SAP Security Notes - January 2022 - Safe O'Clock

SAP Security Notes – January 2022

January 11, 2022

On the 11th of January 2022, SAP Security Patch Day saw the release of 9 new Security Notes. There were 5 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews 1
Correction with high priority 2
Correction with medium priority 5
Correction with low priority 1

Highlights

On January Patch Day, SAP presents only three high-severity Notes with one of them rated as HotNews. Nevertheless, they are essential to cover in a brief explanation:

Starting with a single central Security Note 3131047 dedicated to Remote Code Execution vulnerability associated with Apache Log4j 2 component, rated as HotNews with a CVSS Score of 10. It collects a significant amount of Security Notes the main focus of which is the vulnerability mentioned, such as 3133772 (SAP Customer Checkout), 3132198 (Code Injection vulnerability in SAP Landscape Management) and so on. All in all, This Note contains two tables – the table of vulnerable notes itself as well as a table of summary information on workarounds and assistance with the vulnerabilities mitigation presented in the first table. The situation with Log4j 2 continues to be a serious issue. If you are using the Log4j utility, you should pay close attention to any updates to this list for keeping your systems safe and secure from potential intrusion. Though, mitigation steps for this set of vulnerabilities could be comfortably manageable with such a Security Note collection approach.

The next Security Note we want to write about is 3112928: Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA with CVSS Score of 8.7 and rated as a correction with high priority. It is described that the F0743 Create Single Payment application of SAP S/4HANA does not check uploaded or downloaded files. This vulnerability opens the window for potential Cross-Site Scripting attempts. It is recommended for S/4HANA users to study the solution steps presented.


The last Security Note with high severity and a CVSS Score of 8.4 this month is an update for the Code Injection vulnerability in the utility class for SAP NetWeaver AS ABAP 3123196 Note. The “Reason and Prerequisites” paragraph was changed from the last release in December. Now, along with several changes, it is mentioned that in case you are using a license-bound product Post-Copy Automation (PCA), you should check the validity of the releases following this Security Note in the description.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
XX-SER-SN 3131047 [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component HotNews 10.0 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
FI-FIO-AP 3112928 [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA high 8.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:P/S:C/C:N/I:H/A:H
BC-INS-TC-CNT 3123196 [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP high 8.4 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
SBO-CRO-SEC 3101299 [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One medium 6.6 CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
SBO-CRO-SEC 3106528 [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One medium 6.5 CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H
BC-SEC-ETD 3124597 [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-CCM-MON 3112710 [CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
CA-VE-VEV 3121165 [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer medium 4.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L
GRC-ACP 3080816 [CVE-2021-44233] Missing Authorization check in GRC Access Control low 2.4 CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for February 2024

SAP strengthens AI growth areas  In recent years, artificial intelligence has rightfully begun to gain increasing popularity among developers – […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK