SAP’s security patch day for November 2022 has seen the release of 11 new and 3 updated OSS SAP security notes. 7 notes have been classified as medium, 3 notes have been classified as high and 4 as critical based on CVSS v3.0 Rating.
2 notes have been released for SAP Commerce and SAP NetWeaver ABAP. Single notes have been released for SAP Business Client, SAP Financial Consolidation, SAP SuccessFactors, SAP GUI, SAP Biller Direct, SAP SQL Anywhere, SAPUI5, SAP BusinessObjects, SAP 3D Visual Enterprise Viewer and Fiori Launchpad.
Vulnerabilities: November 2022 Highlights
[CVE-2022-39802] Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad) (SAP Note 3243924)
In SAP BI Platform, an authenticated attacker with low privileges can intercept a serialized object and replace it with a malicious one. Because the de-serialization process performs no validation of the incoming object, this can compromise the Confidentiality, Integrity, and Availability of the system.
[CVE-2021-20223] Multiple Vulnerabilities in SQLite bundled with SAPUI5 (SAP Note 3249990)
In certain versions of SQLite, applications using SAPUI5 use a tokenizer that is configured to treat null characters as tokens. A user with low privileges can exploit this to impact the Confidentiality, Integrity, and Availability of the system. A separate vulnerability can be exploited to cause an array-bounds overflow, affecting the availability of applications.
[CVE-2022-41204] Account hijacking through URL Redirection vulnerability in SAP Commerce login form (SAP Note 3239152)
An attacker can change the content of an SAP Commerce login page to redirect users to their own server. This allows the attacker to steal credentials and hijack accounts.
[CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform (SAP Note 3256571)
Due to insufficient input validation, SAP NetWeaver Application Server ABAP and ABAP Platform allow an attacker with high-level privileges to use a remote-enabled function to delete a file that is otherwise restricted.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, and we send bespoke recommendations to each of our managed service customers.
More information on how we handle SAP security updates, including SAP's process, the CVE process and CVSS base scores, can be found in our earlier article on addressing security vulnerabilities in SAP software.