SAP Security Notes - January 2022 - Safe O'Clock

SAP Security Notes – January 2022

January 11, 2022

On the 11th of January 2022, SAP Security Patch Day saw the release of 9 new Security Notes. There were 5 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 1
Correction with high priority: 2
Correction with medium priority: 5
Correction with low priority: 1

Highlights

On the January Patch Day SAP released only three high-severity Notes, one of them rated HotNews. They are nevertheless worth a brief explanation:

First is the central Security Note 3131047 for the Remote Code Execution vulnerability in the Apache Log4j 2 component (CVE-2021-44228), rated HotNews with a CVSS score of 10.0. It collects the individual Security Notes that address this vulnerability in specific SAP products, such as 3133772 (SAP Customer Checkout) and 3132198 (Code Injection vulnerability in SAP Landscape Management). The Note contains two tables: the list of the product-specific Notes themselves, and a summary of workarounds and other assistance for mitigating the vulnerabilities listed in the first table. The Log4j 2 situation remains a serious issue. If any of your SAP products embed the Log4j 2 library, keep watching this central Note, since its list is updated as further products are covered. Note also that the first Log4j fix release (2.15.0) was followed by further CVEs, so the upgrade target for the Java 8 line is 2.17.1 or later. The collection approach at least makes the mitigation work for this set of vulnerabilities manageable from a single place.
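Knowing which installed components bundle a vulnerable log4j-core is the practical prerequisite for working through the central Note. The scanner below is an added example, not code from the SAP Note or from this page's author: it walks a directory tree, opens every jar/war/ear (recursing into archives nested inside archives), reads the version from log4j-core's Maven pom.properties, checks whether JndiLookup.class is still present (its removal is the documented workaround), and classifies the version against the fix floors. The version floors are Log4j project facts (2.15.0 fixed CVE-2021-44228 on the Java 8 line, 2.17.1 also closes the follow-up CVEs; 2.12.2/2.12.4 and 2.3.1/2.3.2 for the Java 7 and Java 6 lines), not figures taken from the Note; the Maven layout of the jar is assumed, and the sample archive built by build_sample_archive is constructed test data.

```python
"""Find Apache Log4j 2 core artifacts (also jars nested in war/ear files) and classify each by its CVE-2021-44228 fix state."""
import io
import os
import re
import sys
import zipfile
from dataclasses import dataclass
from typing import BinaryIO, Iterator, List, Optional

ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".zip")
JNDI_LOOKUP_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
POM_PROPERTIES = "META-INF/maven/org.apache.logging.log4j/log4j-core/pom.properties"

# Per-branch floors (Log4j project facts, not from the SAP Note): the release that fixed CVE-2021-44228,
# then the release that also closes CVE-2021-45046/45105/44832. 2.3.x = Java 6 line, 2.12.x = Java 7 line.
BRANCH_FLOORS = {(2, 3): ((2, 3, 1), (2, 3, 2)), (2, 12): ((2, 12, 2), (2, 12, 4))}
DEFAULT_FLOORS = ((2, 15, 0), (2, 17, 1))  # Java 8 line


@dataclass
class Finding:
    location: str            # file path; "!" separates nested archive members
    version: Optional[str]   # from pom.properties; None if only classes were seen
    jndi_lookup_present: bool
    status: str


def parse_version(version: str) -> tuple:
    """'2.14.1' or '2.0-beta9' -> (major, minor, patch); suffixes are dropped, which errs toward flagging."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version)
    if not m:
        raise ValueError(f"unparseable log4j version: {version!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def classify(version: Optional[str], jndi_lookup_present: bool) -> str:
    if version is None:
        return "log4j-core classes present but no pom.properties; identify version manually"
    v = parse_version(version)
    fix_floor, current_floor = BRANCH_FLOORS.get(v[:2], DEFAULT_FLOORS)
    if v < fix_floor:
        if not jndi_lookup_present:  # documented workaround: class deleted from the jar
            return "vulnerable version, but JndiLookup.class removed (workaround applied); still upgrade"
        return "VULNERABLE to CVE-2021-44228"
    if v < current_floor:
        return "fixed for CVE-2021-44228 but below %s (follow-up CVEs)" % ".".join(map(str, current_floor))
    return "OK"


def inspect_archive(fobj: BinaryIO, location: str) -> Iterator[Finding]:
    try:
        zf = zipfile.ZipFile(fobj)
    except zipfile.BadZipFile:
        return  # not a zip container: nothing to inspect
    with zf:
        names = zf.namelist()
        version = None
        if POM_PROPERTIES in names:
            for line in zf.read(POM_PROPERTIES).decode("utf-8", "replace").splitlines():
                if line.startswith("version="):
                    version = line.split("=", 1)[1].strip()
        jndi = JNDI_LOOKUP_CLASS in names
        if version is not None or jndi:
            yield Finding(location, version, jndi, classify(version, jndi))
        for name in names:  # recurse into jars bundled in wars/ears and fat jars
            if name.lower().endswith(ARCHIVE_SUFFIXES):
                yield from inspect_archive(io.BytesIO(zf.read(name)), f"{location}!{name}")


def scan_bytes(data: bytes, location: str = "<memory>") -> List[Finding]:
    return list(inspect_archive(io.BytesIO(data), location))


def scan_directory(root: str) -> List[Finding]:
    findings: List[Finding] = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            if fname.lower().endswith(ARCHIVE_SUFFIXES):
                with open(os.path.join(dirpath, fname), "rb") as f:
                    findings.extend(inspect_archive(f, f.name))
    return findings


def build_sample_archive(version: Optional[str] = None, jndi_lookup: bool = False,
                         nested: Optional[dict] = None) -> bytes:
    """Constructed test data: an in-memory archive mimicking log4j-core's layout and/or bundling other archives."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        if version is not None:
            zf.writestr(POM_PROPERTIES, f"artifactId=log4j-core\nversion={version}\n")
        if jndi_lookup:
            zf.writestr(JNDI_LOOKUP_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
        for name, data in (nested or {}).items():
            zf.writestr(name, data)
    return buf.getvalue()

if __name__ == "__main__":  # usage: python log4j_scan.py /path/to/sap/instance
    for r in scan_directory(sys.argv[1]):
        print(f"{r.location}: version={r.version} JndiLookup={'present' if r.jndi_lookup_present else 'absent'} -> {r.status}")
```

Run it against the file systems of the SAP hosts in question (for example the Java stack's usr/sap tree); a finding whose version is None marks a jar that has been repackaged or shaded and needs a manual look, and a "workaround applied" result is a reminder that class removal only covers CVE-2021-44228, so the product-specific Note from the central list still has to be applied.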

The next Security Note is 3112928, Multiple vulnerabilities in the F0743 Create Single Payment application of SAP S/4HANA (CVE-2022-22531), with a CVSS score of 8.7 and rated as a correction with high priority. The application does not sufficiently check files that are uploaded to or downloaded from it, which opens the window for Cross-Site Scripting attacks. The vector (PR:L, UI:R, S:C) indicates that an authenticated low-privileged user can stage the attack, that a victim's interaction is required, and that the impact reaches beyond the vulnerable component itself. S/4HANA users should work through the solution steps given in the Note.

The last high-severity Note this month, with a CVSS score of 8.4, is an update to 3123196, Code Injection vulnerability in a utility class for SAP NetWeaver AS ABAP (CVE-2021-44235), first released in December 2021. The "Reason and Prerequisites" section was revised: among other changes, it now states that customers using the license-bound product Post-Copy Automation (PCA) should check the validity of the releases that follow this Security Note in its description.

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| FI-FIO-AP | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H |
| BC-INS-TC-CNT | 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP | high | 8.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-CRO-SEC | 3101299 | [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One | medium | 6.6 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3106528 | [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One | medium | 6.5 | CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| BC-SEC-ETD | 3124597 | [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-CCM-MON | 3112710 | [CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CA-VE-VEV | 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| GRC-ACP | 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control | low | 2.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |

The vector for Note 3112928 is given here with UI:R; the value "UI:P" that circulated for this Note is not a valid CVSS 3.0 metric value, and UI:R is the value that reproduces the published score of 8.7 with the remaining metrics.