On the 8th of November 2022, SAP Security Patch Day saw the release of 9 new Patch Day Security Notes. Further, there were 2 updates to previously released Patch Day Security Notes.
Notes by severity
| HotNews | 3 |
| Correction with high priority | 3 |
| Correction with medium priority | 5 |
| Correction with low priority | 0 |
Highlights
The list of HotNews starts with a fix for the SAP Business Objects Intelligence Platform dedicated to Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform for Central Management Console and BI Launchpad number 3243924. The CVSS Score of 9.9 is significant. SAP Security specialists explain that malicious content can be implemented with only minimal privileges by an authenticated attacker, which fact reduces the Severity Score from the maximum possible. However, the confidentiality, integrity, and availability of the system could be seriously jeopardized by the vulnerability presented. Possible workaround instructions could also be helpful in certain scenarios.
The second highlighted with HotNews Security Note 3249990 with a CVSS Score of 9.8 refers to Multiple Vulnerabilities in SQlite bundled with SAPUI5. The more serious one was fixed in SQLite versions 3.34.0 and higher. For the users of SQLite, we recommend paying specific attention to this Note and updating SQLite to version 3.34.0 or higher, which will mitigate the first vulnerability in the bundle. An attacker with restricted access might take advantage of the fact that SQLite regarded NULL characters as tokens. All SAPUI5-based applications’ confidentiality, integrity, and availability could have been significantly impacted by this vulnerability.
Rated with high priority and CVSS Score of 8.7, the Security Note 3256571 Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform potentially could affect a large number of users and requires close attention. It indicates the vulnerability of the function group EPSF’s remote-enabled function modules. The two function modules may be called remotely with specially crafted parameters that would allow them to read or affect files because of insufficient input validation. However, a check for relative path information has been added to the patch of the Security Note.
Users of SAP Commerce could become interested in the update of the next Security Note 3239152 with a CVSS Score of 9.6. It was dedicated to Account hijacking through URL Redirection vulnerability in SAP Commerce login form, which was released during October’s Patch Day. However, the updates to this note are trivial and exclude one another, so you can follow the original recommendations of the Security Note published.
The files of the AutoCAD format are affected by the next listed vulnerability: Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer with a CVSS Score of 7.0. Security Note numbered 3263436 patches an Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, so the appliance of the Note described will fix that issue.
And, for the last, Security Note 3226411 tagged with a CVSS Score of 8.1 which covers the Privilege escalation vulnerability in SAP Success Factors attachment API for Mobile Application (Android &iOS) provides a newly added secure solution for the Benefit Claims module. Note solutions are dedicated to the targeted product versions of 8.1.2 or higher.
Summary
| SAP Component | Number | Title | CVSS Score | Priority | CVSS Vector |
| BI-RA-WBI-FE | 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | 9.9 | HotNews | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CA-UI5-VTK-VIT | 3249990 | [CVE-2021-20223] Multiple Vulnerabilities in SQlite bundled with SAPUI5 | 9.8 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS | 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | 9.6 | HotNews | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| BC-CTS-TMS | 3256571 | [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform | 8.7 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) | 8.1 | Correction with high priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CA-VE-VEA | 3263436 | [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer | 7.0 | Correction with high priority | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| BC-SYB-SQA | 3229987 | [CVE-2022-41259] Denial of service (DOS) in SAP SQL Anywhere | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| EPM-BFC-TCL-ADM-SEC | 3260708 | [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | 6.5 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| FIN-FSCM-BD | 3238042 | [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct | 6.1 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-FES-GUI | 3237251 | [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows | 5.5 | Correction with medium priority | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H |
| BC-MID-ICF | 3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | 4.7 | Correction with medium priority | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
