- 261/2022
- High
SAP has released security updates to address several vulnerabilities affecting multiple products. In addition, SAP also announced (2) updates to the previously released patch day security notes.
This month’s patch fixes several vulnerabilities affecting multiple SAP products such as SAP BusinessObjects Business Intelligence Platform (Central Management Console and BI Launchpad), SAPUI5 CLIENT RUNTIME, SAP NetWeaver Application Server ABAP and ABAP Platform, SAP 3D Visual Enterprise Author/Viewer, SAP SQL Anywhere, SAP Financial Consolidation, SAP Biller Direct and SAP GUI for Windows. The remote attacker could exploit some of these vulnerabilities to take control of the affected system.
Sample of the addressed vulnerabilities:
- Insecure Deserialization of Untrusted Data in SAP BusinessObjects Business Intelligence Platform (CVE-2022-41203):
- CVSS: 9.9
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: Low
- User Interaction: None
- Consequences: Gain Access
- SQlite weak security bundled with SAPUI (CVE-2021-20223):
- CVSS: 9.8
- Attack Vector: Network
- Attack Complexity: Low
- Privileges Required: None
- User Interaction: None
- Consequences: Gain Access
Mitigations
The enterprise should deploy this patch as soon as the testing phase is completed.
SAP Security Patch Day November 2022