As part of its May 2022 Security Patch Day, SAP announced on Tuesday the release of eight new and four updated security notes, including three that address the recent Spring4Shell vulnerability in more products.
Tracked as CVE-2022-22965 and impacting the widely used Spring Java framework, the security hole could lead to remote code execution, and security researchers have already observed attempts to exploit it in attacks.
After releasing an initial set of patches for this bug as part of its April 2022 Security Patch Day, SAP on Tuesday announced the release of three security notes that address the bug in Customer Profitability Analytics, Commerce, and Business One Cloud.
All three security notes are rated “Hot News,” the highest severity rating in SAP’s playbook, and are accompanied by an update to the Hot News central security note for Spring4Shell that SAP initially published on April 12.
SAP’s May 2022 Security Patch Day updates also include two high-priority security notes that address a cross-site scripting (XSS) issue in the administration UI of Web Dispatcher and Netweaver (CVE-2022-27656, CVSS score of 8.3), and an information disclosure in BusinessObjects (CVE-2022-28214, CVSS score of 7.8).
According to enterprise application security firm Onapsis, an attack exploiting the XSS flaw would be highly complex, requiring for the attacker to “entice a victim to log on to the administration UI using a browser,” which reduces the severity of the bug.
SAP has released patches for all of the affected files and provided three temporary workarounds, including deleting said files, disabling the administration UI, and preventing possible victim users from logging on to the administration UI, Onapsis explains.
The second high-priority note, Onapsis says, addresses a security defect that occurs during an upgrade of SAP BusinessObjects Enterprise, when information in the Sysmon event logs becomes exposed, potentially opening the door to follow-up attacks.
SAP also released multiple security notes dealing with medium-severity vulnerabilities in NetWeaver, Employee Self Service, and Host Agent.