. An attacker could execute any of its public methods with any desirable parameters using the access system class through the unrestricted scope of the RFC function module.

The last to cover in our digest is Note 3271091 – Privilege escalation vulnerability in SAP Business Planning and Consolidation (CVSS Score of 8.5). Through the usage of transaction codes reserved for customer, an attacker could obtain the benefit of unauthorised transaction functionality for the further escalation of privileges.

Summary

SAP Component	Number	Description	Priority	CVSS	CVSS Vector
BC-FES-BUS-DSK	2622660	Security updates for the browser control Google Chromium delivered with SAP Business Client	HotNews	10.0	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BI-BIP-SRV	3239475	[CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform	HotNews	9.9	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-XI-CON-UDS	3273480	[CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search)	HotNews	9.9	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CEC-COM-CPS-COR	3271523	Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce	HotNews	9.8	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-XI-CON-MSG	3267780	[CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System)	HotNews	9.4	CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
BC-DB-HDB-POR	3268172	[CVE-2022-41264] Code Injection vulnerability in SAP BASIS	high	8.8	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPM-BPC-NW	3271091	[CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation	high	8.5	CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
BI-BIP-ADM	3229132	[CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects)	high	8.2	CVSS:/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CEC-COM-CPS	3248255	[CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce	high	8.0	CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPM-DSM-GEN	3266846	[CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management	medium	6.5	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-BSP	3258950	Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application)	medium	6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-EIM-ESH	3271313	[CVE-2022-41275] Open redirect in SAP Solution Manager (Enterprise Search)	medium	6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-JAS-WEB	3262544	[CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service)	medium	6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-BSP	2872782	[CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP вЂ“ Business Server Pages Test Application IT00	medium	6.1	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SV-SMG-DIA-SRV-AGT	3265173	[CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent)	medium	6.0	CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BI-RA-WBI	3249648	[CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence)	medium	4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SRM-ESO-SEC	3270399	[CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management	medium	4.3	CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CA-MDG-APP-CUS	3234755	Information Disclosure vulnerability in Master Data Governance	medium	4.3	CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N