SAP customers are urged to patch critical vulnerabilities in multiple products


German enterprise software maker SAP has patched three critical vulnerabilities affecting Internet Communication Manager (ICM), a core component of SAP business applications. Customers are urged by both [SAP](<https://blogs.sap.com/2022/02/08/sap-partners-with-onapsis-to-identify-and-patch-cybersecurity-vulnerabilities/>) and [CISA](<https://www.cisa.gov/uscert/ncas/current-activity/2022/02/08/critical-vulnerabilities-affecting-sap-applications-employing>) to address these critical vulnerabilities as soon as possible. On February 8, SAP released 14 new security notes, and security researchers from Onapsis, in coordination with SAP, released a [Threat Report](<https://onapsis.com/icmad-sap-cybersecurity-vulnerabilities>) describing the SAP ICM critical vulnerabilities [CVE-2022-22536](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22536>), [CVE-2022-22532](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22532>), and [CVE-2022-22533](<https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-22533>). Onapsis also provides an [open source tool](<https://github.com/Onapsis/onapsis_icmad_scanner>) to identify whether a system is vulnerable and needs to be patched.

## CVE-2022-22536

The most important vulnerability in this report is CVE-2022-22536, one of the ICMAD vulnerabilities. The ICMAD vulnerabilities are particularly critical because the issues exist by default in the SAP Internet Communication Manager (ICM). The ICM is one of the most important components of a SAP NetWeaver application server and is present in most SAP products. It is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet. CVE-2022-22536 is a request smuggling and request concatenation vulnerability in SAP NetWeaver, SAP Content Server, and SAP Web Dispatcher. It received a [CVSS](<https://blog.malwarebytes.com/malwarebytes-news/2020/05/how-cvss-works-characterizing-and-scoring-vulnerabilities/>) score of 10 out of 10.
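Request smuggling, the bug class named above, works by getting two HTTP parsers in a chain (for example a front-end proxy and the application server behind it) to disagree about where one request ends and the next begins. The following is an added example, not code from Malwarebytes, SAP or Onapsis, and it does not reproduce the ICMAD trigger condition: it is a generic, defender-side heuristic that scans raw HTTP requests (for instance from a proxy capture) for the header patterns that commonly cause such parser disagreements, so that suspicious traffic toward an ICM endpoint can be logged and reviewed. The sample requests are constructed for the example; the Onapsis scanner linked above remains the authoritative way to determine whether a given system is affected.

```python
"""Heuristic detector for HTTP request-smuggling indicators in raw requests.

Added educational example, not the Onapsis ICMAD scanner and not a
description of the CVE-2022-22536 trigger. It flags header combinations
that let two HTTP parsers disagree on message boundaries.
"""
from typing import Dict, List, Tuple


def _parse_headers(raw: bytes) -> Tuple[str, List[Tuple[str, str]]]:
    """Return (request_line, [(lowercased name, value), ...]) from a raw request."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1", "replace")
    headers: List[Tuple[str, str]] = []
    for line in lines[1:]:
        name, sep, value = line.partition(b":")
        if not sep:
            continue  # not a header line; ignore
        headers.append((name.decode("latin-1", "replace").strip().lower(),
                        value.decode("latin-1", "replace").strip()))
    return request_line, headers


def smuggling_indicators(raw: bytes) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    _, headers = _parse_headers(raw)
    findings: List[str] = []
    cl_values = [v for n, v in headers if n == "content-length"]
    te_values = [v for n, v in headers if n == "transfer-encoding"]

    # Classic CL/TE ambiguity: each parser may honour a different header.
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present")
    # Two parsers may pick different Content-Length headers.
    if len(cl_values) > 1 and len(set(cl_values)) > 1:
        findings.append("multiple Content-Length headers with different values")
    for v in cl_values:
        if not v.isdigit():
            findings.append(f"non-numeric Content-Length value: {v!r}")
    # Variants such as 'xchunked' or 'chunked, identity' are parsed
    # differently by different implementations.
    for v in te_values:
        if v.lower() != "chunked" and "chunked" in v.lower():
            findings.append(f"obfuscated Transfer-Encoding value: {v!r}")
    # Whitespace around a header name (before the colon, or a leading space
    # that some parsers treat as obsolete line folding) is checked on the raw
    # bytes, since _parse_headers strips it.
    head = raw.partition(b"\r\n\r\n")[0]
    for line in head.split(b"\r\n")[1:]:
        name = line.partition(b":")[0]
        if name and name != name.strip():
            findings.append(f"whitespace around header name: {line[:40]!r}")
    return findings


def scan_requests(samples: Dict[str, bytes]) -> Dict[str, List[str]]:
    """Run the heuristic over a labelled batch (e.g. one entry per captured request)."""
    return {label: smuggling_indicators(raw) for label, raw in samples.items()}


# Constructed sample requests (not real traffic). The host is a placeholder.
NORMAL_REQUEST = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Host: sap-host.invalid\r\n"
    b"Content-Length: 5\r\n"
    b"\r\n"
    b"hello"
)
CONFLICTING_REQUEST = (
    b"POST /index.html HTTP/1.1\r\n"
    b"Host: sap-host.invalid\r\n"
    b"Content-Length: 4\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"\r\n"
    b"0\r\n\r\n"
)
SAMPLES = {"normal": NORMAL_REQUEST, "conflicting": CONFLICTING_REQUEST}

if __name__ == "__main__":
    for label, findings in scan_requests(SAMPLES).items():
        print(f"{label}: {findings or 'no indicators'}")
```

A hit from this heuristic is a reason to inspect the traffic and the patch status of the receiving ICM, not proof of exploitation; legitimate clients occasionally send odd headers, and a fully patched server is expected to reject ambiguous requests rather than forward them.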
The high score is easy to explain. A simple HTTP request, indistinguishable from any other valid message and without any kind of authentication, is enough for a successful exploitation of the vulnerability.

## Other vulnerabilities

Some of the other “high scorers” are [Log4j](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2021/12/log4j-zero-day-log4shell-arrives-just-in-time-to-ruin-your-weekend/>) related vulnerabilities, and a security update for the browser control Google Chromium delivered with SAP Business Client. The other two ICMAD vulnerabilities, identified as CVE-2022-22532 and CVE-2022-22533, received scores of 8.1 and 7.5, respectively.

## Scan tool

On [GitHub](<https://github.com/Onapsis/onapsis_icmad_scanner>) Onapsis published a Python script that can be used to check if a SAP system is affected by CVE-2022-22536. A [Shodan scan](<https://www.shodan.io/search?query=server%3A+SAP+NetWeaver+Application+Server>) shows there are more than 5,000 SAP NetWeaver servers currently connected to the Internet and exposed to attacks until the patch is applied.

## Mitigation

SAP and Onapsis are currently unaware of any customer breaches that relate to these vulnerabilities, but strongly advise impacted organizations to immediately apply Security Note 3123396 (which covers CVE-2022-22536) to their affected SAP applications. The Cybersecurity & Infrastructure Security Agency (CISA) warned that customers who fail to do so will be exposing themselves to ransomware attacks, the theft of sensitive data, financial fraud, and disruption or halt of business operations.

The post [SAP customers are urged to patch critical vulnerabilities in multiple products](<https://blog.malwarebytes.com/exploits-and-vulnerabilities/2022/02/sap-customers-are-urged-to-patch-critical-vulnerabilities-in-multiple-products/>) appeared first on [Malwarebytes Labs](<https://blog.malwarebytes.com>).