SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.
Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.
Considered “high priority,” the most severe of the newly released notes deals with CVE-2022-27668 (CVSS score of 8.6), an improper access control related to the SAProuter proxy in NetWeaver and ABAP Platform.
“A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems,” business application security firm Onapsis explains.
While a workaround exists for this issue – involving route permission table hardening and removing the wildcards from type ‘P’ and ‘S’ entries – customers are advised to apply the available patch as soon as possible.
Onapsis also points out that SAP has also addressed an improper access control in NetWeaver AS Java, another high-severity flaw (CVSS score of 8.2) that can lead to system compromise. The security note for this bug was released after the second Tuesday of last month, along with four other notes.
On June 2022 Security Patch Day, SAP also released a note to address CVE-2022-31590 (CVSS score of 7.8), a privilege escalation issue in PowerDesigner Proxy 16.7.
All of the remaining new and updated security notes announced this week are “medium priority” or “low priority.”
Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities catalog three security holes in SAP NetWeaver, namely CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388.
Exploitation of these vulnerabilities was observed by Onapsis, but the company has not shared any information about the attacks.