Going forward SAP Security Patch Day blogs will be published here: dam.sap.com
This post by SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that the customer visits the Support Portal and applies patches on a priority to protect their SAP landscape.
On 8th of February 2022, SAP Security Patch Day saw the release of 14 new Security Notes. 1 security note was released out-of-band. Further, there were 5 updates to previously released Patch Day Security Notes.
List of security notes released on February Patch Day:
[CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
|3142773||[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce|
Related CVEs - CVE-2021-45046, CVE-2021-45105, CVE-2021-44832
Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011
|3130920||Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise)|
Related CVEs - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
Product - SAP Data Intelligence, Version - 3
|3139893||[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management|
Related CVEs - CVE-2021-44228, CVE-2021-45046
Product - SAP Dynamic Authorization Management, Version - 22.214.171.124, 2021.03
|3132922||Update to Security Note released in December 2021:|
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform
Related CVEs - CVE-2021-45105, CVE-2021-45046 , CVE-2021-44832
Product - Internet of Things Edge Platform, Version - 4.0
|3133772||Update to Security Note released in December 2021:|
[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout
Related CVEs - CVE-2021-45046, CVE-2021-45105
Product - SAP Customer Checkout, Version - 2
|3131047||Update to Security Note released in December 2021:|
[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component
|2622660||Update to Security Note released on April 2018 Patch Day:|
Security updates for the browser control Google Chromium delivered with SAP Business Client
Product – SAP Business Client, Version – 6.5
|3140940||[CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools|
Product - SAP Solution Manager (Diagnostics Root Cause Analysis Tools), Version - 720
|3112928||Update to Security Note released on January 2022 Patch Day:|
[CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA
Additional CVE - CVE-2022-22530
Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106
[CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java
|3140587||[CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server)|
Product - SAP NetWeaver AS ABAP (Workplace Server), Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787
[CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver
[CVE-2022-22535] Missing Authorization check in SAP ERP HCM
[CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad)
[CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise
[CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)
[CVE-2022-22545]Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform
[CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel)
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in SAP Support Portal
** Any Patch Day Security Note released after the second Tuesday, will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after January 11, 2021, go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'January 12, 2021 - February 8, 2022' → Go.
To know more about the security researchers and research companies who have contributed for security patches of this month, visit here.
For any questions/concerns/comments relating to content of the Patch Day Security Notes, please raise a ticket by using the SAP ONE Support Launchpad to get real-time support from an expert.
Do write to us at firstname.lastname@example.org with feedback on this blog post.