Going forward SAP Security Patch Day blogs will be published here: dam.sap.com
This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply the patches with priority to protect their SAP landscape.
On 8 February 2022, SAP Security Patch Day saw the release of 14 new Security Notes. One security note was released out-of-band. Further, there were 5 updates to previously released Patch Day Security Notes.
List of security notes released on February Patch Day:
| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher | Hot News | 10 |
| 3142773 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce; Related CVEs - CVE-2021-45046, CVE-2021-45105, CVE-2021-44832; Product - SAP Commerce, Versions - 1905, 2005, 2105, 2011 | Hot News | 10 |
| 3130920 | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise); Related CVEs - CVE-2021-44228, CVE-2021-45046, CVE-2021-45105; Product - SAP Data Intelligence, Version - 3 | Hot News | 10 |
| 3139893 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management; Related CVEs - CVE-2021-44228, CVE-2021-45046; Product - SAP Dynamic Authorization Management, Version - 9.1.0.0, 2021.03 | Hot News | 10 |
| 3132922 | Update to Security Note released in December 2021: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform; Related CVEs - CVE-2021-45105, CVE-2021-45046, CVE-2021-44832; Product - Internet of Things Edge Platform, Version - 4.0 | Hot News | 10 |
| 3133772 | Update to Security Note released in December 2021: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout; Related CVEs - CVE-2021-45046, CVE-2021-45105; Product - SAP Customer Checkout, Version - 2 | Hot News | 10 |
| 3131047 | Update to Security Note released in December 2021: [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | Hot News | 10 |
| 2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product - SAP Business Client, Version - 6.5 | Hot News | 10 |
| 3140940 | [CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools; Product - SAP Solution Manager (Diagnostics Root Cause Analysis Tools), Version - 720 | Hot News | 9.1 |
| 3112928 | Update to Security Note released on January 2022 Patch Day: [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA; Additional CVE - CVE-2022-22530; Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106 | High | 8.7 |
| 3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java | High | 8.1 |
| 3140587 | [CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server); Product - SAP NetWeaver AS ABAP (Workplace Server), Versions - 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787 | High | 7.1 |
| 3124994 | [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver | Medium | 4.7 |
| 3126489 | [CVE-2022-22535] Missing Authorization check in SAP ERP HCM | Medium | 6.5 |
| 3126748 | [CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad) | Medium | 5.4 |
| 3134684 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer | Medium | 4.3 |
| 3140564 | [CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise | Medium | 5.6 |
| 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer) | Medium | 6.5 |
| 3128473 | [CVE-2022-22545] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform | Medium | 4.9 |
| 3116223 | [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel) | Low | 3.7 |
* Patch Day Security Notes are all notes that appear under the category "Patch Day Notes" in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to see all Security Notes published or updated after January 11, 2021 can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'January 12, 2021 - February 8, 2022' → Go.
To learn more about the security researchers and research companies who contributed to this month's security patches, visit here.
For any questions/concerns/comments relating to content of the Patch Day Security Notes, please raise a ticket by using the SAP ONE Support Launchpad to get real-time support from an expert.
Do write to us at secure@sap.com with feedback on this blog post.
SAP Product Security Response Team
Aditi Kulkarni
Hi Ray,
We kindly request you to raise a ticket by using the SAP ONE Support Launchpad to get real-time support from an expert.
https://launchpad.support.sap.com/
Thank you
Johannes Goerlich
Hello Aditi,
somehow I'm missing the SAP note 3147501 - SAP Cloud Connector - CVE-2021-42550 - logback.
Even though this is not about a vulnerability related to an SAP product, it seems that a flaw in SAP Cloud Connector can be used to exploit the vulnerability (CVE-2021-42550, CVSS 8.5) in logback <=1.2.7.
Best regards,
Joe
Marco Hammel
Yes, at least as an attack vector for all active ICF services exposed via Web Dispatcher.
Andrew Fernando
Hello Colleagues.
Unless I miss my guess, a Kernel upgrade/update (to 915 +) should get us past this issue.
Am I right?
Thank you.
Andrew Fernando
Ralf Wahlen
@Andrew, right, so it is. It's an emergency change that we started with our hosting provider today. They considered this procedure to be an emergency procedure.
Mark Hallett
If your Application Server sits behind a reverse proxy SAP Web Dispatcher, then you just need to patch the Kernel on the Web Dispatcher to Kernel 227 (or above). If your Application Server sits behind a 3rd-party gateway instead, then you need Kernel 915 (or above) for your Application Server. If that Application Server Kernel is not available, then the dw_921-80002612.sar (or above) also contains the fix. SAP are updating the "Related info" on the dw_921-80002612.sar to state Note 3123396, as I advised them it wasn't listed.
Hope that helps
Mark Hallett
Christian Braukmüller
Hi Mark Hallett
"If your Application Server sits behind a reverse proxy SAP Web Dispatcher then you just need to patch the Kernel on the Web Dispatcher to Kernel 227 (or above)." Are you sure about that?
Following the note, you can do this only for Web Dispatchers that are used for an ABAP stack,
but you have to set a parameter:
wdisp/additional_conn_close=TRUE (Note 3138881)
For Web Dispatchers in front of JAVA stacks this causes issues, therefore this does not work.
Christian
----
My 5 cents from customer side:
The whole description of the issue, patch and workaround is pretty hard to handle
and spread over multiple SAP Notes that are constantly updated.
Mark Hallett
Hi Christian Braukmüller
Yes, you are correct: the wdisp/additional_conn_close=TRUE (3138881) is a workaround if you cannot apply the Kernel patch to the Application Server for some reason, plus you are also sitting behind an SAP Web Dispatcher.
Too many Notes
Mark Hallett
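One way to confirm whether the Note 3138881 workaround that Christian and Mark discuss is actually in place is to read the parameter out of the Web Dispatcher instance profile. This is an added example, not code from SAP or from the commenters; it assumes the standard SAP profile syntax (one `parameter = value` per line, `#` starting a comment, the last assignment winning) and uses a constructed sample profile.

```python
"""Check an SAP Web Dispatcher profile for the wdisp/additional_conn_close
workaround (Note 3138881). Added example, not SAP code.

Assumes the usual SAP profile syntax: one 'parameter = value' per line,
'#' starts a comment, and a later assignment overrides an earlier one.
"""
import re

PARAM = "wdisp/additional_conn_close"

# Constructed sample profile for the demo (not a real customer file).
SAMPLE_PROFILE = """\
# Web Dispatcher instance profile (constructed sample)
SAPSYSTEMNAME = WD1
wdisp/system_0 = SID=ABC, MSHOST=msabc, MSPORT=8100, SRCSRV=*:443
wdisp/additional_conn_close = FALSE   # set during install
wdisp/additional_conn_close = TRUE    # workaround from Note 3138881
"""

# key = first '=' delimited token; value = everything after it, trimmed.
_LINE = re.compile(r"^\s*([^#=\s][^=]*?)\s*=\s*(.*?)\s*$")


def parse_profile(text):
    """Return {parameter: value}; the last assignment of a parameter wins."""
    params = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0]  # drop trailing comment (values hold no '#')
        m = _LINE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params


def check_conn_close(text):
    """Classify the workaround state as 'enabled', 'disabled' or 'missing'."""
    value = parse_profile(text).get(PARAM)
    if value is None:
        return "missing"
    return "enabled" if value.strip().upper() == "TRUE" else "disabled"


if __name__ == "__main__":
    print(PARAM, "is", check_conn_close(SAMPLE_PROFILE))
```

As Christian notes above, "enabled" is only the desired state for a Web Dispatcher in front of an ABAP stack; the check reports the state, it does not decide whether the parameter should be set.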
Johannes Goerlich
my conclusion for this can be found at https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher