SAP Security Notes - September 2022 - Safe O'Clock

SAP Security Notes – September 2022

September 13, 2022

On its September Patch Day, SAP published 8 new Security Notes and updated 8 previously released Security Notes.

Notes by severity

HotNews — 1

Correction with high priority — 6

Correction with medium priority — 9

Correction with low priority — 0

Highlights

The single HotNews note, with CVSS score 10, is another update of note 2622660 “Security updates for the browser control Google Chromium delivered with SAP Business Client”.

The most critical of the new notes for SAP Business One is 3223392. With CVSS score 7.8, it closes a Windows Unquoted Service Path vulnerability, which an attacker could exploit to gain SYSTEM privileges and affect Confidentiality, Integrity and Availability.
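An unquoted service path is vulnerable when the path to the service executable contains spaces and is not wrapped in quotes, because the Service Control Manager then tries shorter candidate paths before the intended one. The following audit helper, added here as an example and not taken from the page or from SAP, shows the check a defender would run over the ImagePath values of installed services; the service names and paths in SAMPLE_IMAGE_PATHS are constructed. On a real host the values come from the registry key HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath, and the fix is to quote the path (and to make sure none of the listed prefix locations is writable by unprivileged users).

```python
# Constructed sample of Windows service ImagePath values. These are made-up
# services and paths, not taken from the page or from any SAP installation.
SAMPLE_IMAGE_PATHS = {
    "ExampleSvcA": r"C:\Program Files\Example Vendor\Example App\svc.exe",
    "ExampleSvcB": r"C:\Program Files\Example Vendor\Example App\svc.exe -service",
    "ExampleSvcC": r'"C:\Program Files\Example Vendor\Example App\svc.exe" -service',
    "ExampleSvcD": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "ExampleSvcE": r"C:\Tools\svc.exe --verbose",
}


def ambiguous_prefixes(image_path: str) -> list[str]:
    """Return the executable paths the Service Control Manager may try before
    the intended binary when an unquoted ImagePath contains spaces.

    An empty list means the path is safe: it is quoted, or the executable
    portion contains no spaces. Each returned location should be checked for
    write access by unprivileged users.
    """
    path = image_path.strip()
    if path.startswith('"'):
        return []  # quoted path: the executable boundary is explicit
    tokens = path.split(" ")
    # The executable ends at the first token ending in ".exe" (case-insensitive);
    # anything after it is the argument list.
    exe_index = next(
        (i for i, tok in enumerate(tokens) if tok.lower().endswith(".exe")),
        None,
    )
    if exe_index is None or exe_index == 0:
        return []  # no spaces inside the executable portion
    # Windows tries "C:\Program.exe", then "C:\Program Files\Example.exe", ...
    return [" ".join(tokens[: i + 1]) + ".exe" for i in range(exe_index)]


def audit_services(image_paths: dict[str, str]) -> dict[str, list[str]]:
    """Map each service whose ImagePath is unquoted and contains spaces to the
    list of prefix locations that must not be writable by unprivileged users."""
    findings = {}
    for name, image_path in image_paths.items():
        prefixes = ambiguous_prefixes(image_path)
        if prefixes:
            findings[name] = prefixes
    return findings


if __name__ == "__main__":
    for name, prefixes in audit_services(SAMPLE_IMAGE_PATHS).items():
        print(f"{name}: unquoted ImagePath with spaces; quote it. Locations tried first:")
        for prefix in prefixes:
            print(f"    {prefix}")
```

Only ExampleSvcA and ExampleSvcB are reported: ExampleSvcC is quoted, and ExampleSvcD and ExampleSvcE have no spaces before the executable name, so their arguments are harmless.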

New Information Disclosure vulnerabilities were closed for SAP BusinessObjects with note 3217303 (CVSS score 7.7) and note 2998510 (CVSS score 7.8). Using these vulnerabilities, an attacker could read unencrypted sensitive information.

Note 3237075 with CVSS score 7.1 closed a vulnerability in SAP GRC Emergency Access Management. The vulnerability allows an authenticated attacker to gain access to a Firefighter session even after the session has been closed in the Firefighter Logon Pad.

Note 3226411 (CVSS score 8.1) for SAP SuccessFactors has been updated: attachments in the SF Mobile app are now covered. For more information and to track the fix, please refer to the note.

For note 3102769, which describes the XSS vulnerability in SAP Knowledge Warehouse, the workaround information has been moved to a separate note, 3221696. If you have already implemented the note or applied the workaround, you can ignore this update.

Summary

SAP Component | Number | Description | Priority | CVSS Score | CVSS Vector
--- | --- | --- | --- | --- | ---
BC-FES-BUS-DSK | 2622660 | Security updates for the browser control Google Chromium delivered with SAP Business Client | HotNews | 10 | CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
KM-KW-HTA | 3102769 | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | high | 8.8 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:L/A:L
LOD-SF-EC | 3226411 | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | high | 8.1 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SBO-CRO-SEC | 3223392 | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-INS | 2998510 | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | high | 7.8 | CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
BI-BIP-SRV | 3217303 | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | high | 7.7 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
GRC-SAC-EAM | 3237075 | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | high | 7.1 | CVSS:3.0/AV:A/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H
BC-CCM-MON-OS | 3159736 | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | medium | 6.7 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:H/A:H
QM-QN | 2634023 | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | medium | 6.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
EP-KM-FWK-CF | 3219164 | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-FES-WGU | 3229820 | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | medium | 6.1 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
BC-FES-WGU | 3218177 | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | medium | 5.4 | CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:L/I:L/A:N
BC-MID-RFC | 3150454 | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | medium | 4.9 | CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
BC-MID-ICF | 3198137 | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | medium | 4.7 | CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:N/A:N
CA-WUI-UI-TAG | 3126968 | Information Disclosure vulnerability in SAP CRM WebClient | medium | 4.3 | CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N