SAP Security Patch Day: September 2022

SAP Security Notes Blog

High Priority Patches Released for SAP Business One, SAP BusinessObjects, and SAP GRC

Highlights of September SAP Security Notes analysis include:

  • September summary – 16 new and updated SAP security patches released, including one HotNews Note and six High Priority Notes
  • Three new High Priority Notes released – SAP Business One, SAP BusinessObjects and SAP GRC affected
  • Good news for SAP SuccessFactors customers – Disabled attachment functionality in Mobile Application has resumed for three of the four affected modules

SAP has published 16 new and updated Security Notes on its September Patch Day (including the notes that were released or updated since last Patch Tuesday). This includes one HotNews Note and six High Priority Notes. 

SAP Business Client customers always have a good chance of encountering a HotNews Note. A new update of the periodically recurring SAP Security Note #2622660 was released by SAP at the end of August, prior to the September Patch Day. It patches 55 Chromium vulnerabilities, including one Critical and 28 High Priority patches. The maximum CVSS score of all fixed vulnerabilities is 8.8. Three of the six High Priority Notes are released for the first time and cover different SAP applications, so this time no single application stands out.

The High Priority Notes in Detail

SAP Business One

Based on the CVSS score, SAP Security Note #3223392 is the most critical one of the three new High Priority Notes. It patches an Unquoted Service Path vulnerability in SAP Business One which is tagged with a CVSS score of 7.8.

An Unquoted Service Path vulnerability can be exploited to execute an arbitrary binary file when the vulnerable service starts, which could allow an attacker to escalate privileges to SYSTEM.

Example:

Assuming the correct path for a service executable is:

C:\Program Files\ERP Security\binary files\executable files\service-program.exe

If the execution path is provided without quotes, the system will interpret this path in the following order:

  • C:\Program.exe
  • C:\Program Files\ERP.exe
  • C:\Program Files\ERP Security\binary.exe
  • C:\Program Files\ERP Security\binary files\executable.exe
  • C:\Program Files\ERP Security\binary files\executable files\service-program.exe

This means that if an attacker has write access to one of the involved subdirectories, they can create a malicious file (Program.exe, ERP.exe, binary.exe, or executable.exe) that will be executed in place of the intended executable service-program.exe – in the context of the broad capabilities of a service user.
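The lookup order above can be modelled in a few lines, which is useful for auditing a list of service ImagePath values before a patch is available. The following is an added example, not code from the original post or from Onapsis: it enumerates the candidate files Windows would try for an unquoted path, flags paths that are exposed, and produces the quoted form that closes the gap. The service names and ImagePath values are constructed sample data, and the lookup model is a simplification (it ignores PATH searching and treats the first token ending in .exe as the intended binary).

```python
"""Model of how Windows resolves an unquoted service ImagePath, with a check and a fix."""
from dataclasses import dataclass


@dataclass
class PathReport:
    image_path: str
    unquoted: bool    # True when more than one file could be picked up at start
    executable: str   # the binary the service owner intended
    candidates: list  # files Windows would try, first to last


def analyse_image_path(image_path: str) -> PathReport:
    raw = image_path.strip()
    if raw.startswith('"'):
        # Quoted path: the executable is exactly the text between the quotes.
        end = raw.find('"', 1)
        exe = raw[1:end] if end > 0 else raw[1:]
        return PathReport(image_path, False, exe, [exe])
    # Unquoted: each space-delimited prefix is tried with ".exe" appended,
    # in order, until the token that really ends in .exe is reached.
    tokens, candidates = raw.split(" "), []
    for i in range(1, len(tokens) + 1):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            candidates.append(prefix)
            break
        candidates.append(prefix + ".exe")
    exe = candidates[-1] if raw.startswith(candidates[-1]) else raw
    return PathReport(image_path, len(candidates) > 1, exe, candidates)


def quoted_form(image_path: str) -> str:
    """Remediation: wrap the intended executable in quotes, keeping its arguments."""
    rep = analyse_image_path(image_path)
    if not rep.unquoted:
        return image_path
    return f'"{rep.executable}"' + image_path.strip()[len(rep.executable):]


def find_unquoted(services: dict) -> dict:
    """Return {service name: PathReport} for every ImagePath that is unquoted."""
    reports = {name: analyse_image_path(path) for name, path in services.items()}
    return {name: rep for name, rep in reports.items() if rep.unquoted}


# Constructed sample of service name -> ImagePath (not real registry data).
SAMPLE_SERVICES = {
    "ERPService": r"C:\Program Files\ERP Security\binary files\executable files\service-program.exe",
    "VendorAgent": r'"C:\Program Files\Vendor App\agent.exe" -k worker',
    "CoreHost": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "LegacySvc": r"C:\Tools\Legacy Suite\monitor.exe -config C:\Tools\Legacy Suite\m.cfg",
}
```

Running `find_unquoted(SAMPLE_SERVICES)` flags ERPService and LegacySvc; for ERPService the candidate list is exactly the five entries shown above, and `quoted_form` returns the path with the executable wrapped in quotes.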

The issue is fixed with SAP Business One FP2202HF1.

SAP BusinessObjects

The second new High Priority Note, SAP Security Note #3217303, is tagged with a CVSS score of 7.7 and patches an Information Disclosure vulnerability in SAP BusinessObjects. Under certain conditions, the vulnerability allows an attacker to gain access to unencrypted sensitive information in the Central Management Console of SAP BusinessObjects Business Intelligence Platform.

The updated High Priority Note #2998510, tagged with a CVSS score of 7.8, patches an Information Disclosure vulnerability in SAP BusinessObjects. The update extends the note’s Solution section, clarifying the affected operating systems and other prerequisites.

SAP GRC

SAP Security Note #3237075, tagged with a CVSS score of 7.1, is the third new High Priority Note and affects SAP GRC customers. The described vulnerability allows an authenticated attacker to access a Firefighter session even after it is closed in the Firefighter Logon Pad. The note describes some additional requirements regarding the authorizations of the configured RFC user. It also points out that the provided correction instructions have no effect for SAP systems on SAP NetWeaver < 7.02; in this case, SAP suggests upgrading the SAP Basis level first.

SAP SuccessFactors 

When looking at the updated High Priority Notes, there is good news for SAP SuccessFactors customers. SAP Security Note #3226411, tagged with a CVSS score of 8.1, was initially released at the end of July 2022. The corresponding patch stopped the ability to download, upload, or preview attachments in the vulnerable SAP SF Mobile Application modules: Time Off, Time Sheet, EC Workflow, and Benefit. The new update released today enables the attachment functionality to resume for the first three of the four affected modules.

SAP Knowledge Warehouse

The remaining two updated High Priority Notes contain only minor textual or structural updates. SAP Security Note #3102769, tagged with a CVSS score of 8.8, contains a patch for a critical Cross-Site Scripting vulnerability in SAP Knowledge Warehouse. It also provides a workaround that describes the deactivation of the vulnerable display component. Since there are two options for deactivating it, the description of the workaround was moved to its own SAP Note #3221696.

Summary and Conclusion

With 16 new and updated Security Notes, including the well-known SAP Business Client HotNews Note and three new High Priority Notes, this is another calm Patch Day for SAP customers. Starting today, we will attach a complete list of all released SAP Security Notes to provide the complete picture of the affected SAP applications.

| SAP Note | Type | Description | Component | Priority | CVSS |
|---|---|---|---|---|---|
| 3223392 | New | [CVE-2022-35292] Windows Unquoted Service Path issue in SAP Business One | SBO-CRO-SEC | High | 7.8 |
| 3219164 | New | [CVE-2022-35298] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Enterprise Portal (KMC) | EP-KM-FWK-CF | Medium | 6.1 |
| 3217303 | New | [CVE-2022-39014] Information Disclosure vulnerability in SAP BusinessObjects Business Intelligence Platform (CMC) | BI-BIP-SRV | High | 7.7 |
| 3159736 | New | [CVE-2022-35295] Privilege Escalation Vulnerability in SAPOSCOL on Unix | BC-CCM-MON-OS | Medium | 6.7 |
| 3198137 | New | Update 1 to Security Note 3165333 – [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | BC-MID-ICF | Medium | 4.7 |
| 3126968 | New | Information Disclosure vulnerability in SAP CRM WebClient | CA-WUI-UI-TAG | Medium | 4.3 |
| 2998510 | Update | [CVE-2022-28214] Central Management Server Information Disclosure in Business Intelligence Update | BI-BIP-INS | High | 7.8 |
| 3237075 | New | [CVE-2022-39801] Insufficient Firefighter Session Expiration in SAP GRC Access Control Emergency Access Management | GRC-SAC-EAM | High | 7.1 |
| 3229820 | New | [CVE-2022-39799] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver AS ABAP (SAP GUI for HTML within the Fiori Launchpad) | BC-FES-WGU | Medium | 6.1 |
| 3226411 | Update | [CVE-2022-35291] Privilege escalation vulnerability in SAP SuccessFactors attachment API for Mobile Application (Android & iOS) | LOD-SF-EC | High | 8.1 |
| 2634023 | New | Missing authorization check in Consumption of CDS Views (or) OData Services in QM-QN | QM-QN | Medium | 6.3 |
| 3218177 | New | [CVE-2022-35294] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Application Server ABAP | BC-FES-WGU | Medium | 5.4 |
| 3165333 | Update | [CVE-2022-28215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform | BC-MID-ICF | Medium | 4.7 |
| 3150454 | Update | Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | BC-MID-RFC | Medium | 4.9 |
| 2622660 | (New) | Security updates for the browser control Google Chromium delivered with SAP Business Client | BC-FES-BUS-DS | Hot News | (10.0) |
| 3102769 | Update | [CVE-2021-42063] Cross-Site Scripting (XSS) vulnerability in SAP Knowledge Warehouse | KM-KW-HTA | High | 8.8 |

Onapsis Research Labs automatically updates The Onapsis Platform with the latest threat intelligence and security guidance so that our customers can stay ahead of ever-evolving threats and protect their businesses.

For more information about the latest SAP security issues and our continuous efforts to share knowledge with the security community, subscribe to our monthly Defender’s Digest Newsletter.