SAP Security Patch Day 07/2022

“July 2022 Patch Day – Just do it!”

The number of published notes since the last Patch Day (including the July date this Tuesday): twenty-three.

23 – with this number Michael Jordan dominated the NBA.

So: with the motto “Just do it!” let’s get straight to work!

After a first review of the note list, the Note Assistant (transaction SNOTE) confirms the first impression: this month, only a few corrections are relevant for our HCM system. The notes mainly address vulnerabilities in the SAP Enterprise Portal, SAP Business One and SAP Business Objects applications – none of which are in productive use at our company.

For SAP HCM, three advisories are shown as “implementable”:

  • “3196280 Missing authorization check in EA-DFPS” adds a previously missing authorization check in an Enterprise Extension / Business Function which is not in use at our company. Importing is possible without any problems in this case.
  • “3134161 Missing authorization check in SAP ERP HCM” sounds much more interesting since we focus explicitly on the HCM system in this blog! However, the missing authorization check concerns the payroll localization for Brazil, which is not an active country for our company.
    • Of course, this may be different for each customer. If Payroll for Brazil is actively used, an import will also require a reconciliation with the Roles and Authorizations team – after all, the fix will make new authorization checks active in the system.
  • “3150454 Vulnerability related to information disclosure in SAP NetWeaver” addresses a technical vulnerability in the area of RFC connections and storage of configuration and user details. The note is a good example of why you should not blindly click “Implement Note”:
    • Note “3086625 Increase password length” is listed as a prerequisite. This in turn brings an implementable fix, but also requires the SAP kernel to be raised to a minimum level. That level was already present in our case, so both notes could be imported after this check.

That’s it for the July 2022 Patch Day – we will report again on the patching activities of our SAP HCM system in a month’s time.