SAP’s security patch day for January 2022 has seen the release of 10 new OSS SAP security notes and 5 updates to existing notes. 1 note has been classified as low, 5 notes have been classified as medium, 2 as high, and 7 as critical, based on their CVSS v3.0 rating.
3 notes have been released for SAP Business One and 2 for SAP NetWeaver AS ABAP. Single notes have been released for SAP Enable Now Manager, SAP Enterprise Continuous Testing, SAP NetWeaver Process Integration, SAP Cloud-to-Cloud Interoperability, enabling ingestion and persistence of time series data in Azure, SAP Digital Manufacturing Cloud, SAP S/4HANA, SAP GRC Access Control and SAP Edge Services On Premise Edition.
Vulnerabilities: January 2022 Highlights
[CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform (SAP Note 3112710)
An attacker authenticated as a regular user can use the S/4HANA dashboard to reveal systems and services which they would not normally be allowed to see. No information alteration or denial of service is possible.
[CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection (SAP Note 3124597)
SAP Enterprise Threat Detection (ETD) does not sufficiently encode user-controlled inputs, which may lead to an unauthorized attacker possibly exploiting an XSS vulnerability.
[CVE-2021-44234] Information Disclosure vulnerability in SAP Business One (SAP Note 3106528)
SAP Business One extended log stores information that can be of a sensitive nature and give valuable guidance to an attacker or expose sensitive user information.
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.