For its July patch day, the Walldorf-based software vendor SAP reported 20 new security vulnerabilities and updated its advisories for three older ones. Of the new vulnerabilities, four are rated high severity, 15 medium and one low.
Like Google, SAP publishes no technical details on the vulnerabilities, only a rough overview. The highest-rated issue affects the SAP BusinessObjects Business Intelligence Platform and could leak sensitive information (CVE-2022-35228, CVSS 8.3, risk "high").
A similar information-disclosure flaw exists in SAP Business One (CVE-2022-32249, CVSS 7.6, high). Business One is also affected by a missing authentication check (CVE-2022-28771, CVSS 7.5, high) and by a code-injection vulnerability (CVE-2022-31593, CVSS 7.4, high).
SAP also reports medium-severity vulnerabilities, listed here in order of decreasing risk, in: SAP BusinessObjects Business Intelligence Platform 4.x, SAP NetWeaver Enterprise Portal, SAP Enterprise Portal, SAP NetWeaver Enterprise Portal (WPC), SAP BusinessObjects Business Intelligence Platform (LCM), SAP BusinessObjects (BW Publisher Service), SAP BusinessObjects Business Intelligence Platform (Visual Difference Application), SAP BusinessObjects, the SAP S/4HANA Business Partner extension for Spain/Slovakia, the Manage Checkbooks component of SAP S/4HANA, and SAP Enterprise Extension Defense Forces & Public Security.
Finally, there is one low-risk vulnerability in SAP 3D Visual Enterprise Viewer. In its patch day security notification, SAP links the CVE entries and detailed information in the customer-only area of its website, the SAP Support Launchpad; only SAP customers (in practice, their administrators) can log in there. The Launchpad also holds the information on the updates themselves, including which versions are affected and which patch to apply.
IT managers should schedule a maintenance window for these updates promptly, so that attackers cannot exploit the vulnerabilities to gain a foothold in the network. The four high-rated issues in BusinessObjects and Business One, in particular the missing authentication check and the code-injection flaw, deserve priority, as systems of this kind are often reachable from less trusted network segments.