Patchday: SAP fixes eight newly discovered security issues

For this year's May patch day, SAP closes security vulnerabilities affecting eight products. In addition, the company has updated four other advisories on previously patched vulnerabilities.

SAP classifies three of the newly reported vulnerabilities as critical, or "hot news" in SAP's own terminology. All three relate to the Spring Framework and allow attackers to inject and execute malicious code (CVE-2022-22965, CVSS 9.8, risk "critical"). Affected are SAP Business One Cloud 1.1; SAP Commerce 1905, 2005, 2105 and 2011; and SAP Customer Profitability Analytics 2.

The developers classify two further vulnerabilities as high risk: a cross-site scripting vulnerability in SAP Web Dispatcher and SAP NetWeaver AS for ABAP and Java (ICM) (CVE-2022-27656, CVSS 8.3, high), and a possible information disclosure in the Central Management Server of the SAP BusinessObjects Business Intelligence Platform (CVE-2022-28214, CVSS 7.8, high).

SAP has also tracked down and fixed medium-severity vulnerabilities in SAP NetWeaver Application Server for ABAP and ABAP Platform, SAP Employee Self Service (Fiori My Leave Request) and SAP Host Agent. The updated advisories concern the central summary note for the critical Spring Framework vulnerabilities as well as medium-risk vulnerabilities in SAP BusinessObjects Business Intelligence Platform and SAP NetWeaver.

SAP has again published the overview of the individual security notes as an updated PDF file. Administrators should schedule a maintenance window soon to install the available updates and reduce the attack surface exposed to potential attackers.
