SAP Releases January 2022 Security Updates

Summary

Scheduled security updates for multiple SAP products, including products affected by Log4Shell vulnerabilities


Affected platforms

The following SAP products are known to be affected:

  • Internet of Things Edge Platform
  • Reference Template for enabling ingestion and persistence of time series data in Azure
  • SAP 3D Visual Enterprise Viewer
  • SAP BTP API Management (Tenant Cloning Tool)
  • SAP BTP Cloud Foundry
  • SAP BTP Kyma
  • SAP Cloud for Customer (add-in for Lotus notes client)
  • SAP Cloud-to-Cloud Interoperability
  • SAP Connected Health Platform 2.0 - Fhirserver
  • SAP Customer Checkout
  • SAP Digital Manufacturing Cloud for Edge Computing
  • SAP Edge Services Cloud Edition
  • SAP Edge Services On Premise Edition
  • SAP Enable Now Manager
  • SAP Enterprise Continuous Testing by Tricentis
  • SAP Enterprise Threat Detection
  • SAP GRC Access Control
  • SAP HANA XS Advanced
  • SAP HANA XS Advanced Cockpit
  • SAP Landscape Management
  • SAP Localization Hub, digital compliance service for India
  • SAP NetWeaver ABAP Server and ABAP Platform (Adobe LiveCycle Designer 11.0)
  • SAP NetWeaver AS ABAP
  • SAP NetWeaver AS for ABAP and ABAP Platform
  • SAP NetWeaver Process Integration (Java Web Service Adapter)
  • SAP S/4HANA

Threat details

Introduction

SAP has released security updates to address vulnerabilities affecting multiple SAP products, including products impacted by Log4Shell vulnerabilities. Apart from the aforementioned Log4Shell vulnerabilities, the updates address eleven other vulnerabilities, including code injection, information disclosure, cross-site scripting, improper input validation, missing authorisation checks, and others. An attacker could exploit these vulnerabilities to take control of an affected system.


NHS Digital response to Log4Shell

This alert is part of NHS Digital's wider response to the Log4Shell remote code execution vulnerability. For more information on Log4Shell itself, please visit our cyber alerts article Log4Shell RCE Vulnerability CC-3989.
 

Additional SAP systems may be vulnerable and affected organisations should regularly review SAP's Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component. Note: SAP credentials are required to view the Security Note.

NHS and social care organisations are invited to use the Cyber Associates Network to find out additional information and participate in discussion about the Log4Shell remote code execution vulnerability and affected SAP products.


Remediation advice

Affected organisations are encouraged to review the SAP Security Notes for January 2022 and apply the necessary updates.



CVE Vulnerabilities

Last edited: 12 January 2022 3:08 pm