- 298/2022
- Critical
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (4) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP BusinessObjects Business Intelligence Platform (Web intelligence) and (Program Objects), SAP NetWeaver Process Integration, SAP Commerce, SAP Commerce Webservices 2.0 (Swagger UI), SAP Disclosure Management, SAP NetWeaver AS for Java (HTTP Provider Service), SAP Solution Manager (Enterprise Search) and (Diagnostic Agent), SAP BASIS, SAPUI5 CLIENT RUNTIME, SAP NetWeaver Application Server ABAP and ABAP Platform, SAP Business Planning and Consolidation, SAP NetWeaver AS ABAP (Business Server Pages Test Application IT00), SAP Sourcing and SAP Contract Lifecycle Management.
The remote attacker could exploit some of these vulnerabilities to take control of the affected system.
Sample of the addressed vulnerabilities:
1. Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (CVE-2022-41267):
• CVSS: 9.9
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: Low
• User Interaction: None
• Consequences: Gain Access
2. Remote Code Execution vulnerability associated with Apache Commons Text in SAP Commerce (CVE-2022-42889):
• CVSS: 9.8
• Attack Vector: Network
• Attack Complexity: Low
• Privileges Required: None
• User Interaction: None
• Consequences: Gain Access
Vulnerabilities
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
SAP Security Patch Day December 2022