On the 13th of December 2022, SAP Security Patch Day saw the release of 15 new Security Notes.
There were 3 updates to previously released Patch Day Security Notes.
Notes by severity
Priority | Count |
---|---|
HotNews | 5 |
Correction with high priority | 4 |
Correction with medium priority | 9 |
Correction with low priority | 0 |
Highlights
On December Patch Day, the last one of this year, SAP presents 9 high-severity Notes, 5 of them rated as HotNews. Our overview of these follows.
Starting the list of HotNews, we have Security Note 2622660 – Security updates for the browser control Google Chromium delivered with SAP Business Client, with a CVSS Score of 10.0. This Note has received yet another update to its list of support packages, and implementing it should be considered essential.
The vulnerability described in Note 3239475 – Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform allows any file on the BusinessObjects server to be replaced or edited, even with ordinary user privileges. With a CVSS Score of 9.9, the solution steps presented in this Note must be reviewed, as BOBJ is a standard part of client environments. Another Note dedicated to BOBJ security is 3229132 – Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CVSS Score of 8.2); the Note was re-released with updated solution information about suitable workarounds.
SAP Commerce receives two security patches today. Security Note 3271523 – Remote Code Execution vulnerability associated with Apache Commons Text (CVSS Score of 9.8) addresses the affected Apache Commons Text versions, which without the presented solution could become the target of malicious remote code execution. The second is Security Note 3248255, with a CVSS Score of 8.0; it describes a vulnerability based on inputs from untrusted sources, which an attacker could leverage to execute a DOM-based Cross-Site Scripting (XSS) attack.
The Messaging System and the User Defined Search of SAP NetWeaver Process Integration get specific mitigation steps this Patch Day: Note 3267780 – Improper access control in SAP NetWeaver Process Integration (Messaging System), with a CVSS Score of 9.4, and another HotNews patch, Security Note 3273480 – Improper access control in SAP NetWeaver Process Integration (User Defined Search), with a CVSS Score of 9.9.
For SAP BASIS: Note 3268172 – Code Injection vulnerability in SAP BASIS, with a CVSS Score of 8.8. Because the scope of the affected RFC function module is unrestricted, an attacker could use it to access a system class and execute any of its public methods with arbitrary parameters.
The last Note covered in our digest is 3271091 – Privilege escalation vulnerability in SAP Business Planning and Consolidation (CVSS Score of 8.5). Through the use of transaction codes reserved for customers, an attacker could gain unauthorised transaction functionality and use it to escalate privileges further.
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BI-BIP-SRV | 3239475 | [CVE-2022-41267] Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
BC-XI-CON-UDS | 3273480 | [CVE-2022-41272] Improper access control in SAP NetWeaver Process Integration (User Defined Search) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:L |
CEC-COM-CPS-COR | 3271523 | Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
BC-XI-CON-MSG | 3267780 | [CVE-2022-41271] Improper access control in SAP NetWeaver Process Integration (Messaging System) | HotNews | 9.4 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:H |
BC-DB-HDB-POR | 3268172 | [CVE-2022-41264] Code Injection vulnerability in SAP BASIS | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
EPM-BPC-NW | 3271091 | [CVE-2022-41268] Privilege escalation vulnerability in SAP Business Planning and Consolidation | high | 8.5 | CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H |
BI-BIP-ADM | 3229132 | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | high | 8.2 | CVSS:/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:L/A:L |
CEC-COM-CPS | 3248255 | [CVE-2022-41266] Cross-Site Scripting (XSS) vulnerability in SAP Commerce | high | 8.0 | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N |
EPM-DSM-GEN | 3266846 | [CVE-2022-41274] Missing Authorization Checks in SAP Disclosure Management | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
BC-BSP | 3258950 | Update 1 to Security Note 2872782 - [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP (BSP Test Application) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-EIM-ESH | 3271313 | [CVE-2022-41275] Open redirect in SAP Solution Manager (Enterprise Search) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-JAS-WEB | 3262544 | [CVE-2022-41262] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS for Java (Http Provider Service) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
BC-BSP | 2872782 | [CVE-2020-6215] URL Redirection vulnerability in SAP NetWeaver AS ABAP – Business Server Pages Test Application IT00 | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
SV-SMG-DIA-SRV-AGT | 3265173 | [CVE-2022-41261] Improper Access Control in SAP Solution Manager (Diagnostic Agent) | medium | 6.0 | CVSS:3.0/AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
BI-RA-WBI | 3249648 | [CVE-2022-41263] Missing authentication check vulnerability in SAP Business Objects Business Intelligence Platform (Web intelligence) | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N |
SRM-ESO-SEC | 3270399 | [CVE-2022-41273] URL Redirection vulnerability in SAP Sourcing and SAP Contract Lifecycle Management | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N |
CA-MDG-APP-CUS | 3234755 | Information Disclosure vulnerability in Master Data Governance | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |