SAP Security Notes - December 2022 - Safe O'Clock

SAP Security Notes – December 2022

December 13, 2022

On the 13th of December 2022, SAP Security Patch Day saw the release of 15 new Security Notes.

There was 3 update to previously released Patch Day Security Notes. 

Notes by severity

HotNews 5
Correction with high priority 4
Correction with medium priority 9
Correction with low priority 0

Highlights

On December Patch Day, the last one for this year, SAP presents 9 high-severity Notes with 5 of them rated as HotNews. Please see our overview on these. 

Starting the list of HotNews for today, we have 2622660 Security Note – Security updates for the browser control Google Chromium delivered with SAP Business Client with a CVSS Score of 10. With the added new iteration of an update to the list of support packages, this Note solution should be considered essential to implement.

Any file on Business Objects server could be replaced or edited even with user privileges through the vulnerability described in the Note 3239475Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform. With a CVSS Score of 9.9, the solution steps presented in this Note must be overviewed as the BOBJ is the standard part of client environments. Another Note dedicated to BOBJ security is 3229132Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CVSS Score of 8.2) – the Note was re-released with updated solution information about suitable workarounds.

SAP Commerce receives two security patches today: Security Note 3271523Remote Code Execution vulnerability associated with Apache Commons Text (CVSS Score of 9.8). Apache Commons Text versions could become the target for malicious remote code execution without the presented solution. The next is Security Note 3248255 with a CVSS Score of 8.0. It describes the vulnerability based on the inputs from untrusted sources, which could be leveraged by an attacker to execute a DOM Cross-Site Scripting (XSS) attack.

User Defined Search and Messaging System of SAP NetWeaver get the specific mitigation steps this Patch Day: Note 3267780 – Improper access control in SAP NetWeaver Process Integration (CVSS Score of 9.4). Another HotNews patch brought to life is 3273480 Security Note – Improper access control in SAP NetWeaver Process Integration with a CVSS Score of 9.9.

For SAP BASIS: Note 3268172Code Injection vulnerability in SAP BASIS with CVSS Score of 8.8. An attacker could execute any of its public methods with any desirable parameters using the access system class through the unrestricted scope of the RFC function module.

The last to cover in our digest is Note 3271091Privilege escalation vulnerability in SAP Business Planning and Consolidation (CVSS Score of 8.5). Through the usage of transaction codes reserved for customer, an attacker could obtain the benefit of unauthorised transaction functionality for the further escalation of privileges.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BI-BIP-SRV 3239475 [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
BC-XI-CON-UDS 3273480 [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search) HotNews 9.9 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L
CEC-COM-CPS-COR 3271523 Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-XI-CON-MSG 3267780 [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System) HotNews 9.4 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H
BC-DB-HDB-POR 3268172 [CVE-2022-41264] Code Injection vulnerability in SAP BASIS high 8.8 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
EPM-BPC-NW 3271091 [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation high 8.5 CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H
BI-BIP-ADM 3229132 [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) high 8.2 CVSS:/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L
CEC-COM-CPS 3248255 [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce high 8.0 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
EPM-DSM-GEN 3266846 [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-BSP 3258950 Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-EIM-ESH 3271313 [CVE-2022-41275] Open redirect in SAP Solution Manager (Enterprise Search) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-JAS-WEB 3262544 [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-BSP 2872782 [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00 medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
SV-SMG-DIA-SRV-AGT 3265173 [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) medium 6.0 CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BI-RA-WBI 3249648 [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N
SRM-ESO-SEC 3270399 [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N
CA-MDG-APP-CUS 3234755 Information Disclosure vulnerability in Master Data Governance medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – February 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP Security Notes – December 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK