Wednesday 9 February 2022

SAP Releases February 2022 Security Updates, Including Critical Vulnerabilities

Summary

SAP released its February 2022 Security Updates addressing vulnerabilities in multiple products, including Content Server, NetWeaver, Business Client, S/4HANA, and Solution Manager. In total, there are 19 security patches, five of which are updates to previously released patches. CVSS scores range from 3.7 to 10.0.

The following vulnerabilities are critical and new to this monthly update:

  • CVE-2022-22536 (CVSS 10.0): an HTTP request smuggling and request concatenation vulnerability in SAP NetWeaver, Content Server, and Web Dispatcher
  • CVE-2021-44228 (CVSS 10.0): a remote code execution (RCE) vulnerability in SAP Commerce arising from the Apache Log4j component it uses
  • CVE-2022-22544 (CVSS 9.1): a missing segregation-of-duties vulnerability in SAP Solution Manager Diagnostics Root Cause Analysis Tools

Fixes for the following additional high-severity vulnerabilities are included in this month’s release:

  • CVE-2022-22532 (CVSS 8.1): SAP NetWeaver Application Server Java
  • CVE-2022-22540 (CVSS 7.1): SAP NetWeaver AS ABAP (Workplace Server)

Analysis

Affected Versions

These vulnerabilities affect versions of the following SAP products:

  • SAP Web Dispatcher
  • SAP NetWeaver
  • SAP Commerce
  • SAP Data Intelligence
  • SAP Solution Manager
  • SAP Business Objects Web Intelligence
  • SAP Adaptive Server Enterprise
  • SAP S/4HANA

Please refer to the SAP Security Patch Day page (linked in the References section) for the affected version ranges and the corresponding SAP Security Notes.

Potential Impact

Successful exploitation of these vulnerabilities could allow attackers to gain access to affected systems, leading to theft or exfiltration of sensitive data, financial fraud, elevation of privileges, denial-of-service (DoS) conditions, cross-site scripting, remote code execution, or a complete halt of business operations.

Recommendations

SAP has released software updates that address these vulnerabilities.

Clients are advised to apply these software updates as soon as possible, after appropriate evaluation and testing have been completed.

References

https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing