SAP Security Notes - March 2022 - Safe O'Clock

SAP Security Notes – March 2022

March 8, 2022

On March of 8th, SAP released 12 new Patch Day Security Notes. 4 previously released notes were also updated.

Notes by severity

HotNews — 4

Correction with high priority — 1

Correction with medium priority — 10

Correction with low priority — 1

Highlights

The first critical note is the update of the February patch note 3123396 with CVSS Score 10. It closes the Request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This note has been re-released with updated text. This note contains Workaround if it is not possible to update products.

The following note is an update to note 3131047 – [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component. New note 3154684 has been added that fixes a vulnerability in SAP Work Manager. There is a Workaround if it is not possible to update products and a variant with Troubleshooting, which describes how to remove the vulnerable item.

The next note with CVSS Score 9.3 is 3145987 Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). By exploiting this note, an attacker can gain access via localhost to the Simple Diagnostics Agent via http port 3005. In this case, the user can gain administrative rights.

The only high priority note with CVSS Score 8.2 is hotfix 3149805 – [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad. By exploiting this vulnerability, an attacker could hijack user privileges and perform dangerous actions.

Summary 

SAP Component Number Description Priority CVSS CVSS Vector
BC-CST-IC 3123396 [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
BC-CST-IC 3123396 [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
MOB-SYC-SAP-WM 3154684 [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
XX-SER-SN 3131047 [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
SV-FRN-INF-SDA 3145987 [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) HotNews 9.3 CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
CA-FLP-FE-COR 3149805 [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad high 8.2 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N
LO-MD-BP 3142092 [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
EP-PIN-NAV 3146261 [CVE-2022-24395] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
EP-PIN-NAV 3146260 [CVE-2022-24397] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-JAS-WEB 1753378 Directory traversal in Web Container medium 5.3 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – February 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP Security Notes – December 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK