On March of 8th, SAP released 12 new Patch Day Security Notes. 4 previously released notes were also updated.
Notes by severity
HotNews — 4
Correction with high priority — 1
Correction with medium priority — 10
Correction with low priority — 1
Highlights
The first critical note is the update of the February patch note 3123396 with CVSS Score 10. It closes the Request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher. This note has been re-released with updated text. This note contains Workaround if it is not possible to update products.
The following note is an update to note 3131047 – [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component. New note 3154684 has been added that fixes a vulnerability in SAP Work Manager. There is a Workaround if it is not possible to update products and a variant with Troubleshooting, which describes how to remove the vulnerable item.
The next note with CVSS Score 9.3 is 3145987 Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). By exploiting this note, an attacker can gain access via localhost to the Simple Diagnostics Agent via http port 3005. In this case, the user can gain administrative rights.
The only high priority note with CVSS Score 8.2 is hotfix 3149805 – [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad. By exploiting this vulnerability, an attacker could hijack user privileges and perform dangerous actions.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| BC-CST-IC | 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| BC-CST-IC | 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| MOB-SYC-SAP-WM | 3154684 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| XX-SER-SN | 3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | 10 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| SV-FRN-INF-SDA | 3145987 | [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) | 9.3 | HotNews | CVSS:3.0/AV:L/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| CA-FLP-FE-COR | 3149805 | [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad | 8.2 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:H/A:N |
| BC-JAS-WEB | 1753378 | Directory traversal in Web Container | 5.3 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N |
| LO-MD-BP | 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| EP-PIN-NAV | 3146261 | [CVE-2022-24395] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| EP-PIN-NAV | 3146260 | [CVE-2022-24397] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
