SAP Security Notes - July 2022 - Safe O'Clock


July 12, 2022

On the 12th of July 2022, SAP Security Patch Day, 20 new Security Notes were released and 3 previously released notes were updated.

Notes by severity

HotNews — 0

Correction with high priority — 4

Correction with medium priority — 17

Correction with low priority — 2

Highlights

The most critical entry of this Patch Day is note 3221288 with CVSS Score 8.3, “[CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)”. The vulnerability allows an unauthenticated attacker to retrieve token information over the network to which access would otherwise be restricted. Exploitation is not straightforward, however: the vector rates attack complexity as high and requires user interaction, which in practice means the attacker has to obtain the token by methods such as network sniffing or social engineering.

Several high-priority vulnerabilities have been closed in SAP Business One. The first is the Information Disclosure vulnerability in the integration script for SAP HANA, note 3212997 with CVSS Score 7.6. The note also contains a Workaround that partially mitigates the vulnerability if the system cannot be updated right away.

The second, note 3157613 with CVSS Score 7.5, closes a Missing Authentication check in the License service API. It is reachable over the network without credentials, and exploiting it can make the application unavailable (the vector scores availability impact only). A Workaround exists for this note as well, but its applicability has to be evaluated for your own systems.

The third, note 3191012 with CVSS Score 7.4, closes a Code Injection vulnerability that an authenticated user with low privileges can exploit over the network. The vector rates confidentiality, integrity and availability impact as low, but the scope as changed, so the effects can reach beyond the vulnerable component. There is no workaround for this one, so read the Solution section of the note carefully.

Summary

| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
|---|---|---|---|---|---|
| BI-BIP-CMC | 3221288 | [CVE-2022-35228] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console) | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| SBO-CRO-SEC | 3212997 | [CVE-2022-32249] Information Disclosure vulnerability in SAP Business One | 7.6 | Correction with high priority | CVSS:3.0/AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H |
| SBO-CRO-SEC | 3157613 | [CVE-2022-28771] Missing Authentication check in SAP Business One (License service API) | 7.5 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H |
| SBO-CRO-SEC | 3191012 | [CVE-2022-31593] Code Injection vulnerability in SAP Business One | 7.4 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L |
| BI-BIP-ADM | 3169239 | [CVE-2022-29619] Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:N |
| LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| BC-ABA-LI | 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| EP-PIN-URL | 3207902 | [CVE-2022-35172] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-AI | 3208819 | [CVE-2022-35170] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-PRT | 3208880 | [CVE-2022-35225] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-TOL | 3209557 | [CVE-2022-32247] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-GPA | 3210779 | [CVE-2022-35224] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-WPC | 3211760 | [CVE-2022-35227] Cross-Site Scripting (XSS) vulnerability in SAP NW EP WPC | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-SRV | 3194361 | [CVE-2022-35169] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (LCM) | 6.0 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:L/A:L |

