SAP Patches Critical NetWeaver and ABAP Platform Vulnerabilities

  • Business software and solutions provider SAP released several new security notes on its June 2022 security patch day.

    In particular, the document outlined ten new notes and two updated ones.

    Firstly, SAP provided an update to its security note released on April 2018 Patch Day, referring to security updates for the browser control Google Chromium delivered to the company’s business clients.

    Details of this note are not publicly available, but SAP gave it the maximum possible severity score of 10 according to the Common Vulnerability Scoring System (CVSS).

    The second-most severe of the vulnerabilities mentioned in SAP’s June notes refers to the common vulnerabilities and exposure (CVE)-2022-27668.

    The flaw is an improper access control related to the SAProuter proxy in NetWeaver and ABAP Platform and has a CVSS score of 8.6.

    According to SAP, Depending on the configuration of the route permission table in a specific file, it is possible for an unauthenticated attacker to execute SAProuter administration commands in SAP NetWeaver and ABAP Platform from a remote client.

    The third vulnerability (in order of severity) mentioned in the SAP notes, with a 7.8 CVSS score, refers to potential privilege escalation in SAP PowerDesigner Proxy 16.7.

    “[This vulnerability] allows an attacker with low privileges and has local access, with the ability to work around system’s root disk access restrictions to Write/Create a program file on system disk root path,” reads one of the notes.

    The program file can then be executed with elevated privileges during application startup or reboot, potentially compromising confidentiality, integrity and availability of the system.

    The nine remaining new and updated security notes announced this week are medium or low priority.

    SAP confirmed most of the vulnerabilities mentioned in its June 2022 Security Patch Day advisory have now available fixes, and advised companies to update their systems as soon as possible.