SAP Security Patch Day 09/2022

“September 2022 Patch Day”

If you look at the temperatures, autumn is not here yet, but the September Patch Day is – with 16 notes in the bag. We apply these to our internal HCM system in the usual way and report on the implementation. There are no particularly critical fixes this month, so in this round we want to report a bit more about our approach to applying them:

The note with the highest priority (CVSS score 6.7) is 2634023, which addresses missing authorization checks in an OData service. Put simply: the correction adds AUTHORITY-CHECK statements to code that previously served every authenticated caller, so after the fix only users whose roles contain the checked authorization can still use that service. When evaluating whether such a note should or can be implemented, questions such as the following arise:

  • Which authorizations are newly checked, and do the affected users' roles already contain them?
  • Are the affected program parts currently in use at all, and if so by which users?
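One way to answer the first question for a concrete note, as an added example that is not part of the original post: the report below takes the authorization object, field and value that a note's new AUTHORITY-CHECK requires and lists the roles granting it together with the users currently assigned to those roles. AGR_1251 and AGR_USERS are SAP's standard role tables; the default object ZHR_EMPL is a placeholder for the object named in the note's correction instructions.

```abap
REPORT zsec_who_has_auth.

" Added example, not code from the blog post or from SAP Note 2634023.
" For the authorization object/field/value that a note's new AUTHORITY-CHECK
" requires, list the roles granting it and the users holding those roles.
" AGR_1251 = authorization values per role, AGR_USERS = user-role assignments.
" The default object ZHR_EMPL is a placeholder for the object named in the note.

PARAMETERS: p_object TYPE agr_1251-object DEFAULT 'ZHR_EMPL',
            p_field  TYPE agr_1251-field  DEFAULT 'ACTVT',
            p_value  TYPE agr_1251-low    DEFAULT '03'.

START-OF-SELECTION.
  DATA lv_msg TYPE string.

  " A role grants the value if it appears directly as LOW, lies inside a
  " LOW..HIGH range, or the role holds the wildcard '*'. DELETED = ' ' skips
  " values removed in PFCG but not yet physically deleted. Only role
  " assignments valid today count.
  SELECT DISTINCT u~uname, u~agr_name
    FROM agr_1251 AS a
    INNER JOIN agr_users AS u ON u~agr_name = a~agr_name
    WHERE a~object  = @p_object
      AND a~field   = @p_field
      AND a~deleted = @space
      AND ( a~low = @p_value
         OR a~low = '*'
         OR ( a~low <= @p_value AND a~high >= @p_value ) )
      AND u~from_dat <= @sy-datum
      AND u~to_dat   >= @sy-datum
    ORDER BY u~uname, u~agr_name
    INTO TABLE @DATA(lt_users).

  IF lt_users IS INITIAL.
    " Nobody is authorized: after the note every caller of the service fails
    " the new check, so either the service is unused or roles must be extended
    " before the note goes in.
    lv_msg = |No active user holds { p_object } { p_field } = { p_value }|.
    WRITE / lv_msg.
    RETURN.
  ENDIF.

  LOOP AT lt_users INTO DATA(ls_user).
    WRITE: / ls_user-uname, ls_user-agr_name.
  ENDLOOP.
  lv_msg = |{ lines( lt_users ) } user/role assignments grant { p_object } { p_field } = { p_value }|.
  WRITE / lv_msg.
```

Two caveats: the report reads role definitions, not generated profiles, so a role that was changed but not regenerated can differ at runtime, and authorizations granted through manually assigned profiles are not visible here; SUIM remains the authoritative answer. The second question, whether and by whom the service is actually called, comes from workload statistics (ST03N) rather than from code.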

In the case of note 2634023 on our HCM system, a technical analysis of the affected ABAP development objects determines which OData service is affected, and whether that service is active at all, that is, whether it can be called (for a Gateway service: whether it is registered and active in the service catalog, /IWFND/MAINT_SERVICE, and whether its ICF node is active in SICF). An inactive service is not reachable, so no user can be affected by the new checks. On our system the service was not active, and so the decision was clear: implement the note immediately.
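What a correction of this kind typically looks like, as an added illustration rather than the actual coding of note 2634023: a read method that serves data to every caller, beside the same method guarded by the AUTHORITY-CHECK such a note adds. The class, the authorization object ZHR_EMPL and the sample rows are placeholders.

```abap
REPORT zsec_auth_check_demo.

" Added illustration, not SAP's correction. Shows the before/after shape of a
" "missing authorization check" fix. ZHR_EMPL and the employee rows are
" placeholders; in a real Gateway data provider class the failure would be
" reported through the Gateway's own exception so the OData client gets an
" error response instead of data.

CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_employee_service DEFINITION.
  PUBLIC SECTION.
    TYPES: BEGIN OF ty_employee,
             pernr TYPE n LENGTH 8,
             name  TYPE string,
           END OF ty_employee,
           tt_employee TYPE STANDARD TABLE OF ty_employee WITH EMPTY KEY.
    " Before the note: returns rows to every authenticated caller.
    METHODS read_unchecked RETURNING VALUE(rt_employees) TYPE tt_employee.
    " After the note: only callers with ZHR_EMPL ACTVT 03 (display) get rows.
    METHODS read_checked   RETURNING VALUE(rt_employees) TYPE tt_employee
                           RAISING   lcx_not_authorized.
  PRIVATE SECTION.
    METHODS select_employees RETURNING VALUE(rt_employees) TYPE tt_employee.
ENDCLASS.

CLASS lcl_employee_service IMPLEMENTATION.
  METHOD select_employees.
    " Constructed sample rows standing in for the database read.
    rt_employees = VALUE #( ( pernr = '00000001' name = 'A. Example' )
                            ( pernr = '00000002' name = 'B. Example' ) ).
  ENDMETHOD.

  METHOD read_unchecked.
    rt_employees = select_employees( ).
  ENDMETHOD.

  METHOD read_checked.
    " The statement a note of this kind adds: sy-subrc 0 means the current
    " user holds the authorization, anything else denies the request.
    AUTHORITY-CHECK OBJECT 'ZHR_EMPL'
      ID 'ACTVT' FIELD '03'.
    IF sy-subrc <> 0.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
    rt_employees = select_employees( ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_msg TYPE string.
  DATA(lo_service) = NEW lcl_employee_service( ).
  TRY.
      DATA(lt_employees) = lo_service->read_checked( ).
      lv_msg = |{ lines( lt_employees ) } employees readable by { sy-uname }|.
    CATCH lcx_not_authorized.
      lv_msg = |{ sy-uname } lacks ZHR_EMPL ACTVT 03: request denied|.
  ENDTRY.
  WRITE / lv_msg.
```

The point of the comparison: the data access itself is unchanged, so nothing breaks for users whose roles already contain the object, and everyone else now gets a denial where they previously got data. That is exactly why the role analysis has to come before the import.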

The second note we want to talk about here is 3126968. It fixes a “vulnerability with regard to disclosure of information in the SAP CRM WebClient”. Again, a look into the corrected source code is helpful when deciding whether to implement it right away.

The correction removes program logic that depends on a user parameter from the standard source code. Branching on a user parameter is a discouraged programming practice because users maintain their own parameters (transaction SU3), so such a switch is controlled by the very user whose output it changes and offers no protection. On the other hand, we were able to confirm that the associated parameter was not currently set by any user, and therefore the installation could not affect any user.
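The pattern the correction removes and the check that no user has the parameter set, as an added example that is not the note's code: the parameter ID ZCRM_DETAIL is a placeholder, since the post does not name the real one; USR05 is SAP's table of user parameters persisted in the user master.

```abap
REPORT zsec_user_parameter_check.

" Added example, not code from the blog post or from SAP Note 3126968.
" Part 1 shows the kind of switch such a correction removes; part 2 lists the
" users who have that parameter set. ZCRM_DETAIL is a placeholder parameter ID.

CONSTANTS gc_parid TYPE usr05-parid VALUE 'ZCRM_DETAIL'.

CLASS lcl_view DEFINITION.
  PUBLIC SECTION.
    " The discouraged pattern: user parameters are maintained by the user
    " themselves (SU3, "Own Data"), so this switch is under the control of the
    " user whose output it widens. It is a convenience setting, not an
    " authorization, and must not decide what data is shown.
    CLASS-METHODS show_details RETURNING VALUE(rv_show) TYPE abap_bool.
ENDCLASS.

CLASS lcl_view IMPLEMENTATION.
  METHOD show_details.
    DATA lv_flag TYPE c LENGTH 1.
    " Reads SPA/GPA memory, which is filled from USR05 at logon and can also
    " be changed at runtime with SET PARAMETER ID.
    GET PARAMETER ID gc_parid FIELD lv_flag.
    rv_show = xsdbool( sy-subrc = 0 AND lv_flag = 'X' ).
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  DATA lv_msg TYPE string.

  " Part 2: who has the parameter persisted in the user master (SU01/SU3)?
  " An empty result means the removed branch was dead for every user, so
  " implementing the note cannot change anyone's behaviour.
  SELECT bname, parva
    FROM usr05
    WHERE parid = @gc_parid
    ORDER BY bname
    INTO TABLE @DATA(lt_users).

  IF lt_users IS INITIAL.
    lv_msg = |No user has parameter { gc_parid } set|.
  ELSE.
    LOOP AT lt_users INTO DATA(ls_user).
      WRITE: / ls_user-bname, ls_user-parva.
    ENDLOOP.
    lv_msg = |{ lines( lt_users ) } users have { gc_parid } set|.
  ENDIF.
  WRITE / lv_msg.

  " For the current session, the pre-correction branch would evaluate to:
  DATA(lv_show) = lcl_view=>show_details( ).
  lv_msg = |Current user { sy-uname }: show_details = { lv_show }|.
  WRITE / lv_msg.
```

USR05 only covers parameters stored in the user master. Because any program can also set the same ID at runtime with SET PARAMETER ID, a search of the custom code base for that parameter ID rounds off the check before the note is declared harmless.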

This completes the September Patch Day for our HCM system.
See you in four weeks and “Happy Patching!”