Skip links

SAP Security Patch Day – July 2022

Because the SAP threat landscape is always expanding, businesses of all sizes and sectors are in danger of cyberattacks. The following report offers information on the
most recent security flaws and threats.

Summary 

This month, the software provider released 23 SAP Security Notes; SAP BusinessObjects Business Intelligence Platform’s Information disclosure vulnerability is the most severe. It had a rating of 8.3.
At redrays.io, you can find more information about the vulnerabilities and existing measures to protect your SAP systems, and exploits for the most critical vulnerabilities are already available in the RedRays Security Platform’s database.

SAP Security Notes Overview

On the 12th of July 2022, SAP Security Patch Day released 20 new Security Notes. Further, there were 3 updates to previously released Patch Day Security Notes.
Four of the released SAP Security Notes are classified as High Priority. The vulnerabilities have a maximum CVSS score of 8.3.
This month’s two most frequent vulnerability categories are information disclosure and cross-site scripting vulnerabilities. Numerous vulnerabilities were discovered by our research and development team; two of them have been patched this month.

Two medium vulnerabilities discovered by RedRays researchers this month were patched.

The details of the SAP vulnerability discovered by RedRays researchers are listed below.

  • 3209557: A Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise PortalProduct-SAP NetWeaver Enterprise Portal (CVSS Base Score: 6.1), for Versions -7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. An update is available in SAP Security Note 3209557. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens, and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business-critical information. In some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.
  • 3208880: A Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise PortalProduct-SAP NetWeaver Enterprise Portal, Versions -7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50. An update is available in SAP Security Note 3208880. An attacker can use a Cross-site scripting vulnerability to inject a malicious script into a page. The malicious script can access all cookies, session tokens, and other critical information stored by a browser and used for interaction with a web application. An attacker can gain access to the user session and learn business-critical information. In some cases, it is possible to get control over this information. Also, XSS can be used for unauthorized modifying of displayed content.

More information about the most critical issues resolved by SAP Security Notes in July 2022 was discovered by other researchers.

The most serious security vulnerabilities in this version can be fixed by using the following SAP Security Notes:

  • 3221288 Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Central management console)Product-SAP BusinessObjects Business Intelligence Platform (Central management console),Versions 420, 430
  • 3212997 Information Disclosure vulnerability in SAP Business OneProduct-SAP Business One, Version 10.0
  • 3157613 Missing Authentication check in SAP Business One (License serviceAPI)Product-SAP Business One License serviceAPI, Version 10.0
  • 3191012 Code Injection vulnerability in SAP Business OneProduct-SAP Business One, Version 10.0
  • 3169239 Information Disclosure to user Administrator in SAP BusinessObjects Business Intelligence Platform 4.x Product-SAP BusinessObjects Business Intelligence Platform 4.x, Versions 420, 430

 

Installing all SAP Security Notes is what our team strongly advises to minimize the risk of being compromised.

Leave a comment