SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.
Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.
Considered “high priority,” the most severe of the newly released notes deals with CVE-2022-27668 (CVSS score of 8.6), an improper access control related to the SAProuter proxy in NetWeaver and ABAP Platform.
“A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems,” business application security firm Onapsis explains.
While a workaround exists for this issue – involving route permission table hardening and removing the wildcards from type ‘P’ and ‘S’ entries – customers are advised to apply the available patch as soon as possible.
Onapsis also points out that SAP has also addressed an improper access control in NetWeaver AS Java, another high-severity flaw (CVSS score of 8.2) that can lead to system compromise. The security note for this bug was released after the second Tuesday of last month, along with four other notes.
On June 2022 Security Patch Day, SAP also released a note to address CVE-2022-31590 (CVSS score of 7.8), a privilege escalation issue in PowerDesigner Proxy 16.7.
All of the remaining new and updated security notes announced this week are “medium priority” or “low priority.”
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities catalog three security holes in SAP NetWeaver, namely CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388.
Exploitation of these vulnerabilities was observed by Onapsis, but the company has not shared any information about the attacks.
Related: SAP Patches Spring4Shell Vulnerability in More Products
Related: SAP Releases Patches for Spring4Shell Vulnerability
Related: SAP Patches Critical Security Flaws in Monitoring Solutions
More from Ionut Arghire
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- CISA, NSA Issue Guidance for IAM Administrators
- Cisco Patches High-Severity Vulnerabilities in IOS Software
- ‘Nexus’ Android Trojan Targets 450 Financial Applications
- ‘Badsecrets’ Open Source Tool Detects Secrets in Many Web Frameworks
- Chrome 111 Update Patches High-Severity Vulnerabilities
Latest News
- US Charges 20-Year-Old Head of Hacker Site BreachForums
- Tesla Hacked Twice at Pwn2Own Exploit Contest
- CISA Ships ‘Untitled Goose Tool’ to Hunt for Microsoft Azure Cloud Infections
- Critical WooCommerce Payments Vulnerability Leads to Site Takeover
- PoC Exploit Published for Just-Patched Veeam Data Backup Solution Flaw
- CISA Gets Proactive With New Pre-Ransomware Alerts
- Watch on Demand: Supply Chain & Third-Party Risk Summit Sessions
- TikTok CEO Grilled by Skeptical Lawmakers on Safety, Content
