SAP has addressed the Spring4Shell vulnerability, tracked as CVE-2022-22965, impacting its Customer Profitability Analytics, Business One Cloud, and Commerce offerings, as part of this month's Security Patch Day, reports SecurityWeek.
Threat actors could abuse the Spring4Shell flaw to achieve remote code execution, and attempted exploitation has already been reported in the wild. SAP also fixed two high-priority vulnerabilities: a cross-site scripting flaw in the administration user interface of NetWeaver and Web Dispatcher, tracked as CVE-2022-27656, and an information disclosure bug in BusinessObjects, tracked as CVE-2022-28214.
The XSS flaw could be exploited by attackers able to "entice a victim to log on to the administration UI using a browser," according to Onapsis.
Meanwhile, attackers could leverage the info disclosure vulnerability in SAP BusinessObjects Enterprise to facilitate follow-up attacks, Onapsis added.
Medium-severity flaws in Employee Self Service, Host Agent, and NetWeaver were also addressed by SAP.