On 8 February 2022, SAP released 19 security notes to address multiple vulnerabilities. Nine of these are marked as “Hot News” (SAP designation for CVEs rated 9 or above on the National Institute of Science and Technology (NIST) Common Vulnerability Scoring System (CVSS)). We recommend applying the latest updates as soon as possible.
Of the nine vulnerabilities marked as “Hot News”, six security notes address vulnerabilities in a third-party component, Log4j. Four of these six notes are updates to previously-released information. All security notes addressing Log4j vulnerabilities are rated with a CVSS score of 10. The following products were noted as having Log4j vulnerabilities fixed:
- SAP Commerce, Versions 1905, 2005, 2105, 2011
- SAP Data Intelligence, Version 3
- SAP Dynamic Authorization Management, Version 184.108.40.206, 2021.03
- Internet of Things Edge Platform, Version 4.0
- SAP Customer Checkout, Version 2
Current security notes include three critical memory corruption vulnerabilities, collectively known as Internet Communication Manager Advanced Desync (ICMAD), and tracked as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533. These flaws affect the Internet Communication Manager (ICM), a core component of SAP business applications that is enabled and exposed to the internet by default in most SAP products that need internet connectivity. The ICM handles HTTP, HTTPS, and SMTP communications, and can act as a server or as a client.
The most severe of these flaws, CVE-2022-22536, is rated with a CVSS score of 10. It is due to desynchronization of Memory Pipes (MPI) Buffers between the ICM and the backend processes. Threat actors could take advantage of this flaw by sending a single request through the exposed HTTP(S) service, which would enable them to steal sessions and credentials in plain text and modify the behavior of the applications. Authentication is not required to leverage this flaw, which could be used towards acquiring a complete takeover of a corporate system. The flaw affects SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher with default configurations.
The US Cybersecurity and Infrastructure Security Agency (CISA) issued an alert advising on the impact of vulnerabilities in the SAP applications using SAP Internet Communication Manager (ICM).
Another Hot News security note addresses CVE-2022-22544, a missing segregation of duties in SAP Solution Manager (Diagnostics Root Cause Analysis Tools), version 720. An administrator could execute code on all connected Diagnostics Agents and browse files on their systems. A threat actor could use the flaw to control managed systems, and execute commands leading to sensitive information disclosure, loss of system integrity and denial-of-service. The flaw was assigned a CVSS score of 10.
SAP Business Client, version 6.5, received an update to a Security Note released April 2018 regarding the browser control Google Chromium delivered with the product. The flaw was assigned a CVSS score of 10.
If you are using any of the vulnerable SAP products, ensure you have the latest updates installed.
We recommend validating your SAP systems against security parameters outlined in the SAP Security Baseline.