SAP Security Patch Day 08/2022

“August 2022 Patch Day”

The August Patch Day falls in the middle of a period of great heat and drought, so it somehow fits the picture that this one is comparatively meager, with seven published notes. If you add the notes that have been updated since the last blog, you end up with a total of 11.

As in every month, we mainly want to secure our own SAP HCM system and – time permitting – also look a bit outside the box and discuss critical or conspicuous notes.

Part 1 of the task is quickly completed. None of the notes is relevant for our SAP system, can be implemented by the Note Assistant (SNOTE), or describes other manual patch activities: either other platforms are affected or the component versions do not match our release.

That quickly brings us to the look beyond our own system. So are there other interesting vulnerabilities or fixes?

The highest rated vulnerability or fix this month is note 3210823, which addresses an “Information Disclosure” in Business Objects.

However, I was directly “triggered” by another fix: 3216653 describes a patch on SAP Authenticator – an app I recently had to install myself (to access the Service Marketplace). Since the patch is purely for Android phones, I am not affected (this time) – but it shows: we need a patch strategy not only for the SAP backends but also for our endpoints – including the phones and tablets: for this note we have initiated appropriate actions for the team.

That’s it for this month – have a nice summer!