SAP Security Patch Day 04/2022

“April April – it does what it wants”
(German saying) 

That’s what you might think when you look at this month’s list of Security Notes, which is over 30 entries strong. Once again, we are reporting here from the field: What activities were carried out in our own productive SAP HCM system?

Updates to Security Notes from previous months

Once again, the “Hot Topics” of the previous months have been covered with further updates in the corresponding Security Notes. For example, there is an update to Note 3123396 for the “ICMAD” vulnerability – we have already had the necessary kernel patch applied by our SAP-Basis colleagues.

The collective note on the SAP Business Client and the Chromium plug-in used in it has also been updated. We already reported on the need to update the SAP Business Client in February.

We checked the contents of the notes again, especially for the high-priority updates, but no further activities were necessary.

Deployable corrections

Only two corrections were installable for our HCM system this month: 3128473 and 3165333. The latter required a little manual preparatory work and could then be installed without any problems.

The interesting thing about 3128473 was that it can cause a syntax error in the system (depending on the support package) and therefore references a further note, 3189594. However, both could be applied automatically, and the affected transaction still works.

Update of the UI5 library

Finally, we have to address note 3126557, which deals with a Cross-Site Scripting (XSS) vulnerability in a standard UI5 library; with a CVSS score of 6.1, this is a fix with “elevated” priority. The necessary action is described as “Install the latest SAPUI5 patch – see referenced SAP Note 3155948”.

Since, on the one hand, this cannot be done via the Note Assistant (transaction SNOTE) and, on the other hand, it cannot be done ad hoc in live operation, we have scheduled the application of the patch for the next available maintenance window.

This concludes our blog on the patch activities in April, which brought a large number of notes overall but ultimately required only a small amount of work for our productive system.