SAP Security Patch Day: October 2022

Highlights of October SAP Security Notes analysis include:

  • October Summary - 23 new and updated SAP security patches released, including two HotNews Notes and six High Priority Notes
  • Two HotNews Notes with CVSS score close to 10 - CVSS 9.9 vulnerability in SAP Manufacturing Execution and CVSS 9.6 issue in SAP Commerce
  • Large To-Do List for SAP BO Customers - SAP BusinessObjects is affected by eight new and updated SAP Security Notes, including three High Priority Notes

SAP has published 23 new and updated Security Notes on its October Patch Day (including the notes that were released or updated since the last Patch Tuesday). Two of them are HotNews Notes and six are High Priority Notes.

SAP Manufacturing Execution HotNews Note

SAP Security Note #3242933, tagged with a CVSS score of 9.9, patches a very critical Path Traversal vulnerability in SAP Manufacturing Execution. The vulnerability affects two plugins:

  • Work Instruction Viewer (WI500)
  • Visual Test and Repair (MODEL_VIEWER)

These are used for displaying all types of work instructions and models.


The URL used to request this content included a file path parameter that could be manipulated to traverse arbitrary directories on the remote server. Files in those directories could be read in the context of the OS user that runs the NetWeaver process or service. The patch is a code correction that resolves the path internally, so it can no longer be supplied dynamically as a request parameter. The CVSS score of 9.9 reflects that the impact on confidentiality, integrity, and availability can all be high, depending on what an attacker can reach (configuration files or stored credentials, for example). Note that with all three impacts rated high, a base score of 9.9 rather than 10.0 is only reachable in the CVSS v3.1 arithmetic when the attacker needs at least a low-privileged account, so the vulnerability is not open to anonymous users; it does, however, make every SAP ME account a path to the file system.

As a temporary workaround, SAP recommends removing any sensitive information from the file systems accessible to that OS user, and restricting the user's access to any file paths it does not need.

Since identifying all sensitive information is difficult, the workaround can only reduce the risk, and affected customers should apply the patch as soon as possible. Restricting access to sensitive information is good practice regardless of any specific vulnerability in the application.
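The bug class behind this note, a viewer that takes a file path straight from the request, and the shape of the fix described above, as an added Python example that is not SAP's code. The root directory, the `filePath` parameter name, the document table and the sample requests are all constructed for illustration; the note names none of them. The block also goes one step beyond the note with the detection-side check a SOC would run over web-server logs.

```python
"""Containing a file-path request parameter (added example, not SAP code).

ROOT, DOCUMENT_TABLE, the `filePath` parameter and SAMPLE_REQUESTS are
constructed for this example.
"""
import os
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed: where a viewer plugin keeps the files it is allowed to serve.
ROOT = "/srv/me/workinstructions"

# Constructed: the "handled internally" pattern the patch description implies.
# Clients send an opaque document id; the server owns the id -> path mapping.
DOCUMENT_TABLE = {
    "WI-1001": "instructions/assembly-step-1.html",
    "MODEL-7": "models/housing.3ds",
}


def vulnerable_resolve(root: str, requested: str) -> str:
    """Naive join: '../' segments in `requested` walk out of `root`."""
    return os.path.normpath(os.path.join(root, requested))


def hardened_resolve(root: str, requested: str) -> str:
    """Canonicalise and refuse anything that does not stay under `root`."""
    candidate = unquote(requested)            # catch double-encoded %2e%2e
    # Absolute paths and drive letters never make sense for a relative name.
    if candidate.startswith(("/", "\\")) or ":" in candidate:
        raise PermissionError("absolute paths and drive letters are rejected")
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(os.path.join(real_root, candidate))
    if os.path.commonpath([real_root, real_path]) != real_root:
        raise PermissionError(f"{requested!r} escapes {real_root}")
    return real_path


def is_contained(root: str, requested: str) -> bool:
    """Boolean view of hardened_resolve, for checks and tests."""
    try:
        hardened_resolve(root, requested)
    except PermissionError:
        return False
    return True


def resolve_by_id(doc_id: str) -> str:
    """Patched pattern: the path is never a request parameter at all."""
    relative = DOCUMENT_TABLE.get(doc_id)
    if relative is None:
        raise KeyError(f"unknown document id {doc_id!r}")
    return hardened_resolve(ROOT, relative)   # defence in depth


def traversal_in_query(url: str, param: str = "filePath") -> bool:
    """Detection side: does any value of `param` try to leave its directory?"""
    values = parse_qs(urlsplit(url).query).get(param, [])
    for value in values:
        decoded = unquote(unquote(value))        # parse_qs decoded once already
        normalised = decoded.replace("\\", "/")
        if normalised.startswith("/") or ".." in normalised.split("/"):
            return True
    return False


# Constructed requests against a hypothetical viewer endpoint.
SAMPLE_REQUESTS = [
    "/viewer?filePath=instructions/assembly-step-1.html",
    "/viewer?filePath=../../../../etc/passwd",
    "/viewer?filePath=%252e%252e%2f%252e%252e%2fetc%2fpasswd",
    "/viewer?filePath=..%5c..%5cwindows%5cwin.ini",
]


def flagged_requests(requests=SAMPLE_REQUESTS):
    """The sample requests that the detection check would raise an alert on."""
    return [r for r in requests if traversal_in_query(r)]


if __name__ == "__main__":
    for r in SAMPLE_REQUESTS:
        print("TRAVERSAL" if traversal_in_query(r) else "ok       ", r)
    print(resolve_by_id("WI-1001"))
```

The containment check canonicalises before comparing, so encoded dots, backslashes and symlinks are all resolved before the prefix test; the id-to-path table is the stronger fix because the client never names a path at all. The log check decodes more than once on purpose: a double-encoded `%252e%252e` passes many single-decode filters.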

SAP Commerce HotNews Note

The second HotNews Note is SAP Security Note #3239152, with a CVSS score of 9.6. It patches an Account Hijacking vulnerability in the SAP Commerce login page. The login page embeds several URLs that are called when the login form is submitted. These URLs were not properly sanitised and could be altered by manipulating the URL used to open the login form. An attacker could inject redirect information into them, causing the login page to send sensitive data such as login credentials to an arbitrary server on the Internet. No privileges are required to prepare an attack, but a user has to open the manipulated login form, typically by clicking a link that the attacker distributes to legitimate SAP Commerce users through phishing.

SAP provides two workaround options. The first is to disable the affected OAuth extension. This sounds like an easy fix, but the note warns that many other SAP Commerce extensions, as well as integrations with other systems, may depend on that extension.

The second is to filter malicious HTTP requests through Website Redirect directives. The note lists two directives that make SAP Commerce refuse manipulated requests and respond with HTTP status code 404 instead.


Since there is no guarantee that the directives cover every possible case, applying the patch is strongly recommended. The patch fixes the vulnerability by sanitising URL paths and by HTML-encoding the URLs written into the affected OAuth login page.
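The two things the fix does, validating where the login form will send the user and HTML-encoding what is written into the page, beside the vulnerable pattern, as an added Python example that is not SAP Commerce code. The storefront host, the `redirect_uri` parameter name and the sample links are assumptions made for illustration; the note names no parameter.

```python
"""Login-page redirect handling (added example, not SAP Commerce code).

APP_HOST, PARAM and SAMPLE_LINKS are constructed for this example.
"""
from html import escape
from urllib.parse import parse_qs, urlsplit, urlunsplit

APP_HOST = "shop.example"           # constructed: the storefront's own host
DEFAULT_AFTER_LOGIN = "/my-account"
PARAM = "redirect_uri"              # constructed parameter name


def _requested_target(request_url: str) -> str:
    """The value a client put in ?redirect_uri=... when opening the form."""
    return parse_qs(urlsplit(request_url).query).get(PARAM, [""])[0]


def vulnerable_login_action(request_url: str) -> str:
    """Echoes the request-controlled target straight into the form markup.

    Two things go wrong: the target may point off-site, so the post-login
    flow carries the session to the attacker, and it is written without
    encoding, so a quote in it breaks out of the attribute.
    """
    target = _requested_target(request_url) or DEFAULT_AFTER_LOGIN
    return f'<form method="post" action="/login?{PARAM}={target}">'


def safe_local_target(candidate: str) -> str:
    """Accept only a same-site path; anything else falls back to the default.

    Rejected: absolute URLs, scheme-relative '//host', the backslash variant
    '/\\host' (browsers normalise it to '//host'), and anything carrying a
    scheme such as 'javascript:' or 'data:'.
    """
    if not candidate or not candidate.startswith("/"):
        return DEFAULT_AFTER_LOGIN
    if candidate.startswith(("//", "/\\")):
        return DEFAULT_AFTER_LOGIN
    parts = urlsplit(candidate)
    if parts.scheme or parts.netloc:
        return DEFAULT_AFTER_LOGIN
    # Rebuild from path and query only, dropping fragment and authority.
    return urlunsplit(("", "", parts.path, parts.query, ""))


def hardened_login_action(request_url: str) -> str:
    """Validated target, HTML-encoded on output: the two fixes the note names."""
    target = safe_local_target(_requested_target(request_url))
    return f'<form method="post" action="/login?{PARAM}={escape(target, quote=True)}">'


# Constructed phishing-style links a user might be sent.
SAMPLE_LINKS = [
    f"https://{APP_HOST}/login?{PARAM}=/cart?step=2",
    f"https://{APP_HOST}/login?{PARAM}=https://evil.example/collect",
    f"https://{APP_HOST}/login?{PARAM}=//evil.example/collect",
    f"https://{APP_HOST}/login?{PARAM}=/%5Cevil.example/collect",
    f"https://{APP_HOST}/login?{PARAM}=/cart%22%3E%3Cscript%3E",
]


def rejected_links(links=SAMPLE_LINKS):
    """Links whose requested target the hardened form would not honour."""
    return [u for u in links
            if safe_local_target(_requested_target(u)) != _requested_target(u)]


if __name__ == "__main__":
    for link in SAMPLE_LINKS:
        print(vulnerable_login_action(link))
        print(hardened_login_action(link))
```

The last sample link is not rejected by the target check, because a quote and angle brackets are legal in a path; it is the output encoding that stops it from breaking out of the attribute. Both halves are needed, which is why the note's fix does both.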

SAP BusinessObjects Vulnerabilities

SAP Business Objects (BO) is affected by eight new and updated SAP Security Notes, including three High Priority Notes.

The eight notes patch five Information Disclosure vulnerabilities and three Cross-Site Scripting vulnerabilities.

An analysis of the required support package patch levels shows that the following patch levels fix seven of these vulnerabilities:

  • SBOP BI PLATFORM SERVERS 4.2
    • SP009, PL001000
  • SBOP BI PLATFORM SERVERS 4.3
    • SP002, PL000700
    • SP003, PL000000

SAP Security Note #3167342 affects the SAP Data Services software component (EIM-DS-SVR) and is therefore not covered by the patch levels above.

The three High Priority Notes for SAP BO patch Information Disclosure vulnerabilities.


SAP Security Note #3229132, with a CVSS score of 8.2, patches an Information Disclosure vulnerability that allows an authenticated attacker to obtain credential information of other users. Depending on whether the attacker is an administrator or a normal user, the credentials are exposed in plain text or in encrypted form; the encrypted form is returned as part of the result of a query against the CMS database.

The second High Priority Information Disclosure vulnerability is patched by SAP Security Note #3239293, with a CVSS score of 7.7. The note gives few details about the vulnerability, which affects the BOE Admin Tools / BOE SDK component, but unlike note #3229132, SAP sees no impact on integrity and availability.

SAP Security Note #3213507 was initially released on SAP's August Patch Day and updated at the end of September. As described in our August blog post, the CVSS rating contained some inconsistencies. Based on our notification, SAP has now revised the rating completely: the former Medium Priority Note with a CVSS score of 5.2 has become a High Priority Note with a CVSS score of 8.2.

Other High Priority Notes

In addition to the three High Priority Notes for SAP BO, there are two for SAP 3D Visual Enterprise and one for SAP SQL Anywhere/SAP IQ.

SAP Security Notes #3245928 and #3245929, both with a CVSS score of 7.0, patch very similar vulnerabilities in SAP 3D Visual Enterprise Viewer and SAP 3D Visual Enterprise Author. Improper memory management is triggered when a victim opens a manipulated file received from an untrusted source in Viewer or Author. Depending on how the file was manipulated, this can lead to arbitrary code execution or a denial of service. The two notes differ slightly in the affected file formats: the Viewer vulnerability (#3245928) affects fewer formats than the Author vulnerability (#3245929).


The solution section of both notes lists the fixed file formats, which suggests that fixes for some formats are still pending. Comparing that list with the list of previously affected formats, however, no file format appears to remain unpatched.

High Priority Note #3232021, with a CVSS score of 8.1, patches a Buffer Overflow vulnerability in the SAP SQL Anywhere and SAP IQ database servers. An unauthenticated remote attacker could trigger a stack-based buffer overflow while the server is running with a debugging option enabled. A successful exploit could lead to unauthorised reading and modification of data and could also impact the system's availability. Until the patch is applied, checking that production database servers are not started with debugging options enabled reduces the exposure, since the precondition is under the operator's control.

Summary and Conclusion

With 23 new and updated Security Notes, including two HotNews Notes and six High Priority Notes, this Patch Day brings more to-dos for SAP customers than the previous ones. It is important to get a complete overview of all patched vulnerabilities before starting to implement individual patches. The SAP BusinessObjects vulnerabilities show that a single support package patch level can close seven issues at once.

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 2495712 | New | Missing authorization check in SAP Automotive Solutions | IS-A | Medium | 6.5 |
| 3239293 | New | [CVE-2022-39015] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (AdminTools/Query Builder) | BI-BIP-ADM | High | 7.7 |
| 3229425 | New | [CVE-2022-41206] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence platform / Analysis for OLAP | BI-RA-AWB | Medium | 5.4 |
| 3229132 | New | [CVE-2022-39013] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Program Objects) | BI-BIP-ADM | High | 8.2 |
| 3211161 | New | [CVE-2022-39800] Cross-Site Scripting (XSS) vulnerability in SAP BusinessObjects Business Intelligence Platform (BI LaunchPad) | BI-BIP-INV | Medium | 6.1 |
| 3248970 | New | [CVE-2022-41209] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Medium | 4.9 |
| 3248384 | New | [CVE-2022-41210] Information Disclosure Vulnerability in SAP Customer Data Cloud (Gigya) | CEC-PRO-GIY | Medium | 4.9 |
| 3245929 | New | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Author | CA-VE-VEA | High | 7.0 |
| 3245928 | New | [Multiple CVEs] Multiple vulnerabilities in SAP 3D Visual Enterprise Viewer | CA-VE-VEV | High | 7.0 |
| 3242933 | New | [CVE-2022-39802] File path traversal vulnerability in SAP Manufacturing Execution | MFG-ME | HotNews | 9.9 |
| 3202523 | New | Cross-Site Scripting (XSS) vulnerability in SAP Commerce | CEC-COM-CPS | Medium | 6.1 |
| 3049899 | New | [CVE-2022-35297] Stored Cross-Site Scripting (XSS) vulnerability in SAP Enable Now | KM-SEN-MGR | Medium | 6.5 |
| 3167342 | New | [CVE-2022-35226] Cross-Site Scripting (XSS) vulnerability in Data Services Management Console | EIM-DS-SVR | Medium | 4.8 |
| 3239152 | New | [CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form | CEC-COM-CPS | HotNews | 9.6 |
| 3234755 | New | Information Disclosure vulnerability in Master Data Governance | CA-MDG-APP-CUS | Medium | 4.3 |
| 3233226 | New | [CVE-2022-35296] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Version Management System) | BI-BIP-LCM | Medium | 6.8 |
| 3232021 | New | [CVE-2022-35299] Buffer Overflow in SAP SQL Anywhere and SAP IQ | BC-SYB-SQA | High | 8.1 |
| 3150454 | Update | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-RFC | Medium | 4.9 |
| 2726124 | Update | Missing Authorization Check in multiple components under SAP Automotive Solutions | IS-A | Medium | 6.3 |
| 2460948 | Update | Missing Authorization Check in Vehicle Management System | IS-A-VMS | Medium | 5.3 |
| 2634023 | Update | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | QM-QN | Medium | 6.3 |
| 3213524 | Update | [CVE-2022-32244] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Commentary DB) | BI-BIP-CMC | Medium | 6.0 |
| 3213507 | Update | [CVE-2022-31596] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Monitoring DB) | BI-BIP-ADM | High | 8.2 |


FAQs

What is SAP Security Patch Day? ›

SAP Security Patch Day is the second Tuesday of every month, on which SAP publishes its monthly set of Security Notes (it coincides with Microsoft's Patch Tuesday). In terms of security updates, this means establishing an effective process for emergency fixes, but also knowing when such an update has been released. In addition, other measures that limit the impact of a missing fix are recommended.
How to check SAP security Notes? ›

Access SAP Security Notes in the Launchpad, then select All Security Notes, to get the complete list of all SAP Security Notes. We recommend that you implement these corrections at a priority. Several tools are available to help identify, select and implement these corrections.

What is SAP HotNews? ›

SAP HotNews (also called SAP HotNews Notes) are priority 1 (very high) SAP Notes which help to resolve and to prevent issues in SAP systems. They often contain security related content such as, documented security vulnerabilities in SAP products, and the procedure for fixing them.


Article information

Author: Foster Heidenreich CPA

Last Updated: 12/18/2022

