CERT-In Vulnerability Note
CIVN-2022-0022
Multiple Vulnerabilities in SAP Products
Original Issue Date: January 14, 2022
Severity Rating: HIGH
Software Affected
- SAP Customer Checkout
- SAP BTP Cloud Foundry
- SAP Landscape Management
- SAP Connected Health Platform 2.0 - Fhirserver
- SAP HANA XS Advanced Cockpit
- SAP NetWeaver Process Integration (Java Web Service Adapter)
- SAP HANA XS Advanced
- Internet of Things Edge Platform
- SAP BTP Kyma
- SAP Enable Now Manager
- SAP Cloud for Customer (add-in for Lotus notes client)
- SAP Localization Hub, digital compliance service for India
- SAP Edge Services On Premise Edition
- SAP Edge Services Cloud Edition
- SAP BTP API Management (Tenant Cloning Tool)
- SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0)
- SAP Digital Manufacturing Cloud for Edge Computing
- SAP Enterprise Continuous Testing by Tricentis
- SAP Cloud-to-Cloud Interoperability
- SAP Business One
- SAP S/4HANA, Versions - 100, 101, 102, 103, 104, 105, 106
- SAP NetWeaver AS ABAP, Versions - 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756
- SAP Business One, Version - 10
- SAP Enterprise Threat Detection, Version - 2.0
- SAP NetWeaver AS for ABAP and ABAP Platform, Versions - 701, 702, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756, 786
- SAP 3D Visual Enterprise Viewer, Version - 9
- SAP GRC Access Control, Versions - V1100_700, V1100_731, V1200_750
Overview
Multiple vulnerabilities have been reported in SAP products which could allow a remote attacker to bypass security restrictions, perform a denial of service (DoS) attack, inject code, perform cross-site scripting (XSS) attacks, escalate privileges and gain direct access to the SAP system, crash the application, execute arbitrary commands (including by exploiting the remote code execution vulnerability associated with the Apache Log4j 2 component) and completely compromise the confidentiality, integrity and availability of the targeted system.
Description
These vulnerabilities exist in SAP products due to insufficient validation of user-supplied input, insufficient authorization checks for an authenticated user, the vulnerability associated with the Apache Log4j 2 component and other flaws in the respective affected software.
Successful exploitation of these vulnerabilities could allow a remote attacker to bypass security restrictions, perform a denial of service (DoS) attack, perform cross-site scripting (XSS) attacks, escalate privileges and gain direct access to the SAP system, crash the application, execute arbitrary commands (including by exploiting the remote code execution vulnerability associated with the Apache Log4j 2 component) and completely compromise the confidentiality, integrity and availability of the targeted system.
Solution
Apply appropriate fixes as mentioned in SAP Security Advisory:
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
Vendor Information
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
References
SAP
https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=596902035
CVE Name
CVE-2022-22529
CVE-2022-22530
CVE-2022-22531
CVE-2022-42067
CVE-2021-44228
CVE-2021-44233
CVE-2022-44234
CVE-2021-44235
CVE-2021-42066
CVE-2021-42068
CVE-2021-42069
CVE-2021-42070
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
Electronics Niketan
6, CGO Complex, Lodhi Road,
New Delhi - 110 003
India