Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Vulnerabilities

SAP Patches Spring4Shell Vulnerability in More Products

As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.

As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.

Tracked as CVE-2022-22965 and impacting the widely used Spring Java framework, the security hole could lead to remote code execution, and security researchers have already observed attempts to exploit it in attacks.

After releasing an initial set of patches for this bug as part of its April 2022 Security Patch Day, SAP on Tuesday announced the release of three security notes that address the bug in Customer Profitability Analytics, Commerce, and Business One Cloud.

All three security notes are rated “Hot News,” the highest severity rating in SAP’s playbook, and are accompanied by an update to the Hot News central security note for Spring4Shell that SAP initially published on April 12.

SAP’s May 2022 Security Patch Day updates also include two high-priority security notes that address a cross-site scripting (XSS) issue in the administration UI of Web Dispatcher and Netweaver (CVE-2022-27656, CVSS score of 8.3), and an information disclosure in BusinessObjects (CVE-2022-28214, CVSS score of 7.8).

According to enterprise application security firm Onapsis, an attack exploiting the XSS flaw would be highly complex, requiring for the attacker to “entice a victim to log on to the administration UI using a browser,” which reduces the severity of the bug.

SAP has released patches for all of the affected files and provided three temporary workarounds, including deleting said files, disabling the administration UI, and preventing possible victim users from logging on to the administration UI, Onapsis explains.

The second high-priority note, Onapsis says, addresses a security defect that occurs during an upgrade of SAP BusinessObjects Enterprise, when information in the Sysmon event logs becomes exposed, potentially opening the door to follow-up attacks.

SAP also released multiple security notes dealing with medium-severity vulnerabilities in NetWeaver, Employee Self Service, and Host Agent.

Related: SAP Releases Patches for Spring4Shell Vulnerability

Related: SAP Patches Critical Security Flaws in Monitoring Solutions

Related: SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Expert Insights

Related Content

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Vulnerabilities

Google has awarded more than $25,000 to the researchers who reported the vulnerabilities patched with the release of the latest Chrome update.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.