Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches High-Severity NetWeaver Vulnerabilities

SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.

Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.

SAP on Tuesday announced the release of ten new and two updated security notes as part of its June 2022 Security Patch Day.

Rated “Hot News” – the highest severity rating in SAP’s book – the most important of these notes is an update to an April 2018 note containing the updates delivered for the Chrome-based browser in SAP Business Client.

Considered “high priority,” the most severe of the newly released notes deals with CVE-2022-27668 (CVSS score of 8.6), an improper access control related to the SAProuter proxy in NetWeaver and ABAP Platform.

“A permissive configuration of the route permission table may allow an unauthenticated attacker to bypass the protection to execute administration commands on the systems connected to the SAPRouter, compromising the availability of the systems,” business application security firm Onapsis explains.

While a workaround exists for this issue – involving route permission table hardening and removing the wildcards from type ‘P’ and ‘S’ entries – customers are advised to apply the available patch as soon as possible.

Onapsis also points out that SAP has also addressed an improper access control in NetWeaver AS Java, another high-severity flaw (CVSS score of 8.2) that can lead to system compromise. The security note for this bug was released after the second Tuesday of last month, along with four other notes.

On June 2022 Security Patch Day, SAP also released a note to address CVE-2022-31590 (CVSS score of 7.8), a privilege escalation issue in PowerDesigner Proxy 16.7.

All of the remaining new and updated security notes announced this week are “medium priority” or “low priority.”

Advertisement. Scroll to continue reading.

Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) added to its Known Exploited Vulnerabilities catalog three security holes in SAP NetWeaver, namely CVE-2021-38163, CVE-2016-2386, and CVE-2016-2388.

Exploitation of these vulnerabilities was observed by Onapsis, but the company has not shared any information about the attacks.

Related: SAP Patches Spring4Shell Vulnerability in More Products

Related: SAP Releases Patches for Spring4Shell Vulnerability

Related: SAP Patches Critical Security Flaws in Monitoring Solutions

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join the session as we discuss the challenges and best practices for cybersecurity leaders managing cloud identities.

Register

The AI Risk Summit brings together security and risk management executives, AI researchers, policy makers, software developers and influential business and government stakeholders.

Register

People on the Move

Data security startup Reco adds Merritt Baer as CISO

Chris Pashley has been named CISO at Advanced Research Projects Agency for Health (ARPA-H).

Satellite cybersecurity company SpiderOak has named Kip Gering as its new Chief Revenue Officer.

More People On The Move

Expert Insights