On 8 February, SAP released security updates comprising 14 new patches, 9 of which are critical.

CERT PSE encourages administrators to review the SAP Security Patch Day notes and apply the necessary updates.

Full list of patches:

| Note# | Title | Priority | CVSS |
|---|---|---|---|
| 3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher<br>Product – SAP Web Dispatcher, Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87<br>Product – SAP Content Server, Version – 7.53<br>Product – SAP NetWeaver and ABAP Platform, Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49 | Hot News | 10 |
| 3142773 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce<br>Related CVEs – CVE-2021-45046, CVE-2021-45105, CVE-2021-44832<br>Product – SAP Commerce, Versions – 1905, 2005, 2105, 2011 | Hot News | 10 |
| 3130920 | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise)<br>Related CVEs – CVE-2021-44228, CVE-2021-45046, CVE-2021-45105<br>Product – SAP Data Intelligence, Version – 3 | Hot News | 10 |
| 3139893 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management<br>Related CVEs – CVE-2021-44228, CVE-2021-45046<br>Product – SAP Dynamic Authorization Management, Version – 9.1.0.0, 2021.03 | Hot News | 10 |
| 3132922 | Update to Security Note released in December 2021:<br>[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform<br>Related CVEs – CVE-2021-45105, CVE-2021-45046, CVE-2021-44832<br>Product – Internet of Things Edge Platform, Version – 4.0 | Hot News | 10 |
| 3133772 | Update to Security Note released in December 2021:<br>[CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout<br>Related CVEs – CVE-2021-45046, CVE-2021-45105<br>Product – SAP Customer Checkout, Version – 2 | Hot News | 10 |
| 3131047 | Update to Security Note released in December 2021:<br>[CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | Hot News | 10 |
| 2622660 | Update to Security Note released on April 2018 Patch Day:<br>Security updates for the browser control Google Chromium delivered with SAP Business Client<br>Product – SAP Business Client, Version – 6.5 | Hot News | 10 |
| 3140940 | [CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools<br>Product – SAP Solution Manager (Diagnostics Root Cause Analysis Tools), Version – 720 | Hot News | 9.1 |
| 3112928 | Update to Security Note released on January 2022 Patch Day:<br>[CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA<br>Additional CVE – CVE-2022-22530<br>Product – SAP S/4HANA, Versions – 100, 101, 102, 103, 104, 105, 106 | High | 8.7 |
| 3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java<br>Product – SAP NetWeaver Application Server Java, Versions – KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC, 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53 | High | 8.1 |
| 3140587 | [CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server)<br>Product – SAP NetWeaver AS ABAP (Workplace Server), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787 | High | 7.1 |
| 3124994 | [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver<br>Product – SAP NetWeaver (ABAP and Java application Servers), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 4.7 |
| 3126489 | [CVE-2022-22535] Missing Authorization check in SAP ERP HCM<br>Product – SAP ERP HCM (Portugal), Versions – 600, 604, 608 | Medium | 6.5 |
| 3126748 | [CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad)<br>Product – SAP Business Objects Web Intelligence (BI Launchpad), Version – 420 | Medium | 5.4 |
| 3134684 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer<br>CVEs – CVE-2022-22537, CVE-2022-22539, CVE-2022-22538<br>Product – SAP 3D Visual Enterprise Viewer, Version – 9.0 | Medium | 4.3 |
| 3140564 | [CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise<br>Product – SAP Adaptive Server Enterprise, Version – 16.0 | Medium | 5.6 |
| 3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer)<br>Product – SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer), Versions – 104, 105, 106 | Medium | 6.5 |
| 3116223 | [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel)<br>Product – SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel), Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49 | Low | 3.7 |