CVE-2022-22531: SAP Security Patch Day – January 2022 - Product Security Response at SAP

The F0743 Create Single Payment application of SAP S/4HANA - versions 100, 101, 102, 103, 104, 105, 106, does not check uploaded or downloaded files. This allows an attacker with basic user rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.


This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches as a priority to protect their SAP landscape.

On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously.

Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to the Apache Log4j 2 component. This security note is a living document that will be updated whenever a new Security Note is released, so please refer to the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes.

List of security notes released on January Patch Day:

Note# | Title | Priority | CVSS
--- | --- | --- | ---
3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component (consolidated Security Note list below) | Hot News | 10
3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA. Additional CVE: CVE-2022-22530. Product: SAP S/4HANA, Versions 100, 101, 102, 103, 104, 105, 106 | High | 8.7
3123196 | Update to Security Note released on December 2021 Patch Day: [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP. Product: SAP NetWeaver AS ABAP, Versions 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | High | 8.4
3101299 | [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One. Product: SAP Business One, Version 10 | Medium | 6.6
3106528 | [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One. Product: SAP Business One, Version 10 | Medium | 6.5
3124597 | [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection. Product: SAP Enterprise Threat Detection, Version 2.0 | Medium | 6.1
3112710 | [CVE-2022-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product: SAP NetWeaver AS for ABAP and ABAP Platform, Versions 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786 | Medium | 4.3
3121165 | Update to Security Note released on December 2021 Patch Day: [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. CVEs: CVE-2021-42068, CVE-2021-42069, CVE-2021-42070. Product: SAP 3D Visual Enterprise Viewer, Version 9 | Medium | 4.3
3080816 | Update to Security Note released on December 2021 Patch Day: [CVE-2021-44233] Missing Authorization check in GRC Access Control. Product: SAP GRC Access Control, Versions V1100_700, V1100_731, V1200_750 | Low | 2.4

Consolidated Security Note list for 3131047 (Product: Security Note #):

SAP Customer Checkout: 3133772
SAP BTP Cloud Foundry: 3130578
SAP Landscape Management: 3132198
SAP Connected Health Platform 2.0 - Fhirserver: 3131824
SAP HANA XS Advanced Cockpit: 3134531 (includes fix provided in 3131397, 3132822)
SAP NetWeaver Process Integration (Java Web Service Adapter): 3135581 (includes fix provided in 3132204, 3130521, 3133005)
SAP HANA XS Advanced: 3131258
Internet of Things Edge Platform: 3132922
SAP BTP Kyma: 3132744
SAP Enable Now Manager: 3132964
SAP Cloud for Customer (add-in for Lotus Notes client): 3132074
SAP Localization Hub, digital compliance service for India: 3132177
SAP Edge Services On Premise Edition: 3132909
SAP Edge Services Cloud Edition: 3132515
SAP BTP API Management (Tenant Cloning Tool): 3132162
SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0): 3131691
SAP Digital Manufacturing Cloud for Edge Computing: 3136094
SAP Enterprise Continuous Testing by Tricentis: 3134139
SAP Cloud-to-Cloud Interoperability: 3132058
Reference Template for enabling ingestion and persistence of time series data in Azure: 3136988
SAP Business One: 3131740

* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.

Customers who would like to review all Security Notes published or updated after December 14, 2021 can go to Launchpad Expert Search → Filter ‘SAP Security Notes’ released between ‘December 15, 2021 - January 11, 2022’ → Go.

To learn more about the security researchers and research companies who contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.

Do write to us at [email protected] with all your comments and feedback on this blog post.

SAP Product Security Response Team
