As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.
Tracked as CVE-2022-22965 and impacting the widely used Spring Java framework, the security hole could lead to remote code execution, and security researchers have already observed attempts to exploit it in attacks.
After releasing an initial set of patches for this bug as part of its April 2022 Security Patch Day, SAP on Tuesday announced the release of three security notes that address the bug in Customer Profitability Analytics, Commerce, and Business One Cloud.
All three security notes are rated “Hot News,” the highest severity rating in SAP’s playbook, and are accompanied by an update to the Hot News central security note for Spring4Shell that SAP initially published on April 12.
SAP’s May 2022 Security Patch Day updates also include two high-priority security notes that address a cross-site scripting (XSS) issue in the administration UI of Web Dispatcher and Netweaver (CVE-2022-27656, CVSS score of 8.3), and an information disclosure in BusinessObjects (CVE-2022-28214, CVSS score of 7.8).
According to enterprise application security firm Onapsis, an attack exploiting the XSS flaw would be highly complex, requiring for the attacker to “entice a victim to log on to the administration UI using a browser,” which reduces the severity of the bug.
SAP has released patches for all of the affected files and provided three temporary workarounds, including deleting said files, disabling the administration UI, and preventing possible victim users from logging on to the administration UI, Onapsis explains.
The second high-priority note, Onapsis says, addresses a security defect that occurs during an upgrade of SAP BusinessObjects Enterprise, when information in the Sysmon event logs becomes exposed, potentially opening the door to follow-up attacks.
SAP also released multiple security notes dealing with medium-severity vulnerabilities in NetWeaver, Employee Self Service, and Host Agent.
Related: SAP Releases Patches for Spring4Shell Vulnerability
Related: SAP Patches Critical Security Flaws in Monitoring Solutions
Related: SAP Customers Warned About Critical ‘ICMAD’ Vulnerabilities
More from Ionut Arghire
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Google Temporarily Offering $180,000 for Full Chain Chrome Exploit
- Toyota Discloses New Data Breach Involving Vehicle, Customer Information
- Adobe Inviting Researchers to Private Bug Bounty Program
- Critical Vulnerabilities Found in Faronics Education Software
Latest News
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
