SAP Security Notes - May 2022 - Safe O'Clock

SAP Security Notes – May 2022

May 10, 2022

On 10th of May 2022, SAP released 8 new security notes and 4 updates to previously published Patch Day security notes. 

Notes by severity

HotNews — 4

Correction with high priority — 2

Correction with medium priority — 8

Correction with low priority — 0

Highlights

The first critical note is the update of the April note with CVSS Score 9.8 – 3170990 “Central Security Note for Remote Code Execution vulnerability associated with Spring Framework”. In the “Solution” section, new notes 3189409 have been added to the main list of notes, which fixes a vulnerability for SAP Business One Cloud, 3171258 for SAP Commerce and 3171258 for SAP Customer Profitability Analytics.

Note 3145046 with CVSS Score 8.3 fixed Cross-Site Scripting (XSS) vulnerability in administration UI for NW ABAP JAVA and SAP Webdispatcher. It is recommended to apply fixes or one of several Workaround Options that are presented in the note.

Critical Information Disclosure vulnerability for SAP BusinessObjects Central Management Server fixed in note 2998510 with CVSS Score 7.8. It closes the possible appearance of authentication credentials in Sysmon event logs during a system upgrade.

Summary

SAP Component Number Title CVSS Score  Priority CVSS Vector
XX-SER-SN 3170990 [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework 9.8 HotNews CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SBO-CRO-SEC 3189409 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud 9.8 HotNews CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CEC-COM-CPS-WEB 3171258 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce 9.8 HotNews CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
IS-T-MA 3189635 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics 9.8 HotNews CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-CST-WDP 3145046 [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM) 8.3 Correction with high priority CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
BI-BIP-INS 2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update 7.8 Correction with high priority CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-ADM 3137191 [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform 6.8 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-ABA-LI 3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform 6.5 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PA-FIO-LEA 3164677 [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request) 6.5 Correction with medium priority CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP News Overview for April 2023 – new SAP office in San Francisco, AMD is SAP customer and others

New SAP office in San Francisco SAP is constantly expanding to make its services available to more customers. The company […]

Read more
SAP Security Notes – May 2023

May 2023 On the 9th of May 2023, SAP Security Patch Day, 18 new Security Notes were released. There were […]

Read more
SAP Security Notes – April 2023

On the 11th of April 2023, SAP Security Patch Day saw the release of 19 new Security Notes. There were […]

Read more
SAP News Overview for March 2023 – Industry Cloud for healthcare, Axfood and others

SAP’s Industry Cloud helps healthcare In life sciences and healthcare, SAP is committed to helping its customers develop and advance […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK