Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches High-Severity NetWeaver Vulnerabilities

SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.

Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.

SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.

Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.

Considered “high priority,” the most severe of the newly released notes deals with CVE-2022-27668 (CVSS score of 8.6), an improper access control related to the SAProuter proxy in NetWeaver and ABAP Platform.

“A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems,” business application security firm Onapsis explains.

While a workaround exists for this issue – involving route permission table hardening and removing the wildcards from type ‘P’ and ‘S’ entries – customers are advised to apply the available patch as soon as possible.

Onapsis also points out that SAP has also addressed an improper access control in NetWeaver AS Java, another high-severity flaw (CVSS score of 8.2) that can lead to system compromise. The security note for this bug was released after the second Tuesday of last month, along with four other notes.

On June 2022 Security Patch Day, SAP also released a note to address CVE-2022-31590 (CVSS score of 7.8), a privilege escalation issue in PowerDesigner Proxy 16.7.

All of the remaining new and updated security notes announced this week are “medium priority” or “low priority.”

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities catalog three security holes in SAP NetWeaver, namely CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388.

Exploitation of these vulnerabilities was observed by Onapsis, but the company has not shared any information about the attacks.

Related: SAP Patches Spring4Shell Vulnerability in More Products

Related: SAP Releases Patches for Spring4Shell Vulnerability

Related: SAP Patches Critical Security Flaws in Monitoring Solutions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.