SAP Security Notes - September 2022 - Safe O'Clock

SAP Security Notes – September 2022

September 13, 2022

On its September Patch Day, SAP published 8 new Security Notes and updated 8 previously released ones.

Notes by severity

HotNews — 1

Correction with high priority — 6

Correction with medium priority — 9

Correction with low priority — 0

Highlights

The main note, with HotNews priority and CVSS score 10.0, is another update of note 2622660 "Security updates for the browser control Google Chromium delivered with SAP Business Client".

The most critical of the new notes is 3223392 (CVSS score 7.8) for SAP Business One. It closes a Windows Unquoted Service Path vulnerability: when a service's executable path contains spaces and is not enclosed in quotes, Windows may run a differently named file found earlier along that path. An attacker with local, low-privileged access who can write to one of those directories could therefore execute code as SYSTEM and affect confidentiality, integrity and availability.
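The check a practitioner would run for this vulnerability class, as an added example that is not part of the original page and not SAP's code: for each service's ImagePath, enumerate the file names Windows' CreateProcess would try before reaching the intended binary, then list the directories whose write ACLs decide exploitability. The service names, paths and CSV export are constructed sample data; the set of extensions treated as "the real executable" is an assumption of this script.

```python
"""Find Windows services exposed to unquoted-service-path hijacking.

Added example (not SAP's code): given each service's ImagePath, work out which
file names CreateProcess would try *before* reaching the intended binary. If a
low-privileged user can write to any of those directories, dropping a file with
that name runs as the service account (typically SYSTEM).

Service names, paths and the CSV export below are constructed sample data.
"""
import csv
import io
import ntpath

# Extensions this script treats as a complete executable token (assumption;
# .exe is by far the common case for services).
EXEC_EXTS = {".exe", ".com", ".bat", ".cmd"}


def hijack_candidates(image_path: str) -> list[str]:
    """Return the file names CreateProcess would try before the real binary.

    CreateProcess splits an unquoted command line at every space and tries
    each prefix in turn, appending ".exe" when the prefix has no extension.
    A quoted path, or a path without spaces, is unambiguous and yields [].
    """
    path = image_path.strip()
    if not path or path.startswith('"'):
        return []
    candidates: list[str] = []
    for i, ch in enumerate(path):
        if ch != " ":
            continue
        prefix = path[:i]
        ext = ntpath.splitext(prefix)[1].lower()
        if ext in EXEC_EXTS:
            # Reached the intended binary: everything after this is arguments.
            return candidates
        candidates.append(prefix if ext else prefix + ".exe")
    # No recognised executable token before the end: the whole string is the
    # binary, so every prefix collected so far is a hijack candidate.
    return candidates


def directories_to_audit(candidates: list[str]) -> set[str]:
    """Directories whose ACLs decide exploitability (check them with icacls)."""
    return {ntpath.dirname(c) for c in candidates}


def scan_services(export_text: str) -> dict[str, list[str]]:
    """Parse a Name,PathName CSV (e.g. from
    Get-CimInstance Win32_Service | Select-Object Name,PathName |
        Export-Csv services.csv -NoTypeInformation)
    and return {service_name: candidates} for the vulnerable entries."""
    findings = {}
    for row in csv.DictReader(io.StringIO(export_text)):
        cands = hijack_candidates(row["PathName"])
        if cands:
            findings[row["Name"]] = cands
    return findings


# Constructed sample export: one unquoted path with spaces, one quoted path,
# and one unquoted path whose executable comes before the first space.
SAMPLE_EXPORT = r'''"Name","PathName"
"ExampleSvc","C:\Program Files\Example Vendor\Example Service\svc.exe -run"
"QuotedSvc","""C:\Program Files\Example Vendor\Other Service\other.exe"" -run"
"wuauserv","C:\Windows\system32\svchost.exe -k netsvcs -p"
'''

if __name__ == "__main__":
    for name, cands in scan_services(SAMPLE_EXPORT).items():
        print(f"{name}: unquoted path with spaces")
        for c in cands:
            print(f"  would run first if present: {c}")
        print("  audit write access on:",
              ", ".join(sorted(directories_to_audit(cands))))
```

The script only identifies candidates; whether they are exploitable depends on the ACLs of the listed directories on the live host (for example `icacls "C:\Program Files\Example Vendor"`), and on default Windows installations the root and Program Files directories are not writable by standard users. The fix is the one SAP applies in the note: quote the ImagePath so that the executable token is unambiguous.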

Two Information Disclosure vulnerabilities in SAP BusinessObjects Business Intelligence Platform were addressed: the new note 3217303 (CMC, CVSS score 7.7, exploitable over the network by a low-privileged user) and the updated note 2998510 (Central Management Server, CVSS score 7.8, requiring local access). In both cases an attacker could read unencrypted sensitive information.

Note 3237075 (CVSS score 7.1) closes a vulnerability in SAP GRC Access Control Emergency Access Management. An authenticated attacker on the adjacent network can retain access to a Firefighter session even after it has been closed in the Firefighter Logon Pad, because the session is not expired properly.

Note 3226411 (CVSS score 8.1) for SAP SuccessFactors has been updated; the update concerns attachments handled by the SuccessFactors Mobile app (Android and iOS). Refer to the note for details and to track the status of the fix.

For note 3102769, which describes the XSS vulnerability in SAP Knowledge Warehouse, the workaround information has been moved to the separate note 3221696. If you have already implemented the note or applied the workaround, you can ignore this update.

Summary

| SAP Component | Note | Title | Priority | CVSS Score | CVSS Vector |
|---|---|---|---|---|---|
| SBO-CRO-SEC | 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | Correction with high priority | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| EP-KM-FWK-CF | 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | Correction with high priority | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N |
| BC-CCM-MON-OS | 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | Correction with medium priority | 6.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H |
| BC-MID-ICF | 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | Correction with medium priority | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N |
| CA-WUI-UI-TAG | 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | Correction with medium priority | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N |
| BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence (update) | Correction with high priority | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H |
| GRC-SAC-EAM | 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | Correction with high priority | 7.1 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H |
| BC-FES-WGU | 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | Correction with medium priority | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N |
| LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | Correction with high priority | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N |
| QM-QN | 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | Correction with medium priority | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L |
| BC-FES-WGU | 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | Correction with medium priority | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N |
| BC-MID-RFC | 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Correction with medium priority | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N |
| BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10.0 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H |
| KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | Correction with high priority | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L |
