SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3273480
was released on
13.12.2022 and deals with
"[CVE-2022-41272] Improper access control in SAP NetWeaver AS Java (User Defined Search)" within Java.
We advice you to follow the instructions, to resolve
missing authorization check
hot news potential for exploitation
in component BC-XI-CON-UDS.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Risk specificationAn unauthenticated attacker over the network can attach to an open interface exposed through JNDI by the User Defined Search (UDS) of SAP NetWeaver AS Java and make use of an open naming and directory api to access services which can be used to perform unauthorized operations affecting users and data across the entire system.
The affected code has been updated with authorization checks in all affected public methods.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for