SAP security researcher shares insight on Patch Tuesday
January 2022 by SAP
Today SAP has published 35 new and updated security patches, including 20 considered critical (all affecting Log4j) and six new and updated High Priority Notes. It’s important to note that the 27 total SAP Security Notes that patch
Log4j issues in today’s Patch Tuesday are all new since the December update.
Today’s update impressively demonstrates the severe impact of Log4j on SAP applications. I wanted to reach out and provide you with some additional insight on these patches from Thomas Fritsch, SAP security researcher at Onapsis, including:
·
How to optimize applying patches to the numerous
Log4j notes, which made up the overwhelming majority of the SAP Security Notes released today.
·
Although separate patches have been issued for each of the vulnerabilities detected and fixed in the Log4j library, SAP customers don’t need to implement all of them. Instead, it is sufficient to only
apply the SAP patches that include the highest Log4j version.
·
SAP Security Note #3112928, tagged with a CVSS score of 8.7, patches a Cross-Site Scripting and a Code Injection vulnerability in the Create Single Payment app of S/4HANA, which is used by accounts
payable accountants through SAP Fiori.