The latest SAP Patch Day for September 2022 addresses vulnerabilities in multiple products, with the highest priority fixes going to SAP Business One (SAP B1), SAP BusinessObjects, and SAP GRC.
The SAP Product Security Response Team publishes SAP Security Notes on the second Tuesday of every month so that customers can apply critical patches as soon as possible and keep their SAP landscapes secure. To protect its customers and partners, SAP works with independent researchers and security research firms such as Onapsis to find and fix vulnerabilities.
September brought 16 new and updated SAP Security Notes, including one HotNews Note and six High Priority Notes. Three of the High Priority Notes are new, addressing SAP B1, SAP BusinessObjects, and SAP GRC respectively. SAP SuccessFactors customers will also be pleased to learn that the attachment feature in the Mobile Application, which an earlier patch had disabled, has been restored for three of the four affected modules.
“With 16 new and updated Security Notes, including the well-known SAP Business Client HotNews Note and three new High Priority Notes, this is another calm Patch Day for SAP customers,” stated Thomas Fritsch, Onapsis Research Manager of Content and Technical Research.
SAP Business Client customers can expect to encounter a HotNews Note almost every month. At the end of August, ahead of this month’s Patch Day, SAP published another update of the regularly recurring SAP Security Note #2622660. This version fixes 55 flaws in Chromium, one of them rated critical and 28 rated high.
The highest CVSS score among this month’s patched vulnerabilities is 8.8. Because the three newly issued High Priority Notes each cover a different SAP application, no single product stands out this Patch Day.
Emphasizing High Priority Notes for September SAP Patch Day
Of the three new High Priority Notes, SAP Security Note #3223392 carries the highest CVSS score, 7.8, and is therefore the most important. It fixes an Unquoted Service Path vulnerability in SAP B1.
An Unquoted Service Path lets an attacker who can write to a directory along the service’s executable path plant a binary that Windows runs instead of the intended one when the service starts. Because the service runs with elevated rights, this can escalate the attacker’s privileges to SYSTEM. The issue is resolved in SAP Business One FP2202HF1.
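To make the mechanism concrete, the following is an added example (not code from SAP, Onapsis, or this article) that audits Windows service ImagePath values for the unquoted-path condition. For each vulnerable entry it lists the binaries Windows would try, in order, before reaching the real executable, and produces the quoted command line an administrator would set with `sc config <service> binPath=`. The service names and paths in SAMPLE_SERVICES are constructed for illustration and are not the actual SAP Business One service definitions; on a Windows host, `scan_local_services()` reads the real values from the registry.

```python
"""Audit Windows service command lines for the Unquoted Service Path weakness.

Added example. The entries in SAMPLE_SERVICES are constructed and are not the
real SAP Business One service definitions.
"""
import os
import sys
from typing import Dict, List

# Constructed ImagePath values in the form found under
# HKLM\SYSTEM\CurrentControlSet\Services\<name>\ImagePath (hypothetical names).
SAMPLE_SERVICES: Dict[str, str] = {
    "ExampleB1Service": r"C:\Program Files\SAP\SAP Business One\ServiceLayer\svc.exe -k start",
    "QuotedVendorAgent": r'"C:\Program Files\Vendor\Agent\agent.exe" --service',
    "NoSpacesInPath": r"C:\Windows\System32\svchost.exe -k netsvcs",
    "KernelDriver": r"\SystemRoot\System32\drivers\example.sys",
}


def executable_part(image_path: str) -> str:
    """Return the executable portion of an unquoted command line.

    Heuristic: the executable ends at the first space-separated token ending in
    ".exe"; if no token does, the whole string is treated as the path.
    """
    tokens = image_path.split(" ")
    for i, tok in enumerate(tokens):
        if tok.lower().endswith(".exe"):
            return " ".join(tokens[: i + 1])
    return image_path


def is_unquoted_with_spaces(image_path: str) -> bool:
    """True when the path is not wrapped in quotes and the executable path contains a space."""
    path = image_path.strip()
    if path.startswith('"'):
        return False
    return " " in executable_part(path)


def hijack_candidates(image_path: str) -> List[str]:
    r"""Binaries CreateProcess would try, in order, before reaching the real executable.

    For C:\Program Files\Sub Dir\prog.exe Windows tries C:\Program.exe, then
    C:\Program Files\Sub.exe, and only then C:\Program Files\Sub Dir\prog.exe.
    An attacker who can write to C:\ or C:\Program Files\ can plant an earlier
    candidate, which the service then runs with its own privileges.
    """
    if not is_unquoted_with_spaces(image_path):
        return []
    tokens = image_path.strip().split(" ")
    candidates: List[str] = []
    for i in range(1, len(tokens)):
        prefix = " ".join(tokens[:i])
        if prefix.lower().endswith(".exe"):
            break  # reached the real executable; later tokens are arguments
        candidates.append(prefix + ".exe")  # CreateProcess appends .exe to an extension-less name
    return candidates


def quoted_fix(image_path: str) -> str:
    """Return the command line with the executable quoted (the value to set via
    `sc config <service> binPath= ...`); unchanged when no fix is needed."""
    if not is_unquoted_with_spaces(image_path):
        return image_path
    path = image_path.strip()
    exe = executable_part(path)
    return f'"{exe}"{path[len(exe):]}'


def audit(services: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each vulnerable service name to the binaries an attacker could plant."""
    return {name: hijack_candidates(p) for name, p in services.items() if is_unquoted_with_spaces(p)}


def scan_local_services() -> Dict[str, List[str]]:
    """On Windows, audit every service's ImagePath from the registry; empty elsewhere."""
    if sys.platform != "win32":
        return {}
    import winreg  # only available on Windows

    found: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        index = 0
        while True:
            try:
                name = winreg.EnumKey(root, index)
            except OSError:
                break  # no more subkeys
            index += 1
            try:
                with winreg.OpenKey(root, name) as svc:
                    image_path, _ = winreg.QueryValueEx(svc, "ImagePath")
            except OSError:
                continue  # key without an ImagePath value
            found[name] = os.path.expandvars(str(image_path))
    return audit(found)


if __name__ == "__main__":
    for name, cands in {**audit(SAMPLE_SERVICES), **scan_local_services()}.items():
        print(f"[!] {name}")
        for cand in cands:
            print(f"    attacker-controlled candidate: {cand}")
        print(f"    fix: {quoted_fix(SAMPLE_SERVICES.get(name, ''))}")
```

Whether a candidate is actually exploitable depends on the ACL of its parent directory; on a default install `C:\` and `C:\Program Files\` are not writable by standard users, so the finding must be paired with a permissions check (for example `icacls` on each candidate's directory) before it is treated as a privilege escalation path.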
The second new High Priority Note, with a CVSS score of 7.7, addresses an Information Disclosure risk in SAP BusinessObjects. The vulnerability lies in the Central Management Console of the SAP BusinessObjects Business Intelligence Platform; under certain conditions an attacker can gain access to sensitive information that is not encrypted.
Separately, SAP Security Note #2998510 (CVSS 7.8), which fixes an Information Disclosure vulnerability in SAP BusinessObjects, was updated. The revision expands the Solution section of the note to better explain the affected operating systems and other prerequisites.
The third new High Priority Note, SAP Security Note #3237075 (CVSS 7.1), affects SAP GRC customers. Because of the reported flaw, a malicious user could reopen a previously closed Firefighter session from the Firefighter Logon Pad. The note details further prerequisites concerning the authorizations of the configured RFC user.
It also states that the provided correction instructions do not cover systems running SAP NetWeaver 7.02; SAP recommends upgrading the SAP Basis version first.
Detailing More SAP Security Notes
The updated High Priority Notes also bring good news for SAP SuccessFactors users. SAP Security Note #3226411 (CVSS 8.1) was released at the end of July 2022. Its original patch disabled downloading, uploading, and previewing of attachments in the affected SAP SF Mobile Application modules (Time Off, Time Sheet, EC Workflow, and Benefit). The update released for September’s Patch Day restores attachment functionality for three of the four affected modules.
Two further High Priority Notes were re-released with only minor changes to their text or structure. SAP Security Note #3102769 (CVSS 8.8) fixes a Cross-Site Scripting vulnerability in SAP Knowledge Warehouse and includes a workaround describing how to disable the vulnerable display component. Since there are two different ways to disable it, the workaround was moved into a separate note, SAP Note #3221696.