SAP Security Notes - July 2022 - Safe O'Clock

SAP Security Notes – July 2022

July 12, 2022

On 12th of July 2022, 20 new Patch Day Security Notes were added. 3 previously released notes were also updated.

Notes by severity

HotNews — 0

Correction with high priority — 4

Correction with medium priority — 17

Correction with low priority — 2

Highlights

The most critical in this patch was the standard update of the note with CVSS Score 8.3 3221288 “[CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)”. The vulnerability allows an unauthenticated user to retrieve token information over the network to which access would otherwise be restricted. But to exploit this, an attacker needs to use methods such as sniffing or social engineering.

Several critical vulnerabilities have been closed for SAP Business One. The first of them is the Information Disclosure vulnerability through the integration script with SAP HANA in the note with CVSS Score 7.6 3212997. This note also has a Workaround that will allow you to close the vulnerability in a limited way if the system cannot be updated.

The second note 3157613 with CVSS Score 7.5 closes the Missing Authentication check vulnerability. By exploiting it, it is possible to make the application inaccessible. In this note, Workaround is possible, but you need to evaluate its applicability in your systems.

The third note 3191012 with CVSS Score 7.4 closes the Code Injection vulnerability. In this case, a user with low privileges can take control of the application. Read Solution carefully as there is no normal workaround for this vulnerability.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BI-BIP-CMC 3221288 [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console) high 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
SBO-CRO-SEC 3212997 [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One high 7.6 CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
SBO-CRO-SEC 3157613 [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API) high 7.5 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
SBO-CRO-SEC 3191012 [CVE-2022-31593] Code Injection vulnerability in SAP Business One high 7.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
BI-BIP-ADM 3169239 [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x medium 6.5 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N
LO-MD-BP 3142092 [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
BC-ABA-LI 3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EP-PIN-URL 3207902 [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-AI 3208819 [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-PRT 3208880 [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-TOL 3209557 [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-GPA 3210779 [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-WPC 3211760 [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BI-BIP-SRV 3194361 [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (LCM) medium 6 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – May 2024

On the 14th of May 2024, SAP Security Patch Day saw the release of 14 new Security Notes. There were […]

Read more
SAP Security Notes – April 2024

On the 9th of April 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP News Overview for March 2024

SAP and NVIDIA partnership Another SAP partnership has benefited from the use of artificial intelligence. SAP SE and NVIDIA announced […]

Read more
SAP Security Notes – March 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK