This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches on priority to protect their SAP landscape.
On 11th of January 2022, SAP Security Patch Day saw the release of 11 new Patch Day Security Notes. 16 security notes were released out-of-band. Further, there were 3 updates to Patch Day Security Notes released previously.
Note: 3131047 consolidates all Security Notes addressing recent vulnerabilities related to the Apache Log4j 2 component. This security note is a living document that will be updated when a new Security Note is released. Please refer to the central Security Note for up-to-date information about all released Apache Log4j 2 related Security Notes.
List of security notes released on January Patch Day:
Note# | Title | Priority | CVSS |
3131047 | [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component. Consolidated Security Note list (Product: Security Note #) | Hot News | 10 |
3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA. Additional CVE - CVE-2022-22530. Product - SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106 | High | 8.7 |
3123196 | Update to Security Note released on December 2021 Patch Day: [CVE-2021-44235] Code Injection vulnerability in utility class for SAP NetWeaver AS ABAP. Product - SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | High | 8.4 |
3101299 | [CVE-2021-42066] Information Disclosure vulnerability in SAP Business One. Product - SAP Business One, Version - 10 | Medium | 6.6 |
3106528 | [CVE-2021-44234] Information Disclosure vulnerability in SAP Business One. Product - SAP Business One, Version - 10 | Medium | 6.5 |
3124597 | [CVE-2022-22529] Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Threat Detection | Medium | 6.1 |
3112710 | [CVE-2021-42067] Information Disclosure vulnerability in SAP NetWeaver Application Server for ABAP and ABAP Platform. Product - SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786 | Medium | 4.3 |
3121165 | Update to Security Note released on December 2021 Patch Day: [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer. CVEs - CVE-2021-42068, CVE-2021-42070, CVE-2021-42069, CVE-2021-42069. Product - SAP 3D Visual Enterprise Viewer, Version - 9 | Medium | 4.3 |
3080816 | Update to Security Note released on December 2021 Patch Day: [CVE-2021-44233] Missing Authorization check in GRC Access Control. Product - SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750 | Low | 2.4 |
* Patch Day Security Notes are all notes that appear under the category of “Patch Day Notes” in the SAP Support Portal.
** Any Patch Day Security Note released after the second Tuesday will be accounted for in the following SAP Security Patch Day.
Customers who would like to take a look at all Security Notes published or updated after December 14, 2021, can go to Launchpad Expert Search → Filter 'SAP Security Notes' released between 'December 15, 2021 - January 11, 2022' → Go.
To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.
Do write to us at secure@sap.com with all your comments and feedback on this blog post.
2 Comments
Jan Goedtke
What about
3136034 - Update SAP HANA Cockpit to fix the vulnerability related to remote code execution associated with Apache Log4j - SAP ONE Support Launchpad
Tobias Harmes
Hi. Could you make this page a sub-page to "SAP Security Patch Day 2022" please?