SAP Security Patch Day 02/2022

SAP Security Patch Day 02/2022 – there is something in it for everyone!

The SAP Security Patch Day of February 2022 was once again quite extensive, with 7 notes carrying the highest risk rating (CVSS score = 10). In addition, other critically rated fixes (with CVSS score 9.1 or 8.7) can be found on the list published on Tuesday. [1]

As always, we want to report in this blog how we apply the SAP Security Notes to our own production SAP HCM system. By uploading the notes with transaction SNOTE, we automatically check whether they contain importable fixes. Especially for very high priority notes, we additionally examine the note manually to check whether further activities are necessary.

SAP kernel patch necessary

This is also the case with the first note (3123396), which addresses the vulnerability with the official number CVE-2022-22536 [2] and a rating of CVSS=10. The SAP ICM is vulnerable to so-called request smuggling if unpatched – this vulnerability has been christened “ICMAD”. Authorities such as the US DHS CISA [3] or SAP [4] themselves also point out the particular criticality of this vulnerability.

However, the correction is not made via adjustments in the ABAP source code, but via an update to the SAP kernel and the SAP Web Dispatcher. We were able to schedule and implement a corresponding exchange of the kernel files directly for Tuesday evening together with our SAP Basis team.

SAP Business Client

Note 2622660 is updated monthly and describes which patches have been deployed for the SAP Business Client and the Chromium PlugIn it contains. The specific risk assessment depends on the release used and the patch level applied to date and varies accordingly – but in some cases it does reach the maximum value of CVSS=10. 

As a countermeasure, the SAP Business Client must be regularly updated to the latest available patch level. Consequently, after downloading it from the SAP Support Portal, we immediately started the rollout to our employees’ workstation environments.

Log4j is not over yet

Even in February, the largest share (5 notes) of SAP Security Notes is still accounted for by the log4j vulnerability [5]. It is worth mentioning that 3131047 is a collective note that has been updated again this month: in addition to the 23 notes already published in January, another 18 new ones have been added in February. Again, security notes with this criticality should be manually reviewed and read again – even if transaction SNOTE reports that they cannot be imported. With the focus on our HCM system, however, there was no further activity.

Implemented Notes  

Three security notes were assessed as “automatically importable” in transaction SNOTE:

  • 3140587 SQL Injection vulnerability in SAP NetWeaver 
  • 3124994 Cross-Site Scripting (XSS) vulnerability 
  • 3126489 Missing Authorization check in SAP ERP HCM Product 

After reviewing the fixes, it was decided that they could be applied directly to the system, as the countermeasures used (appropriate encoding, additional authorization check) did not indicate any functional risk. The import via SNOTE was carried out without any problems and without any further manual activities.

That’s it for this month – we will report on the March SAP Security Patch Day here again in four weeks.