Software giant SAP has released March 2022 Security Patch Day that includes 12 separate security advisories and patches, to include 1 Critical log4j vulnerability.
The SAP updates include two ‘Hot News Notes’ for the most severe of the newly patched SAP vulnerabilities:
- CVE-2022-24396: Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0) (CVSS 9.3).
- CVE-2021-44228: Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Work Manager (CVSS 10.0)
In addition, two other updates to previously released Patch Day Security Notes were also released for SAP NetWeaver, SAP Content Server and SAP Web Dispatcher (CVE-2022-22536) and Apache Log4j 2 (CVE-2021-44228).
Last December, researchers had discovered the Critical 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility that can result in remote code execution (RCE) by logging a certain string. In addition, CISA and Microsoft also issue new guidance for Log4j vulnerability remediation.
Finally, SAP also fixed a High severity Cross-Site Scripting (XSS) vulnerability in SAP Fiori launchpad (CVE-2022-26101), as well as 10 Medium and 1 Low severity vulnerabilities.