(CVE-2022-22531) Multiple Vulnerabilities in F0743 Create Single Payment Application of SAP S/4HANA
Symptom
UPDATE 25th January 2022: This note has been re-released with updated 'Solution' information. A minor
textual correction was made in the Solution information.
This SAP Security Note addresses the vulnerabilities listed below, identified in SAP S/4HANA. The F0743 Create
Single Payment application of SAP S/4HANA does not check uploaded or downloaded files. The vulnerability
details, together with the relevant CVE information, follow.
Cross-Site Scripting:
A Reflected Cross-Site Scripting (XSS) vulnerability in SAP S/4HANA allows an attacker with basic user
rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.
• CVE-2022-22531
• CVSS: 8.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N
Code injection:
A code injection vulnerability in SAP S/4HANA allows an attacker with basic user rights to inject dangerous
content or malicious code, which could result in critical information being modified or in the availability of
the application being completely compromised.
• CVE-2022-22530
• CVSS: 8.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H
Other Terms
XSS, reflected XSS, F0743, Create Single Payment, virus scanner interface, VSI, CSS, CVE-2022-22530,
CVE-2022-22531
Solution
This SAP Security Note integrates the Virus Scan Interface (VSI), which checks a file during upload and
download. This feature, however, relies on antivirus software being installed, configured, and enabled on
the server.
The crucial part of the solution is proper configuration of the VSI by defining the default
VSCANPROFILE, because the application uses the default VSCANPROFILE. Follow the instructions
in SAP Note "3052386 - FAQ | Virus Scan Interface (VSI)" and configure the required components
so that the VSI functions correctly. Without an active scanner and a default profile, the corrected
application has nothing to call and uploaded files are effectively still unchecked.
As an alternative workaround, scan a file manually before uploading it. Also, do not open an uploaded file
directly in a web browser; instead, download it to the local file system and scan it manually before
opening it.
CVSS
SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not
intended to replace any risk assessments you are advised to conduct when deciding on the applicability or
priority of this SAP Security Note. For more information, see the FAQ section at
https://support.sap.com/securitynotes.
Manual Activities
Manual Post-Implementation
VALID FOR
Caution: You have to perform this manual post-implementation step separately in each system after
you have implemented the Note.
Follow the instructions in SAP Note "3052386 - FAQ | Virus Scan Interface (VSI)" and configure the
required components to enable the correct function of the VSI.
Software Components
Correction Instructions
Prerequisites
Software Component | From | To | SAP Note/KBA | Title | Component
S4CORE | 100 | 100 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 101 | 101 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 102 | 102 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 103 | 103 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 104 | 104 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 105 | 105 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
S4CORE | 106 | 106 | 3112928 | [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA | FI-FIO-AP
Support Package