SAP Security Notes - May 2022 - Safe O'Clock

SAP Security Notes – May 2022

May 10, 2022

On 10th of May 2022, SAP released 8 new security notes and 4 updates to previously published Patch Day security notes. 

Notes by severity

HotNews — 4

Correction with high priority — 2

Correction with medium priority — 8

Correction with low priority — 0

Highlights

The first critical note is the update of the April note with CVSS Score 9.8 – 3170990 “Central Security Note for Remote Code Execution vulnerability associated with Spring Framework”. In the “Solution” section, new notes 3189409 have been added to the main list of notes, which fixes a vulnerability for SAP Business One Cloud, 3171258 for SAP Commerce and 3171258 for SAP Customer Profitability Analytics.

Note 3145046 with CVSS Score 8.3 fixed Cross-Site Scripting (XSS) vulnerability in administration UI for NW ABAP JAVA and SAP Webdispatcher. It is recommended to apply fixes or one of several Workaround Options that are presented in the note.

Critical Information Disclosure vulnerability for SAP BusinessObjects Central Management Server fixed in note 2998510 with CVSS Score 7.8. It closes the possible appearance of authentication credentials in Sysmon event logs during a system upgrade.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
XX-SER-SN 3170990 [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SBO-CRO-SEC 3189409 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud HotNews 9.8 CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CEC-COM-CPS-WEB 3171258 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
IS-T-MA 3189635 [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics HotNews 9.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
BC-CST-WDP 3145046 [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM) high 8.3 CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
BI-BIP-INS 2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update high 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-ADM 3137191 [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform medium 6.8 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N
BC-ABA-LI 3165801 [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
PA-FIO-LEA 3164677 [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request) medium 6.5 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – February 2024

On the 13th of February 2024, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – January 2024

On the 9th of January 2024, SAP Security Patch Day saw the release of 10 new Security Notes. There were […]

Read more
SAP Security Notes – December 2023

On the 12th of December 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP Security Notes – November 2023

On the 14th of November 2023, SAP Security Patch Day saw the release of 3 new Security Notes. There were […]

Read more

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK