On 10th of May 2022, SAP released 8 new security notes and 4 updates to previously published Patch Day security notes.
Notes by severity
HotNews — 4
Correction with high priority — 2
Correction with medium priority — 8
Correction with low priority — 0
Highlights
The first critical note is the update of the April note with CVSS Score 9.8 – 3170990 “Central Security Note for Remote Code Execution vulnerability associated with Spring Framework”. In the “Solution” section, new notes 3189409 have been added to the main list of notes, which fixes a vulnerability for SAP Business One Cloud, 3171258 for SAP Commerce and 3171258 for SAP Customer Profitability Analytics.
Note 3145046 with CVSS Score 8.3 fixed Cross-Site Scripting (XSS) vulnerability in administration UI for NW ABAP JAVA and SAP Webdispatcher. It is recommended to apply fixes or one of several Workaround Options that are presented in the note.
Critical Information Disclosure vulnerability for SAP BusinessObjects Central Management Server fixed in note 2998510 with CVSS Score 7.8. It closes the possible appearance of authentication credentials in Sysmon event logs during a system upgrade.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| XX-SER-SN | 3170990 | [CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| SBO-CRO-SEC | 3189409 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in in SAP Business One Cloud | 9.8 | HotNews | CVSS:/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS-WEB | 3171258 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Commerce | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| IS-T-MA | 3189635 | [CVE-2022-22965] Remote Code Execution vulnerability associated with Spring Framework used in SAP Customer Profitability Analytics | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| BC-CST-WDP | 3145046 | [CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Webdispatcher and SAP Netweaver AS for ABAP and Java (ICM) | 8.3 | Correction with high priority | CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H |
| BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | 7.8 | Correction with high priority | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BI-BIP-ADM | 3137191 | [CVE-2022-22541] Information Disclosure vulnerability in SAP BusinessObjects Platform | 6.8 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:N/A:N |
| BC-ABA-LI | 3165801 | [CVE-2022-29611] Missing Authorization check in SAP NetWeaver Application Server for ABAP and ABAP Platform | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
| PA-FIO-LEA | 3164677 | [CVE-2022-29613] Information Disclosure vulnerability in SAP Employee Self Service(Fiori My Leave Request) | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N |
