SAP Security Patch Day 11/2022

“November 2022 Patch Day”

Last Tuesday, November 8th, 2022, was the SAP Security Patch Day for this month: a total of 14 notes are available for SAP customers to apply. Of course, not all notes are relevant; that depends on the products, components and versions of the SAP system in use. As always, we report here on the patching of our productive SAP HCM line with the “HCM glasses” on.

After downloading, four notes are displayed as installable. It is striking that all four concern very central building blocks of the SAP system, e.g. the UI5 framework or the file handling in the Transport Management System (TMS). These are parts that should actually be mature and well tested by now; nevertheless, the security researchers were successful. The following notes have been implemented in our system in the meantime:

  • 3249990: [CVE-2021-20223] Multiple Vulnerabilities in SQlite bundled with SAPUI5 (CVSS 9.8)

With a CVSS score of 9.8, the issue addressed by this note carries a very high risk, so the fix should be applied promptly. However, this is not a classical ABAP program correction but a patch of the SAP UI5 component, i.e. it cannot be imported in transaction SNOTE. The last time this was necessary was on Security Patch Day in April 2022. The SAP UI5 framework itself incorporates other libraries, such as SQLite, which are brought up to date as part of this patch.

  • 3256571 [CVE-2022-41214] Multiple vulnerabilities in SAP NetWeaver Application Server ABAP and ABAP Platform (CVSS 8.7)

This note is also in the critical area with CVSS 8.7. It corrects a directory traversal vulnerability that allows attackers to access files outside the originally intended path. As part of the fix, proper validation of file paths is introduced. Since this leaves “regular” calls unaffected and only filters out the malicious ones, it was decided to apply the note directly.
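The validation principle described above, as an added illustration in Python (not SAP's ABAP correction and not code from this post): a requested file name is resolved against a base directory and accepted only if the normalized result stays inside it, so regular calls pass unchanged. The base directory, function names and sample paths are constructed assumptions.

```python
import posixpath

# Assumed base directory for this illustration (constructed, not from the SAP note).
BASE_DIR = "/usr/sap/trans"

def resolve_inside(base_dir, requested):
    """Return the normalized path if it stays under base_dir, else raise ValueError.

    Purely lexical check: on a real filesystem, symbolic links must also be
    resolved (e.g. os.path.realpath) before the containment test.
    """
    if "\x00" in requested:
        raise ValueError("NUL byte in file name")
    base = posixpath.normpath(base_dir)
    # join() discards base when `requested` is absolute; normpath() collapses "." and "..".
    candidate = posixpath.normpath(posixpath.join(base, requested))
    # Compare against base + "/" so that a sibling such as /usr/sap/transfer
    # does not pass a naive string-prefix test.
    if candidate != base and not candidate.startswith(base + "/"):
        raise ValueError(f"path escapes {base}: {requested!r}")
    return candidate

def classify(requests, base_dir=BASE_DIR):
    """Split requested names into accepted (resolved) and rejected lists."""
    accepted, rejected = [], []
    for name in requests:
        try:
            accepted.append(resolve_inside(base_dir, name))
        except ValueError:
            rejected.append(name)
    return accepted, rejected

# Constructed sample input: three regular requests, four that leave the base directory.
SAMPLE = [
    "data/R900123.ABC",
    "cofiles/K900123.ABC",
    "data/./tmp/../R900123.ABC",
    "../../../etc/passwd",
    "/etc/passwd",
    "../transfer/secret.txt",
    "data/../../trans_backup/x",
]

if __name__ == "__main__":
    ok, bad = classify(SAMPLE)
    print("accepted:", ok)
    print("rejected:", bad)
```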

  • 3218159 Insufficient Session Expiration in Central Fiori Launchpad (CVSS 6.1)

This fix corrects an erroneous behavior in session management that causes some sessions to be kept longer than necessary. Again, no negative impact is expected and the note was applied directly in transaction SNOTE.

  • 3251202 [CVE-2022-41215] URL Redirection vulnerability in SAP NetWeaver ABAP Server and ABAP Platform (CVSS 4.7)

This fix touches CL_HTTP_WHITELIST and CL_HTTP_UTILITY, two central classes that are well known to ABAP developers.

Finally, let’s put on the “HCM glasses” again: although we don’t use SuccessFactors ourselves, many of our customers do, and for them note 3226411 could be of interest. It is critical with a CVSS score of 8.1 and closes a vulnerability with which attackers can bypass authorization checks in mobile scenarios (iOS and Android end devices).

That’s it for this month. The next Patch Day in December will conclude the patching activities for the year 2022 and, in addition to a look at the current notes, we will also take a look back at the year.