SAP Security Patch Day 03/2022 – What to fix in our HCM system?
While the February Security Patch Day included a lot of activities (SAP kernel and SAP web dispatcher update, upgrade of SAP Business Client, etc.), the list of security notes for March seems to be manageable for now: a total of 12 new and 4 updated notes. The three notes with the highest rating of CVSS = 10 address already familiar topics: updates to fixes for the log4j and ICMAD vulnerabilities.
As always, in this blog we want to look at this list through the lens of our own production SAP HCM system. After we already executed an update of the SAP kernel in February and there are no components in the system that use log4j, no further activities arise in the area of maximum criticality in March (note: we checked the note texts again anyway).
After downloading the security notes in transaction SNOTE, only one note turned out to be relevant and embeddable for our HCM system:
- 3149805 – [CVE-2022-26101] Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad
Fiori Launchpad affected
Although there have been several notes in the last months, which we have implemented – nevertheless, note 3149805 is something special: besides the high criticality (CVSS = 8.2), the affected component is actively in use in our system! Not very surprising, considering that the SAP Fiori Launchpad is the central entry point for Fiori-based applications.
Therefore, we analyzed the included correction instructions a bit more closely before installing them: the correct countermeasure for cross-site scripting (XSS, CSS) vulnerabilities is to generally include appropriate output encoding. This prevents attackers from crafting parts of your input in such a way that they are interpreted as part of the flow logic in subsequent program steps. Sources of error when correcting these vulnerabilities are, for example, that an incorrect encoding is chosen, or that input validation is implemented instead of encoding. Neither is the case here and the correction described in the note is a correct countermeasure.
Even more: such vulnerabilities, which are mitigated via output encoding, usually require no or only minimal functional retesting. The automatic installation was trouble-free and the Fiori launchpad as well as the applications run unaffected!
Due to the exposed, central position of the SAP Fiori Launchpad and the associated wide distribution, we strongly recommend applying note 3149805 in a timely manner.
That’s it for this month – we will report again on the SAP Security Patch Day from April in a month’s time.