On the 11th of January 2022, SAP Security Patch Day saw the release of 9 new Security Notes. There were 5 updates to previously released Patch Day Security Notes.
Notes by severity

| Priority | Count |
|---|---|
| Correction with high priority | 2 |
| Correction with medium priority | 5 |
| Correction with low priority | 1 |
On January Patch Day, SAP presents only three high-severity Notes, one of them rated as HotNews. Nevertheless, they are essential to cover in a brief explanation:

Starting with the single central Security Note 3131047, dedicated to the Remote Code Execution vulnerability associated with the Apache Log4j 2 component, rated as HotNews with a CVSS score of 10. It collects a significant number of Security Notes whose main focus is that vulnerability, such as 3133772 (SAP Customer Checkout), 3132198 (Code Injection vulnerability in SAP Landscape Management) and so on. In total, this Note contains two tables: the table of affected notes itself, and a table summarising workarounds and assistance with mitigating the vulnerabilities listed in the first table. The situation with Log4j 2 continues to be a serious issue. If you are using the Log4j utility, you should pay close attention to any updates to this list to keep your systems safe from potential intrusion. That said, with such a collected Security Note approach, the mitigation steps for this set of vulnerabilities should be comfortably manageable.

The next Security Note we want to write about is 3112928, Multiple vulnerabilities in the F0743 Create Single Payment application of SAP S/4HANA, with a CVSS score of 8.7 and rated as a correction with high priority. The Note describes that the F0743 Create Single Payment application of SAP S/4HANA does not check uploaded or downloaded files. This vulnerability opens the window for potential Cross-Site Scripting attempts. S/4HANA users are advised to study the solution steps presented.

The last high-severity Security Note this month, with a CVSS score of 8.4, is an update to Note 3123196, the Code Injection vulnerability in a utility class for SAP NetWeaver AS ABAP. The "Reason and Prerequisites" paragraph has changed since the previous release in December. Now, among several changes, it mentions that if you are using the license-bound product Post-Copy Automation (PCA), you should check the validity of the releases listed in the description following this Security Note.
| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| FI-FIO-AP | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H |
| BC-INS-TC-CNT | 3123196 | [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP | high | 8.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-CRO-SEC | 3101299 | [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One | medium | 6.6 | CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3106528 | [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One | medium | 6.5 | CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H |
| BC-SEC-ETD | 3124597 | [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-CCM-MON | 3112710 | [CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| CA-VE-VEV | 3121165 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L |
| GRC-ACP | 3080816 | [CVE-2021-44233] Missing Authorization check in GRC Access Control | low | 2.4 | CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N |
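Added example, not part of the original post or any SAP tool: a CVSS v3.0 base-score calculator that recomputes the scores in the table above from their vectors, so the published values can be checked (and a mistyped vector is rejected instead of silently scored). Weights and formulas follow the FIRST CVSS v3.0 specification; the note-to-vector map is copied from the table.

```python
import math, re

# CVSS v3.0 base-metric weights (FIRST spec, section 8.4); PR depends on Scope.
W = {
    "AV": {"N": 0.85, "A": 0.62, "L": 0.55, "P": 0.20},
    "AC": {"L": 0.77, "H": 0.44},
    "PR": {"U": {"N": 0.85, "L": 0.62, "H": 0.27},
           "C": {"N": 0.85, "L": 0.68, "H": 0.50}},
    "UI": {"N": 0.85, "R": 0.62},
    "CIA": {"H": 0.56, "L": 0.22, "N": 0.0},
}
VECTOR_RE = re.compile(
    r"^CVSS:3\.[01]/AV:([NALP])/AC:([LH])/PR:([NLH])/UI:([NR])/S:([UC])"
    r"/C:([HLN])/I:([HLN])/A:([HLN])$"
)

def base_score(vector):
    """Compute the CVSS v3.0 base score from a base-metric vector string."""
    m = VECTOR_RE.match(vector)
    if not m:
        raise ValueError("not a CVSS v3 base vector: %r" % vector)
    av, ac, pr, ui, s, c, i, a = m.groups()
    iss = 1 - (1 - W["CIA"][c]) * (1 - W["CIA"][i]) * (1 - W["CIA"][a])
    if s == "C":  # scope changed: impact formula and PR weights differ
        impact = 7.52 * (iss - 0.029) - 3.25 * (iss - 0.02) ** 15
    else:
        impact = 6.42 * iss
    exploitability = 8.22 * W["AV"][av] * W["AC"][ac] * W["PR"][s][pr] * W["UI"][ui]
    if impact <= 0:
        return 0.0
    total = (impact + exploitability) * (1.08 if s == "C" else 1)
    # CVSS v3.0 Roundup: smallest one-decimal value >= total, capped at 10
    return math.ceil(min(total, 10) * 10) / 10

# Constructed from the table above: SAP note number -> (vector, published score).
JANUARY_2022 = {
    "3131047": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H", 10.0),
    "3112928": ("CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H", 8.7),
    "3123196": ("CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H", 8.4),
    "3101299": ("CVSS:3.0/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H", 6.6),
    "3106528": ("CVSS:3.0/AV:L/AC:L/PR:H/UI:R/S:U/C:H/I:H/A:H", 6.5),
    "3124597": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N", 6.1),
    "3112710": ("CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", 4.3),
    "3121165": ("CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:L", 4.3),
    "3080816": ("CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:U/C:L/I:N/A:N", 2.4),
}

def check_table(notes=JANUARY_2022):
    # Recompute each score; return {note: computed} only where it differs
    return {n: base_score(v) for n, (v, s) in notes.items() if base_score(v) != s}
```

An empty result from `check_table()` means every vector in the table reproduces its published score; a non-empty one points at a note worth re-reading.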