On the 8th of February 2022, SAP Security Patch Day saw the release of 13 new Security Notes.
1 security note was released out-of-band.
Further, there were 5 updates to previously released Patch Day Security Notes.
Notes by severity
Priority | Number of Notes |
---|---|
HotNews | 9 |
Correction with high priority | 3 |
Correction with medium priority | 6 |
Correction with low priority | 1 |
Highlights
February Patch Day brings a whole series of Notes rated “HotNews” with a CVSS score of 10.
Let’s start with the first one on the list, SAP Security Note 3123396, Request smuggling and request concatenation in SAP NetWeaver. According to the note, a significant number of components, including SAP NetWeaver ABAP and Java Application Server, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher, are vulnerable to request smuggling and request concatenation. To prevent an attacker from prepending arbitrary data to a victim’s request, SAP strongly recommends patching all SAP Kernel and SAP Web Dispatcher components.
The list continues with Security Notes 3130920, 3142773 and 3139893, each dedicated to the Remote Code Execution vulnerability associated with Apache Log4j 2 components and each with a CVSS score of 10. SAP Commerce, SAP Data Intelligence 3 and SAP Dynamic Authorization Management were made more secure with security and version patches; the notes include the recommendations for mitigating the Remote Code Execution vulnerability in the different products as well as mitigation steps for the Control Center and Policy Controller servers. We also recommend taking a look at the workarounds presented by SAP.
There is also a separate group of updated Security Notes addressing the Remote Code Execution vulnerability in Apache Log4j 2, all with a CVSS score of 10 as well. With the February update, the workaround in SAP Note 3132922 was shortened and Note 3154684 was added to the “Solution” list of Note 3131047. The list of updates to previously released SAP Notes also contains the standard security updates for the browser control Google Chromium delivered with SAP Business Client, SAP Security Note 2622660, first released in April 2018.
To address the missing segregation of duties described in SAP Security Note 3140940, it is recommended to apply the latest LM_SERVICE version containing the fix described in informational SAP Note 3145008, together with SAP Note 3137764, which removes the links to the applications from the SAP Solution Manager Launchpad. With a CVSS score of 9.1, the issue remains critical.
Security Note 3112928 (CVSS score 8.7), Multiple vulnerabilities in the F0743 Create Single Payment application of SAP S/4HANA, was updated since January: the configuration details for the Virus Scanner Interface have changed.
Lastly, it is worth paying attention to the high-priority Security Note 3140587 with a CVSS score of 8.1, which describes an SQL Injection vulnerability in SAP NetWeaver AS ABAP. The correction replaces an SQL statement with a dynamic WHERE clause by an SQL statement with a static WHERE clause. For Security Note 3123427 (CVSS score 7.1), dedicated to HTTP Request Smuggling in SAP NetWeaver Application Server Java, the note states that the vulnerabilities have been fixed by proper memory handling of HTTP pipelined requests.
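The following is an added illustration of the dynamic-versus-static WHERE clause distinction behind the 3140587 correction; it is not SAP's code and is not taken from the note. It uses an in-memory SQLite table with hypothetical names (`wp_users`, `uname`) and a constructed probe input to show why a clause assembled from caller text lets the input change the query, while a fixed clause with a bound parameter does not.

```python
import sqlite3

# Constructed in-memory sample table; names are hypothetical stand-ins,
# not the Workplace Server objects the note corrects.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (uname TEXT, role TEXT)")
    conn.executemany("INSERT INTO wp_users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user"), ("carol", "user")])
    return conn

def lookup_dynamic_where(conn: sqlite3.Connection, uname: str) -> list:
    # Pre-fix pattern: the WHERE clause text is built at runtime from
    # caller-supplied input, so the input can alter the query's structure.
    where = f"uname = '{uname}'"
    rows = conn.execute(f"SELECT uname FROM wp_users WHERE {where} ORDER BY uname")
    return [r[0] for r in rows]

def lookup_static_where(conn: sqlite3.Connection, uname: str) -> list:
    # Post-fix pattern: the WHERE clause is fixed in the statement and the
    # value is passed as a bound parameter, so it is only ever compared as data.
    rows = conn.execute(
        "SELECT uname FROM wp_users WHERE uname = ? ORDER BY uname", (uname,))
    return [r[0] for r in rows]

def demo() -> dict:
    conn = make_db()
    # Constructed probe: a value no user has, containing a quote and an OR.
    probe = "x' OR '1'='1"
    return {
        "dynamic": lookup_dynamic_where(conn, probe),  # every row leaks
        "static": lookup_static_where(conn, probe),    # no match, as intended
        "normal": lookup_static_where(conn, "bob"),    # ordinary lookup still works
    }

if __name__ == "__main__":
    print(demo())
```

The same probe returns the whole table through the dynamic clause and nothing through the static one, which is exactly the behaviour the correction targets.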
Summary
SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
---|---|---|---|---|---|
BC-CST-IC | 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CEC-COM-CPS-WEB | 3142773 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
CA-DI-CP | 3130920 | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise) | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
XX-PART-NXL | 3139893 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BC-NEO-SVC-IOT | 3132922 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
IS-SE-CCO | 3133772 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
SV-SMG-DIA | 3140940 | [CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools | HotNews | 9.1 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
FI-FIO-AP | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N |
BC-CST-IC | 3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java | high | 8.1 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H |
WP-WSR | 3140587 | [CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server) | high | 7.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:L |
PY-PT | 3126489 | [CVE-2022-22535] Missing Authorization check in SAP ERP HCM | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
BC-SYB-ASE | 3140564 | [CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise | medium | 5.6 | CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:C/C:N/I:N/A:H |
BI-RA-WBI-FE-HTM | 3126748 | [CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
BC-CCM-PRN-PC | 3124994 | [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
CA-VE-VEV | 3134684 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
BC-CST | 3116223 | [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) | low | 3.7 | CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L |