SAP Security Notes - February 2022 - Safe O'Clock

SAP Security Notes – February 2022

February 8, 2022

On the 8th of February 2022, SAP Security Patch Day saw the release of 13 new Security Notes.

1 security note was released out-of-band.

Further, there were 5 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 9
Correction with high priority 3
Correction with medium priority 6
Correction with low priority 1

Highlights

February Patch Day meets us with a variation of Notes qualified as “HotNews” with a CVSS Score of 10.

Let’s take a look at 3123396 SAP Security Note with such Score, Request smuggling and request concatenation in SAP NetWeaver, the first in the list to go. As it is said, a significant amount of services like SAP NetWeaver ABAP and JAVA AppServer along with ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation. To mitigate the possibility of request prependation of the victim’s arbitrary data by an attacker, SAP strongly recommends patching all SAP Kernel and SAP Web Dispatcher components.
Further update list contains Security Notes numbered 3130920, 3142773 and 3139893 dedicated to Remote Code Execution vulnerability, associated with Apache Log4j 2 components with CVSS Score of 10 each. The following products as SAP Commerce, SAP Data Intelligence 3 and SAP Dynamic Authorization Management became more secure with help of security and version patches, the list of recommendations for Remote Code Execution vulnerability mitigation for different products and mitigation steps for the Control Center and Policy Controller servers are included. We also recommend taking a glance at the presented workarounds by SAP.

Then we can see a separate group of Security Notes dedicated to updating the Remote Code Execution vulnerability of Apache Log4j 2. All of them have a CVSS Score of 10 too. Workaround for 3132922 SAP Note was shortened and 3154684 Note was added to the 3131047 Note “Solution” list with the February update. The list of updates of previously released SAP Notes also contains standard Security updates for the browser control Google Chromium delivered with SAP Business Client SAP Security Note 2626260 first released in April 2018.

To configure the missing segregation of duties described in SAP Security Note 3140940, it is recommended to apply the latest LM_SERVICE version containing the fix described in informational SAP Note 3145008 along with SAP Note 3137764 to remove the links to the applications from the SAP Solution Manager Launchpad. The CVSS Score of 9.1 is still critical.

In the configuration details of the Virus Scanner Interface in 3112928 Security Note with the CVSS Score of 8.7 was changed in comparison to January for Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA.

Lastly, it would be good to pay attention to the highly prioritised 3140587 Security Note with a CVSS Score of 8.1, which describes SQL Injection vulnerability in SAP NetWeaver AS ABAP. The correction changes the SQL statement with a dynamic WHERE clause into a SQL statement with a static WHERE clause. For the 3123427 Security Note (CVSS Score of 7.1) dedicated to HTTP Request Smuggling in SAP NetWeaver Application Server Java, it is said that those vulnerabilities have been fixed by proper memory handling for HTTP pipeline requests.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-CST-IC 3123396 [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CEC-COM-CPS-WEB 3142773 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CA-DI-CP 3130920 Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise) HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
XX-PART-NXL 3139893 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-NEO-SVC-IOT 3132922 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
IS-SE-CCO 3133772 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
XX-SER-SN 3131047 [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SV-SMG-DIA 3140940 [CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools HotNews 9.1 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
FI-FIO-AP 3112928 [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA high 8.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
BC-CST-IC 3123427 [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java high 8.1 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
WP-WSR 3140587 [CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server) high 7.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L
PY-PT 3126489 [CVE-2022-22535] Missing Authorization check in SAP ERP HCM medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
LO-MD-BP 3142092 [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-SYB-ASE 3140564 [CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise medium 5.6 CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H
BI-RA-WBI-FE-HTM 3126748 [CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-CCM-PRN-PC 3124994 [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CA-VE-VEV 3134684 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
BC-CST 3116223 [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) low 3.7 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK