Connect with us

Hi, what are you looking for?



SAP Patches Spring4Shell Vulnerability in More Products

As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.

As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.

Tracked as CVE-2022-22965 and impacting the widely used Spring Java framework, the security hole could lead to remote code execution, and security researchers have already observed attempts to exploit it in attacks.

After releasing an initial set of patches for this bug as part of its April 2022 Security Patch Day, SAP on Tuesday announced the release of three security notes that address the bug in Customer Profitability Analytics, Commerce, and Business One Cloud.

All three security notes are rated “Hot News,” the highest severity rating in SAP’s playbook, and are accompanied by an update to the Hot News central security note for Spring4Shell that SAP initially published on April 12.

SAP’s May 2022 Security Patch Day updates also include two high-priority security notes that address a cross-site scripting (XSS) issue in the administration UI of Web Dispatcher and Netweaver (CVE-2022-27656, CVSS score of 8.3), and an information disclosure in BusinessObjects (CVE-2022-28214, CVSS score of 7.8).

According to enterprise application security firm Onapsis, an attack exploiting the XSS flaw would be highly complex, requiring for the attacker to “entice a victim to log on to the administration UI using a browser,” which reduces the severity of the bug.

SAP has released patches for all of the affected files and provided three temporary workarounds, including deleting said files, disabling the administration UI, and preventing possible victim users from logging on to the administration UI, Onapsis explains.

Advertisement. Scroll to continue reading.

The second high-priority note, Onapsis says, addresses a security defect that occurs during an upgrade of SAP BusinessObjects Enterprise, when information in the Sysmon event logs becomes exposed, potentially opening the door to follow-up attacks.

SAP also released multiple security notes dealing with medium-severity vulnerabilities in NetWeaver, Employee Self Service, and Host Agent.

Related: SAP Releases Patches for Spring4Shell Vulnerability

Related: SAP Patches Critical Security Flaws in Monitoring Solutions

Related: SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.