SAP Security Patch Day 12/2022

('ZCL_SMARTERSEC')=>SEND_REGARDS( iv_title = 'Frohe Weihnachten' ).

Tuesday, 12/13/2022: the last SAP Security Patch Day of 2022 is now a few days behind us, and as always we report here on our experience with the patch process for the HCM system. In total, 20 Security Notes have been provided to SAP customers since the November deadline, 9 of them with a CVSS score of 8 or higher.

In the first step, these fixes are filtered by the components and versions of our HCM system, after which 5 notes remained. The correction instruction of Note 3249990 is to bring the SAPUI5 runtime environment up to date, which we already did last month. That leaves 4 notes to install: again a reasonably manageable amount. First of all: after inspection, all of them could be installed directly and without any problems.

I would like to mention 2 notes at this point. One is 3271091, which contains an unusual manual activity: the authorization role SAP_BPC_ADMIN exists without generated profiles, and in the context of this note the profile generation is performed retroactively.

The other note, 3268172, was rated by SAP with a CVSS score of 8.8; this one makes the heart of every ABAP developer (or at least of the author) beat faster. Packaged in an RFC-enabled function module, we find two so-called “Generic ABAP Module Calls” that allow any static method, or any method of a serializable class, to be executed. From a technical point of view this is great coding; from a security point of view it is absolutely toxic. As a countermeasure one could have imagined validation against a whitelist or additional authorization checks, but SAP has simply commented out the code entirely. Also good!
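As an added illustration, constructed for this post and not the code from the note (the function module name Z_SMARTERSEC_DYN_CALL_SAFE, the allow list and the authorization object ZSEC_DYNC are hypothetical), this is what the hardened form of such a generic module call could look like: the caller-supplied class and method names are validated against an allow list and covered by an authorization check before the dynamic call is made.

```abap
"* Hypothetical RFC-enabled function module, not the one corrected by SAP.
"* Shows the whitelist plus authorization-check variant of a generic call.
FUNCTION z_smartersec_dyn_call_safe.
*"----------------------------------------------------------------------
*"  IMPORTING
*"     VALUE(IV_CLASS)  TYPE SEOCLSNAME
*"     VALUE(IV_METHOD) TYPE SEOCPDNAME
*"  EXCEPTIONS
*"     NOT_ALLOWED
*"     NO_AUTHORITY
*"----------------------------------------------------------------------
  TYPES: BEGIN OF ty_allowed,
           clsname TYPE seoclsname,
           cpdname TYPE seocpdname,
         END OF ty_allowed,
         ty_allowed_tab TYPE STANDARD TABLE OF ty_allowed WITH DEFAULT KEY.

  " Constructed allow list of class/static-method pairs that may be called.
  " In a real system this would live in a customizing table, not in code.
  DATA(lt_allowed) = VALUE ty_allowed_tab(
    ( clsname = 'ZCL_SMARTERSEC' cpdname = 'SEND_REGARDS' ) ).

  " Normalize the input so that case differences cannot bypass the list.
  DATA(lv_class)  = to_upper( iv_class ).
  DATA(lv_method) = to_upper( iv_method ).

  " 1. Whitelist: reject anything that is not explicitly listed.
  IF NOT line_exists( lt_allowed[ clsname = lv_class cpdname = lv_method ] ).
    RAISE not_allowed.
  ENDIF.

  " 2. Authorization check on a hypothetical custom object ZSEC_DYNC
  "    (field CLSNAME, activity 16 = Execute), on top of the S_RFC check
  "    that the RFC runtime performs for the function module itself.
  AUTHORITY-CHECK OBJECT 'ZSEC_DYNC'
    ID 'CLSNAME' FIELD lv_class
    ID 'ACTVT'   FIELD '16'.
  IF sy-subrc <> 0.
    RAISE no_authority.
  ENDIF.

  " 3. Only now perform the dynamic static-method call. The toxic variant
  "    described above reaches this statement without steps 1 and 2.
  CALL METHOD (lv_class)=>(lv_method).
ENDFUNCTION.
```

Whether the allow list or the commented-out code is the right fix depends on whether the generic call is needed at all; SAP chose the latter for the note discussed here.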

And that’s it for this month – we’ll continue in January 2023! Until then, we wish you a Merry Christmas!