SAP Security Notes - November 2022 - Safe O'Clock

SAP Security Notes – November 2022

November 8, 2022

On the 8th of November 2022, SAP Security Patch Day saw the release of 9 new Patch Day Security Notes. Further, there were 2 updates to previously released Patch Day Security Notes.

Notes by severity

HotNews: 3
Correction with high priority: 3
Correction with medium priority: 5
Correction with low priority: 0

Highlights

The list of HotNews starts with Security Note 3243924, a fix for Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad). Its CVSS Score of 9.9 is significant. SAP Security specialists explain that the malicious content can be introduced by an authenticated attacker with only minimal privileges, which is what keeps the Severity Score below the maximum possible. However, the confidentiality, integrity, and availability of the system could be seriously jeopardized by this vulnerability. The possible workaround instructions could also be helpful in certain scenarios.

The second HotNews Security Note, 3249990 with a CVSS Score of 9.8, refers to Multiple Vulnerabilities in SQLite bundled with SAPUI5. The more serious one was fixed in SQLite versions 3.34.0 and higher. For users of SQLite, we recommend paying specific attention to this Note and updating SQLite to version 3.34.0 or higher, which will mitigate the first vulnerability in the bundle. An attacker with restricted access might take advantage of the fact that SQLite treated NULL characters as tokens. The confidentiality, integrity, and availability of all SAPUI5-based applications could have been significantly impacted by this vulnerability.

Rated with high priority and a CVSS Score of 8.7, Security Note 3256571, Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform, could potentially affect a large number of users and requires close attention. It concerns the remote-enabled function modules of function group EPSF. Because of insufficient input validation, two of these function modules could be called remotely with specially crafted parameters that would allow them to read or affect files. The patch delivered with the Security Note adds a check for relative path information.

Users of SAP Commerce may be interested in the update to Security Note 3239152 with a CVSS Score of 9.6. It is dedicated to Account hijacking through URL Redirection vulnerability in SAP Commerce login form and was originally released during October's Patch Day. The updates to this note are trivial, so you can continue to follow the original recommendations of the published Security Note.

The next listed vulnerability affects files in the AutoCAD format: Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer, with a CVSS Score of 7.0. Security Note 3263436 patches this vulnerability, so applying the Note will fix the issue.

Finally, Security Note 3226411, tagged with a CVSS Score of 8.1, covers the Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) and provides a newly added secure solution for the Benefit Claims module. The Note's solutions are dedicated to the targeted product versions 8.1.2 or higher.

Summary

| SAP Component | Number | Description | Priority | CVSS | CVSS Vector |
|---|---|---|---|---|---|
| BI-RA-WBI-FE | 3243924 | [CVE-2022-41203] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) | HotNews | 9.9 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H |
| CA-UI5-VTK-VIT | 3249990 | [CVE-2021-20223] Multiple Vulnerabilities in SQlite bundled with SAPUI5 | HotNews | 9.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H |
| CEC-COM-CPS | 3239152 | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | HotNews | 9.6 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H |
| BC-CTS-TMS | 3256571 | [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform | high | 8.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:N/I:H/A:H |
| LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| CA-VE-VEA | 3263436 | [CVE-2022-41211] Arbitrary Code Execution vulnerability in SAP 3D Visual Enterprise Author and SAP 3D Visual Enterprise Viewer | high | 7.0 | CVSS:3.0/AV:L/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H |
| BC-SYB-SQA | 3229987 | [CVE-2022-41259] Denial of service (DOS) in SAP SQL Anywhere | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H |
| EPM-BFC-TCL-ADM-SEC | 3260708 | [CVE-2022-41258] Multiple Cross-Site Scripting (XSS) vulnerabilities in SAP Financial Consolidation | medium | 6.5 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:L |
| FIN-FSCM-BD | 3238042 | [CVE-2022-41207] URL Redirection vulnerability in SAP Biller Direct | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BC-FES-GUI | 3237251 | [CVE-2022-41205] Code injection vulnerability in SAP GUI for Windows | medium | 5.5 | CVSS:3.0/AV:L/AC:H/PR:L/UI:R/S:U/C:L/I:L/A:H |
| BC-MID-ICF | 3251202 | [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |