As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.
Tracked as CVE-2022-22965 and impacting the widely used Spring Java framework, the security hole could lead to remote code execution, and security researchers have already observed attempts to exploit it in attacks.
After releasing an initial set of patches for this bug as part of its April 2022 Security Patch Day, SAP on Tuesday announced the release of three security notes that address the bug in Customer Profitability Analytics, Commerce, and Business One Cloud.
All three security notes are rated “Hot News,” the highest severity rating in SAP’s playbook, and are accompanied by an update to the Hot News central security note for Spring4Shell that SAP initially published on April 12.
SAP’s May 2022 Security Patch Day updates also include two high-priority security notes that address a cross-site scripting (XSS) issue in the administration UI of Web Dispatcher and Netweaver (CVE-2022-27656, CVSS score of 8.3), and an information disclosure in BusinessObjects (CVE-2022-28214, CVSS score of 7.8).
According to enterprise application security firm Onapsis, an attack exploiting the XSS flaw would be highly complex, requiring for the attacker to “entice a victim to log on to the administration UI using a browser,” which reduces the severity of the bug.
SAP has released patches for all of the affected files and provided three temporary workarounds, including deleting said files, disabling the administration UI, and preventing possible victim users from logging on to the administration UI, Onapsis explains.
The second high-priority note, Onapsis says, addresses a security defect that occurs during an upgrade of SAP BusinessObjects Enterprise, when information in the Sysmon event logs becomes exposed, potentially opening the door to follow-up attacks.
SAP also released multiple security notes dealing with medium-severity vulnerabilities in NetWeaver, Employee Self Service, and Host Agent.
Related: SAP Releases Patches for Spring4Shell Vulnerability
Related: SAP Patches Critical Security Flaws in Monitoring Solutions
Related: SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities
More from Ionut Arghire
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Malicious NPM, PyPI Packages Stealing User Information
- Boxx Insurance Raises $14.4 Million in Series B Funding
- Prilex PoS Malware Blocks NFC Transactions to Steal Credit Card Data
- 30k Internet-Exposed QNAP NAS Devices Affected by Recent Vulnerability
Latest News
- Google Shells Out $600,000 for OSS-Fuzz Project Integrations
- F5 BIG-IP Vulnerability Can Lead to DoS, Code Execution
- Flaw in Cisco Industrial Appliances Allows Malicious Code to Persist Across Reboots
- UK Car Retailer Arnold Clark Hit by Ransomware
- Dealing With the Carcinization of Security
- HeadCrab Botnet Ensnares 1,200 Redis Servers for Cryptomining
- Cyber Insights 2023 | Supply Chain Security
- Cyber Insights 2023 | Regulations
