SAP Security Notes - September 2022 - Safe O'Clock
Book a Demo Partner with us
Book a Demo Partner with us
Back To Resources

SAP Security Notes – September 2022

September 13, 2022

In September, SAP published 8 new Security Notes on its September Patch Day. 8 previously released Security Notes were updated.

Notes by severity

HotNews — 1

Correction with high priority — 6

Correction with medium priority — 9

Correction with low priority — 0

Highlights

Main note with CVSS Score 10 priority is another update of note 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client”.

The most critical of the new notes for SAP Business One is 3223392. This note with CVSS score 7.8 closes the Unquoted Service Path vulnerability, exploiting which an attacker could gain SYSTEM privileges and affect Confidentiality, Integrity and Availability.

New Information Disclosure vulnerabilities were closed for SAP BusinessObjects with 2998510 Note CVSS score 7.7 and 2998510 Note CVSS score 7.8. Using these vulnerabilities, an attacker could read unencrypted sensitive information.

Note 3237075 with CVSS Score 7.1 closed a vulnerability in SAP GRC in Emergency Access Management. The vulnerability allows an authenticated attacker to gain access to a Firefighter session even after the session is closed in the Firefighter Logon Pad.

Note 3226411 has been updated for SAP SuccessFactors users with CVSS Score 8.1. Attachments have been included for the SF Mobile app. For more information and the ability to track the functionality, please refer to the note.

For note 3102769 describing the XSS vulnerability in the SAP Knowledge Warehouse, the workaround information has been moved to a separate note 3221696. If you have already implemented the note or have used information from the workaround, you could ignore this note.

Summary

SAP Component Number Description Priority CVSS CVSS Vector
BC-FES-BUS-DSK 2622660 Security updates for the browser control Google Chromium delivered with SAP Business Client HotNews 10 CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
KM-KW-HTA 3102769 [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse high 8.8 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
LOD-SF-EC 3226411 [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS) high 8.1 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SBO-CRO-SEC 3223392 [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One high 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-INS 2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update high 7.8 CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-SRV 3217303 [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) high 7.7 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GRC-SAC-EAM 3237075 [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management high 7.1 CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
BC-CCM-MON-OS 3159736 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix medium 6.7 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
QM-QN 2634023 Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN medium 6.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EP-KM-FWK-CF 3219164 [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-FES-WGU 3229820 [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) medium 6.1 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-FES-WGU 3218177 [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP medium 5.4 CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-MID-RFC 3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform medium 4.9 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
BC-MID-ICF 3198137 Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
BC-MID-ICF 3198137 Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform medium 4.7 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CA-WUI-UI-TAG 3126968 Information Disclosure vulnerability in SAP CRM WebClient medium 4.3 CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
#sapsecurity #sapvulnerabilities #sapresearch
You Might Be Interested In

The latest news in the
sphere of SAP security

SAP Security Notes – October 2023

On the 10th of October 2023, SAP Security Patch Day saw the release of 6 new Security Notes. There were […]

Read more
SAP Security Notes – September 2023

On the 12th of September 2023, SAP Security Patch Day saw the release of 13 new Security Notes. There were […]

Read more
SAP Security Notes – August 2023

On the 8th of August 2023, SAP Security Patch Day saw the release of 15 new Security Notes. There were […]

Read more
SAP News Overview for July 2023

SAP Advisory Group speaks AI ethics Last month, the regular meeting of the SAP Advisory Group on the Ethics of Artificial […]

Read more
See All Resources

Subscribe today to get more insights,
updates, and industry trends

Delivered to your inbox weekly.
No spam. We respect your privacy

    This website use cookies. Learn more
    OK