SAP’s security patch day for May 2022 has seen the release of 10 new OSS SAP security notes and 4 updates to existing notes. 2 notes have been classified as low, 11 notes have been classified as medium, 3 as high and 4 as critical, based on the CVSS v3.0 rating.
5 notes have been released for SAP NetWeaver AS ABAP. 2 notes have been released for SAP Host Agent and SAP BusinessObjects. Single notes have been released for SAP Business One, SAP Commerce, SAP Customer Profitability Analytics, SAP Employee Self Service and a central note for Spring4Shell vulnerabilities.
Vulnerabilities: May 2022 Highlights
[CVE-2022-22965] Central Security Note for Remote Code Execution vulnerability associated with Spring Framework (SAP Note 3170990)
SAP continues to respond to the latest zero-day vulnerability in Spring. Spring is a highly popular framework used by around 60% of Java developers. This vulnerability, known as Spring4Shell, allows an attacker to abuse Spring's ability to map user requests to Java objects, leading to Remote Code Execution. This central note covers all SAP products affected by Spring4Shell.
[CVE-2022-27656] Cross-Site Scripting (XSS) vulnerability in administration UI of SAP Web Dispatcher and SAP NetWeaver AS for ABAP and Java (ICM) (SAP Note 3145046)
The web administration UI of SAP Web Dispatcher and the Internet Communication Manager (ICM) does not sufficiently encode user input, leading to a Cross-Site Scripting vulnerability. This could allow an attacker to deploy a script or programme on the server, leading to a compromise of confidentiality, integrity, and availability.
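The root cause described above is untrusted input reaching an HTML page without encoding. The following added example (written for this review, not code from SAP or from the affected products) shows the vulnerable concatenation pattern beside the encoded form, plus a small check a reviewer can run against any rendering function to confirm that input cannot add markup to the page. The sample input and the template fragments are constructed for illustration.

```python
import html
import re

# Constructed attacker-style input for a text field on an administration form.
# It is an illustration only, not taken from any real SAP product or advisory.
CONSTRUCTED_INPUT = '<img src=x onerror="alert(document.cookie)">'


def render_row_unencoded(value: str) -> str:
    """Vulnerable pattern: untrusted text concatenated straight into the HTML body."""
    return "<tr><td>" + value + "</td></tr>"


def render_row_encoded(value: str) -> str:
    """Hardened: HTML-encode the untrusted text before it enters the HTML body.
    html.escape(quote=True) encodes < > & " and ', which covers the body context."""
    return "<tr><td>" + html.escape(value, quote=True) + "</td></tr>"


def render_attr_encoded(value: str) -> str:
    """Attribute context: encode the value AND keep the attribute quoted, so that
    an unquoted-attribute breakout is not possible either."""
    return '<input type="text" name="name" value="' + html.escape(value, quote=True) + '">'


# Start of an HTML tag: "<", optional "/", then a letter. Matches <td>, </tr>, <img ...
_TAG_START = re.compile(r"<\s*/?\s*[A-Za-z]")


def injects_markup(untrusted: str, render) -> bool:
    """Review check: does rendering `untrusted` produce more tag starts than rendering
    an empty value through the same function? Comparing against the empty rendering
    means the template's own tags are not mistaken for injected ones."""
    baseline = len(_TAG_START.findall(render("")))
    with_input = len(_TAG_START.findall(render(untrusted)))
    return with_input > baseline


if __name__ == "__main__":
    for fn in (render_row_unencoded, render_row_encoded, render_attr_encoded):
        print(f"{fn.__name__:22s} injects markup: {injects_markup(CONSTRUCTED_INPUT, fn)}")
```

The check is deliberately simple: it only counts tag starts, so it catches the body-context case the note describes. Encoding must still match the output context (HTML body, quoted attribute, JavaScript string, URL), which is why the attribute renderer keeps the surrounding quotes rather than relying on encoding alone.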
[CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update (SAP Note 2998510)
While BusinessObjects is being updated, Central Management Server (CMS) authentication credentials are written to the event logs, where anyone with read access to those logs can see them.
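Until the note is applied, the practical question for an operations team is whether credentials are already sitting in log files that are collected, shipped or backed up. The following added example (written for this review, not code or log format from SAP BusinessObjects) scans log lines for key/value pairs whose key names a secret and redacts the value while keeping the rest of the line intact for troubleshooting. The log excerpt is constructed and only mimics the general shape of an installer log.

```python
import re
from typing import List, Tuple

# Constructed sample log excerpt. It imitates the general shape of an update log
# but is NOT the real SAP BusinessObjects or CMS log format; values are invented.
CONSTRUCTED_LOG = """\
2022-05-10 09:14:02 INFO  Starting update of BI platform components
2022-05-10 09:14:05 INFO  Connecting to CMS host=bi-cms.example.internal port=6400
2022-05-10 09:14:05 DEBUG CMS logon user=Administrator password=Sup3rSecret!
2022-05-10 09:14:06 INFO  CMS authentication succeeded
2022-05-10 09:14:30 DEBUG Repository credentials: cms_user=svc_update cms_password=Wint3r2022
2022-05-10 09:15:11 INFO  Update completed
"""

# A key that ends in password/passwd/pwd/secret (optionally prefixed, e.g. cms_password),
# followed by "=" or ":" and a non-blank value. Case-insensitive.
_SECRET_KV = re.compile(r"(?i)\b([a-z_]*(?:password|passwd|pwd|secret))\s*[=:]\s*(\S+)")


def find_credential_leaks(lines) -> List[Tuple[int, str]]:
    """Detection: return (1-based line number, key name) for every line that carries
    a secret in clear text. Suitable for a pre-shipping check on collected logs."""
    hits: List[Tuple[int, str]] = []
    for number, line in enumerate(lines, start=1):
        for match in _SECRET_KV.finditer(line):
            hits.append((number, match.group(1)))
    return hits


def redact(line: str) -> str:
    """Mitigation: replace the secret value with a fixed marker but keep the key,
    so the line still tells an operator what was attempted."""
    return _SECRET_KV.sub(lambda m: f"{m.group(1)}=<redacted>", line)


def scrub_log(text: str) -> str:
    """Redact every line of a log text; returns the scrubbed text."""
    return "\n".join(redact(line) for line in text.splitlines())


if __name__ == "__main__":
    for number, key in find_credential_leaks(CONSTRUCTED_LOG.splitlines()):
        print(f"line {number}: clear-text value for '{key}'")
    print(scrub_log(CONSTRUCTED_LOG))
```

Redacting the file is only half the job: a credential that has already been logged should be treated as disclosed and rotated, and the scan is worth running against log-forwarding pipelines and backups as well as the local file.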
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.
There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.