SAP’s security patch day for August 2022 saw the release of 6 new SAP security notes (OSS notes). 4 notes have been classified as medium and 2 notes as high, based on their CVSS v3.0 base score rating.
6 notes have been released for SAP BusinessObjects Business Intelligence Platform. Single notes have been released for SAP Enable Now Manager, SAP Authenticator for Android and SAP SuccessFactors attachment API for Mobile Application.
Vulnerabilities: August 2022 Highlights
[CVE-2022-32245] Information disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (Open Document) (SAP Note 3210823)
SAP BusinessObjects Open Document allows an unauthenticated attacker to retrieve sensitive information in plain text over the network. On successful exploitation, the attacker can view any data available to a business user and, by automating the requests, put load on the application. The vulnerability therefore completely compromises confidentiality, with only a limited impact on the availability of the application.
[CVE-2022-35293] Missing authorization check in SAP Enable Now Manager (SAP Note 3210566)
Due to insecure session management, SAP Enable Now allows an unauthenticated attacker to gain access to a user’s account. On successful exploitation, the attacker can view or modify that user’s data, causing a limited impact on the confidentiality and integrity of the application.
[CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) (SAP Note 3226411)
Due to misconfigured application endpoints, the SAP SuccessFactors attachment APIs allow an attacker with ordinary user privileges to perform activities with admin privileges over the network. These APIs are consumed by the SuccessFactors Mobile application for Time Off, Time Sheet, EC Workflow and Benefits. On successful exploitation, the attacker can read and write attachments, compromising the confidentiality and integrity of the application.
About this review
On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP’s process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.