SAP’s security patch day for March 2022 has seen the release of 15 new OSS SAP security notes. One note has been classified as low, 10 as medium, one as high and three as critical, based on their CVSS v3.0 rating.
3 notes have been released for SAP Focused Run and 3 for SAP Enterprise Portal. Single notes have been released for SAP Webdispatcher, SAP Work Manager, SAP Fiori, SAP S/4HANA, SAP Financial Consolidation, SAP NetWeaver AS ABAP, SAP NetWeaver AS JAVA, SAP Business Objects and SAPCAR.
Vulnerabilities: March 2022 Highlights
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager (SAP Note 3154684)
SAP Work Manager uses a version of Apache Log4j that is vulnerable to command injection. This only affects on-premise SMP installations; cloud installations aren’t affected. SAP have provided a workaround, but patching is recommended.
[CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) (SAP Note 3145987)
The Simple Diagnostics Agent, used as part of SAP Focused Run, does not perform any authentication checks for functions that can be accessed locally. An attacker could use this to access or modify sensitive information and configurations.
[CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad (SAP Note 3149805)
If a user is tricked into clicking a specially crafted link created by an attacker, SAP Fiori launchpad allows an unauthenticated attacker to manipulate the Sap-theme URL parameter and inject HTML code. This is due to insufficient input sanitisation in SAP Fiori launchpad. No workaround is available; patching is the only way to resolve this.
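The defensive pattern behind a finding like the Fiori launchpad one above, as an added example that is neither SAP's code nor part of the original review: a theme parameter is accepted only when it matches an allowlist, the chosen value is HTML-escaped when it is rendered into the page, and the same allowlist is run over web-server access logs to flag requests that carried a non-conforming value. The allowlist pattern, the lowercase `sap-theme` parameter name, the launchpad path, the theme names and the log lines are all assumptions constructed for this example.

```python
import html
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Allowlist for a theme identifier: letters, digits, underscore and hyphen, up to 64 chars.
# Assumed rule for this example; it is not SAP's own validation logic.
THEME_NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")
DEFAULT_THEME = "sap_fiori_3"  # sample theme name used as the fallback


def is_safe_theme(value: str) -> bool:
    """True when the value consists only of allowlisted theme-name characters."""
    return THEME_NAME_RE.fullmatch(value) is not None


def select_theme(requested: Optional[str], default: str = DEFAULT_THEME) -> str:
    """Use the requested theme only if it passes the allowlist; otherwise fall back."""
    if requested and is_safe_theme(requested):
        return requested
    return default


def render_theme_link(theme: str) -> str:
    """Emit the stylesheet tag. Escaping the attribute value is a second layer
    behind the allowlist, so a validation gap cannot turn into HTML injection."""
    return '<link rel="stylesheet" href="/themes/%s/library.css">' % html.escape(theme, quote=True)


def theme_param(url: str) -> Optional[str]:
    """Extract the percent-decoded sap-theme query value from a request URL, or None."""
    values = parse_qs(urlsplit(url).query, keep_blank_values=True).get("sap-theme")
    return values[0] if values else None


# Constructed access-log lines (Apache combined format); the launchpad path is assumed.
LOG_LINES = [
    '10.0.0.5 - - [08/Mar/2022:10:01:12 +0000] "GET /sap/bc/ui2/flp?sap-theme=sap_belize&sap-client=100 HTTP/1.1" 200 5120',
    '10.0.0.6 - - [08/Mar/2022:10:02:30 +0000] "GET /sap/bc/ui2/flp?sap-client=100 HTTP/1.1" 200 5120',
    '10.0.0.7 - - [08/Mar/2022:10:03:45 +0000] "GET /sap/bc/ui2/flp?sap-theme=sap_belize%22%3E%3Cb%3Ex HTTP/1.1" 200 5210',
]

# Pulls the request target out of the quoted request line.
REQUEST_RE = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def flag_suspicious_requests(lines: List[str]) -> List[Tuple[int, str]]:
    """Return (line number, decoded sap-theme value) for every request whose theme
    value fails the allowlist; blank or absent values are not reported."""
    hits = []
    for number, line in enumerate(lines, start=1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        value = theme_param(match.group(1))
        if value and not is_safe_theme(value):
            hits.append((number, value))
    return hits


if __name__ == "__main__":
    for number, value in flag_suspicious_requests(LOG_LINES):
        print("line %d: rejected sap-theme value %r" % (number, value))
    # The rejected value never reaches the page: the fallback theme is rendered instead.
    print(render_theme_link(select_theme('sap_belize"><b>x')))
```

The detection half runs on the decoded value rather than the raw query string, so percent-encoded variants are judged by the same rule the application applies; tuning the allowlist to the theme names actually deployed is what keeps the false-positive rate low.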
About this review
On the second Tuesday of each month, SAP release security updates to their software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations for each of our managed service customers.
There is more information on how we handle SAP security updates, including SAP’s process, the CVE process and CVSS base scores, in our earlier article on addressing security vulnerabilities in SAP software.