
2022-02-09 3112928

3112928 - [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA

Version: 9
Type: SAP Security Note
Language: English
Master Language: English
Priority: Correction with high priority
Category: Program error
Release Status: Released for Customer
Released On: 25.01.2022
Component: FI-FIO-AP (Fiori UI for Accounts Payable)

Please find the original document at https://launchpad.support.sap.com/#/notes/3112928

Symptom

UPDATE 25th January 2022: This note has been re-released with updated 'Solution' information. We have
made a minor textual correction to the Solution section.

This SAP Security Note addresses the vulnerabilities listed below, identified in SAP S/4HANA. The F0743 Create
Single Payment application of SAP S/4HANA does not check files that are uploaded to it or downloaded from it.
The vulnerability details and their CVE information are as follows.

Cross-Site Scripting:

A Reflected Cross-Site Scripting (XSS) vulnerability in SAP S/4HANA allows an attacker with basic user
rights to run arbitrary script code, resulting in sensitive information being disclosed or modified.

• CVE-2022-22531
• CVSS: 8.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:N

Code injection:

A code injection vulnerability in SAP S/4HANA allows an attacker with basic user rights to inject dangerous
content or malicious code which could result in critical information being modified or completely compromise
the availability of the application.

• CVE-2022-22530
• CVSS: 8.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:N/I:H/A:H

Other Terms

XSS, reflected XSS, F0743, Create Single Payment, virus scanner interface, VSI, CSS, CVE-2022-22530,
CVE-2022-22531

Reason and Prerequisites

Using attachments in the application F0743 Create Single Payment.

Solution

This SAP Security Note implements the Virus Scanner Interface (VSI) so that a file is checked during upload and
during download. This check, however, only works if antivirus software is installed, configured, and enabled on
the server.

© 2022 SAP SE or an SAP affiliate company. All rights reserved 1 of 5

The crucial part of the solution is the correct configuration of the VSI through the definition of the default
VSCANPROFILE, because the application uses the default VSCANPROFILE. Follow the instructions in SAP Note
"3052386 - FAQ | Virus Scan Interface (VSI)" and configure the required components so that the VSI works
correctly. Without a configured and enabled scanner, the code correction alone provides no protection.

As an alternative workaround, scan a file manually before uploading it. Also, do not open an uploaded file
directly in a web browser. Instead, download the file to the local file system and scan it manually before
opening it.
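The following is an added illustration, not SAP's code and not part of this note. It shows the two ideas the Solution and the workaround rely on in a generic attachment layer: every file is passed through a scan hook on upload and again on download (as the VSI fix does), and a download is served in a way that stops the browser from rendering the uploaded content inline in the application's origin (the reason the workaround says not to open uploaded files directly in the browser). The scanner is a constructed stand-in for a real virus scanner interface; the file names, sample contents and response shape are assumptions for illustration.

```python
"""Added illustration, not SAP code: an attachment layer that (1) passes file content
through a scan hook on upload AND on download and (2) serves downloads so that a
browser cannot render an uploaded file inline in the application's origin.

The scanner below is a constructed stand-in for a real virus scanner interface; all
file names, sample contents and response shapes are assumptions for illustration."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# Constructed "signatures" for active content that must never be served inline from
# the application's origin.  A real deployment delegates this to the configured scanner.
ACTIVE_CONTENT_PATTERNS = [
    re.compile(rb"<\s*script\b", re.I),
    re.compile(rb"\bon[a-z]+\s*=", re.I),            # onload=, onerror=, ...
    re.compile(rb"javascript\s*:", re.I),
    re.compile(rb"<\s*(iframe|object|embed)\b", re.I),
]
# Public EICAR anti-virus test string, so the hook also behaves like a malware scanner.
EICAR = rb"X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*"


@dataclass
class ScanResult:
    clean: bool
    reason: str = ""


def scan(data: bytes) -> ScanResult:
    """Stand-in for the scanner called on every upload and every download."""
    if EICAR in data:
        return ScanResult(False, "malware signature (EICAR)")
    for pat in ACTIVE_CONTENT_PATTERNS:
        if pat.search(data):
            return ScanResult(False, "active content: " + pat.pattern.decode())
    return ScanResult(True)


def safe_filename(name: str) -> str:
    """Strip path components and any character that could inject into the header line."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base)[:255] or "download"


class AttachmentStore:
    def __init__(self, scanner: Callable[[bytes], ScanResult] = scan):
        self._files: Dict[str, bytes] = {}
        self._scan = scanner

    def set_scanner(self, scanner: Callable[[bytes], ScanResult]) -> None:
        self._scan = scanner             # e.g. after new signatures are deployed

    def upload(self, name: str, data: bytes) -> ScanResult:
        result = self._scan(data)
        if result.clean:                 # reject before anything is persisted
            self._files[name] = data
        return result

    def download(self, name: str) -> Tuple[int, Dict[str, str], bytes]:
        data = self._files.get(name)
        if data is None:
            return 404, {}, b""
        result = self._scan(data)        # rescan: a stored file may match newer signatures
        if not result.clean:
            return 403, {"Content-Type": "text/plain; charset=utf-8"}, result.reason.encode()
        headers = {
            "Content-Type": "application/octet-stream",      # never the client-supplied type
            "Content-Disposition": 'attachment; filename="%s"' % safe_filename(name),
            "X-Content-Type-Options": "nosniff",             # no sniffing into text/html
            "Content-Security-Policy": "sandbox",            # defence in depth if rendered anyway
        }
        return 200, headers, data


if __name__ == "__main__":
    store = AttachmentStore()
    print(store.upload("invoice.pdf", b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n"))
    print(store.upload("note.html", b"<html><script>alert(document.cookie)</script></html>"))
    print(store.download("invoice.pdf")[:2])
```

Scanning twice mirrors the note's "upload and download" wording: a file accepted before a signature update is still caught when it is fetched later. The `attachment` disposition and `nosniff` header are what make the browser save the file instead of interpreting an uploaded HTML or SVG document as a page in the application's origin, which is the condition under which uploaded script would run with the victim's session.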

CVSS

CVSS v3.0 Base Score: 8.7 / 10

CVSS v3.0 Base Vector:

Name                        Value
Attack Vector (AV)          Network (N)
Attack Complexity (AC)      Low (L)
Privileges Required (PR)    Low (L)
User Interaction (UI)       Required (R)
Scope (S)                   Changed (C)
Confidentiality Impact (C)  High (H)
Integrity Impact (I)        High (H)
Availability Impact (A)     None (N)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note.
This estimate does not take into account your own system configuration or operational environment. It is not
intended to replace any risk assessments you are advised to conduct when deciding on the applicability or
priority of this SAP Security Note. For more information, see the FAQ section at
https://support.sap.com/securitynotes.

Manual Activities

------------------------------------------------------------------------
| Manual Post-Implementation                                           |
------------------------------------------------------------------------
| VALID FOR                                                            |
| Software Component S4CORE                                            |
|   Release 100  All Support Package Levels                            |
|   Release 101  All Support Package Levels                            |
|   Release 102  Until SAPK-10209INS4CORE                              |
|   Release 103  Until SAPK-10307INS4CORE                              |
|   Release 104  Until SAPK-10405INS4CORE                              |
|   Release 105  Until SAPK-10503INS4CORE                              |
|   Release 106  w/o Support Packages                                  |
------------------------------------------------------------------------

Caution: You have to perform this post-implementation step manually, and separately in each system,
after you have imported the Note.

Follow the instructions in SAP Note "3052386 - FAQ | Virus Scan Interface (VSI)" and configure the
required components so that the VSI works correctly.

Software Components

Software Component  Release
S4CORE              100 - 100
S4CORE              101 - 101
S4CORE              102 - 102
S4CORE              103 - 103
S4CORE              104 - 104
S4CORE              105 - 105
S4CORE              106 - 106

Correction Instructions

Software Component  From  To   Version  Changed on           ID
S4CORE              101   101  1        16.11.2021 18:48:29  0001035390
S4CORE              100   100  1        16.11.2021 18:48:31  0001035389
S4CORE              106   106  1        16.11.2021 18:48:24  0001035455
S4CORE              105   105  1        16.11.2021 18:48:25  0001035454
S4CORE              104   104  1        16.11.2021 18:48:26  0001035453
S4CORE              103   103  1        16.11.2021 18:48:27  0001035452
S4CORE              102   102  1        16.11.2021 18:48:28  0001035391


Prerequisites

Software Component  From  To   SAP Note/KBA  Title                                                                                               Component
S4CORE              100   100  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              101   101  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              102   102  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              103   103  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              104   104  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              105   105  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP
S4CORE              106   106  3112928       [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA  FI-FIO-AP

Support Package

Software Component  Release  Support Package
S4CORE              102      SAPK-10210INS4CORE
S4CORE              103      SAPK-10308INS4CORE
S4CORE              104      SAPK-10406INS4CORE
S4CORE              105      SAPK-10504INS4CORE
S4CORE              106      SAPK-10601INS4CORE


This document refers to

SAP Note/KBA  Title
3052386       FAQ | Virus Scan Interface (VSI)
