SAP’s security patch day for September 2022 has seen the release of 9 new and 7 updated OSS SAP security notes. 9 notes have been classified as medium, 6 notes have been classified as high and 1 as critical based on CVSS v3.0 Rating.


6 notes have been released for SAP NetWeaver AS ABAP and 2 for SAP BusinessObjects. Single notes have been released for SAP Business Client, Quality Notifications, SAP Knowledge Warehouse, SAP Customer Relationship Management, SAP for Unix, SAP NetWeaver Enterprise Portal, SAP Business One, SAP SuccessFactors and SAP GRC.

[Figure: September security notes by product category]

Vulnerabilities: September 2022 Highlights


[CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) (SAP Note 3226411)

Due to misconfigured application endpoints, SAP SuccessFactors attachment APIs allow an attacker with user privileges to perform activities with admin privileges over the network. Successful exploitation allows the attacker to read and write attachments, compromising the confidentiality and integrity of the application.

[CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One (SAP Note 3223392)

When the SAP Business One application creates a service, the executable path contains spaces and is not enclosed in quotes, leading to the vulnerability known as Unquoted Service Path, which allows a user to gain SYSTEM privileges. If adversaries exploit the service, they can gain privileged permissions on a system or network, with high impact on Confidentiality, Integrity and Availability.
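As an added illustration of this defect class (not code from the SAP note or from Absoft), a small Python audit that flags service ImagePath values whose unquoted executable path contains a space and produces the quoted form that removes the issue. The service names and paths below are constructed samples; on a real host the values would be read from HKLM\SYSTEM\CurrentControlSet\Services.

```python
import re
from typing import Dict, Tuple

# Constructed sample ImagePath values in the shape of
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath. The service names
# and paths are made up for illustration, not taken from SAP Business One.
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleQuoted":    r'"C:\Program Files\Example Vendor\Svc Host\vendorsvc.exe" -run',
    "ExampleUnquoted":  r"C:\Program Files\Example Vendor\Svc Host\vendorsvc.exe -run",
    "ExampleNoSpaces":  r"C:\Example\bin\agent.exe",
    "ExampleArgsOnly":  r"C:\Windows\system32\svchost.exe -k netsvcs -p",
    "ExampleSpaceFile": r"C:\Tools\my agent.exe",
}

_EXE_RE = re.compile(r"^(.*?\.exe)", re.IGNORECASE)


def _split_executable(image_path: str) -> Tuple[str, str]:
    """Split an unquoted ImagePath into (executable, arguments): everything up to
    the first '.exe'; without one, the first whitespace-delimited token (best effort)."""
    m = _EXE_RE.match(image_path)
    exe = m.group(1) if m else image_path.split(None, 1)[0]
    return exe, image_path[len(exe):]


def is_unquoted_service_path(image_path: str) -> bool:
    """True when the executable part is unquoted and contains a space (CWE-428).
    A quoted path is fine, and spaces only in the arguments are harmless."""
    path = image_path.strip()
    if not path or path.startswith('"'):
        return False
    exe, _args = _split_executable(path)
    return " " in exe


def quote_image_path(image_path: str) -> str:
    """Remediated value: the executable wrapped in quotes, arguments preserved."""
    path = image_path.strip()
    if not is_unquoted_service_path(path):
        return path
    exe, args = _split_executable(path)
    return f'"{exe}"{args}'


def audit_services(services: Dict[str, str]) -> Dict[str, str]:
    """Map each affected service name to the corrected ImagePath it should get."""
    return {name: quote_image_path(p) for name, p in services.items()
            if is_unquoted_service_path(p)}


if __name__ == "__main__":
    for name, fixed in audit_services(SAMPLE_SERVICES).items():
        print(f"{name}: unquoted path with spaces; set ImagePath to {fixed}")
```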

[CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) (SAP Note 3226411)

Under certain conditions Central Management Console (CMC) allows an attacker to access certain unencrypted sensitive parameters which would otherwise be restricted.

About this review

On the second Tuesday of each month, SAP releases security updates for its software products. At Absoft, we analyse all of the released security updates and produce this security review, including sending bespoke recommendations to each of our managed service customers.

There is more information on how we handle SAP security updates, including information on SAP’s process, the CVE process and the CVSS base scores in our earlier article on addressing security vulnerabilities in SAP software.
