In August, SAP publishes reports on five newly discovered security vulnerabilities. In addition, the manufacturer updates two older reports on vulnerabilities.
SAP’s August patch day means comparatively little effort for administrators, since the manufacturer has only published five reports on security gaps in the business products. There were also updates from two older bug reports.
Vulnerable SAP products
The most serious vulnerability concerns SAP BusinessObjects Business Intelligence Platform (Open Document). Attackers could obtain unauthorized information (CVE-2022-32245, CVSS 8.2risk “high“). Further vulnerabilities allow information leakage in SAP Authenticator for Android (CVE-2022-35290, CVSS 5.3, medium), SAP BusinessObjects Business Intelligence Platform (MonitoringDB) (CVE-2022-31596, CVSS 5.2, medium) as in SAP BusinessObjects Business Intelligence Platform (CommentaryDB) (CVE-2022-32244, CVSS 5.2, medium).
In addition, there is SAP Enable Now Manager a missing authorization check (CVE-2022-35293, CVSS 4.2, medium). The updated error messages relate to the Google Chrome browser supplied with the SAP Business Client and possible bypassing of runtime checks from inBC-MID-RFC in SAP Netweaver.
As usual, SAP does not give any further details in the patch day report. However, SAP administrators can access the updated software downloads and detailed bug reports linked in the Patchday message with their access.
Administrators should install the provided updates during the next scheduled maintenance period to minimize the attack surface. Unlike in July, however, this should succeed quickly – there were still 20 security gaps in SAP products to be closed.
