SAP Critical Exploit ICM Manager
Date: February 12th 2021
Risk: Critical
CVE: CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533
SAP released updates to address vulnerabilities affecting multiple products, including critical vulnerabilities affecting SAP applications using SAP Internet Communication Manager (ICM). SAP applications help organizations manage critical business processes—such as enterprise resource planning, product lifecycle management, customer relationship management, and supply chain management. Impacted organizations could experience:
- theft of sensitive data,
- financial fraud,
- disruption of mission-critical business processes,
- ransomware, and
- halt of all operations.
If successfully exploited, these vulnerabilities could allow attackers to target SAP users, business information, and processes, steal credentials, trigger denial of service, execute code remotely and, ultimately, fully compromise any unpatched SAP application.
“Malicious actors can easily leverage the most critical vulnerability (CVSSv3 10.0) in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications.”
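The most critical note above (CVE-2022-22536) is classed as request smuggling and request concatenation in ICM, and the payload travels over plain HTTP(S). Classic request smuggling relies on two HTTP parsers disagreeing about where one request ends and the next begins, which only happens when the message framing is ambiguous. The script below is an added example, not SAP's code and not the advisory's, and it does not reproduce the ICM-specific defect: it is a generic, defender-side check that a reverse proxy, WAF rule author or log-review job can apply to raw requests to reject or alert on ambiguous framing (Content-Length together with Transfer-Encoding, repeated or conflicting Content-Length, non-standard Transfer-Encoding values, obsolete line folding). All sample requests are constructed and use the placeholder host `example.invalid`.

```python
"""Flag HTTP requests whose message framing is ambiguous.

Added example (not from the advisory or from SAP). Generic request-smuggling
precondition check: a front-end and back-end that parse the same bytes
differently can be desynchronised only if the framing headers leave room for
disagreement. Rejecting such requests at the edge removes that room.
"""
import re

# RFC 7230 token characters for a header field name; the value is captured
# WITHOUT trimming trailing whitespace so that "chunked " is visible as such.
HEADER_RE = re.compile(r"^([!#$%&'*+\-.^_`|~0-9A-Za-z]+):[ \t]*(.*)$")


def parse_head(raw: bytes):
    """Split a raw request into (request_line, [(name_lower, value)], findings).

    Findings collected here are structural problems in the header block itself
    (obsolete line folding, unparsable lines), which are themselves a common
    source of parser disagreement.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers, findings = [], []
    for line in lines[1:]:
        text = line.decode("latin-1")
        if text[:1] in (" ", "\t"):
            findings.append("obsolete line folding (obs-fold) in header block")
            continue
        m = HEADER_RE.match(text)
        if m is None:
            findings.append(f"malformed header line: {text!r}")
            continue
        headers.append((m.group(1).lower(), m.group(2)))
    return request_line, headers, findings


def framing_findings(raw: bytes) -> list:
    """Return human-readable reasons the request framing is ambiguous (empty if none)."""
    _, headers, findings = parse_head(raw)
    cl = [v for n, v in headers if n == "content-length"]
    te = [v for n, v in headers if n == "transfer-encoding"]
    if cl and te:
        findings.append("both Content-Length and Transfer-Encoding present")
    if len(cl) > 1:
        kind = "conflicting" if len(set(cl)) > 1 else "repeated"
        findings.append(f"multiple Content-Length headers ({kind}: {cl})")
    for v in cl:
        if not v.isdigit():
            findings.append(f"Content-Length is not a plain decimal integer: {v!r}")
    for v in te:
        # Strict allowlist: anything but the exact token is treated as suspect,
        # since variants like "chunked " or "xchunked" are what parsers disagree on.
        if v != "chunked":
            findings.append(f"Transfer-Encoding value is not exactly 'chunked': {v!r}")
    return findings


def is_ambiguous(raw: bytes) -> bool:
    """True if a strict edge proxy should refuse to forward this request."""
    return bool(framing_findings(raw))


# Constructed sample requests (not real traffic).
SAMPLES = {
    "clean": b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 5\r\n\r\nhello",
    "cl_and_te": (b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n"
                  b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST / HTTP/1.1\r\nHost: example.invalid\r\nContent-Length: 4\r\n"
               b"Content-Length: 10\r\n\r\nabcd"),
    "te_trailing_space": (b"POST / HTTP/1.1\r\nHost: example.invalid\r\n"
                          b"Transfer-Encoding: chunked \r\n\r\n0\r\n\r\n"),
    "obs_fold": b"GET / HTTP/1.1\r\nHost: example.invalid\r\nX-Note: a\r\n b\r\n\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        verdict = "REJECT" if is_ambiguous(raw) else "accept"
        print(f"{name:18} {verdict}  {framing_findings(raw)}")
```

The check is deliberately stricter than the HTTP specification (which permits, for example, a repeated identical Content-Length): at the edge of an SAP landscape the goal is that every parser behind the proxy sees exactly one interpretation of each request, so anything with two plausible readings is dropped before it reaches ICM.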
List of security notes released on February Patch Day:
https://wiki.scn.sap.com/wiki/display/PSR/SAP+Security+Patch+Day+-+February+2022
Note# | Title | Priority | CVSS |
------- | ----- | -------- | ---- |
3123396 | [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher; Product – SAP Web Dispatcher, Versions – 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87; Product – SAP Content Server, Version – 7.53; Product – SAP NetWeaver and ABAP Platform, Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49 | Hot News | 10 |
3142773 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce; Related CVEs – CVE-2021-45046, CVE-2021-45105, CVE-2021-44832; Product – SAP Commerce, Versions – 1905, 2005, 2105, 2011 | Hot News | 10 |
3130920 | Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise); Related CVEs – CVE-2021-44228, CVE-2021-45046, CVE-2021-45105; Product – SAP Data Intelligence, Version – 3 | Hot News | 10 |
3139893 | [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management; Related CVEs – CVE-2021-44228, CVE-2021-45046; Product – SAP Dynamic Authorization Management, Version – 9.1.0.0, 2021.03 | Hot News | 10 |
3132922 | Update to Security Note released in December 2021: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in Internet of Things Edge Platform; Related CVEs – CVE-2021-45105, CVE-2021-45046, CVE-2021-44832; Product – Internet of Things Edge Platform, Version – 4.0 | Hot News | 10 |
3133772 | Update to Security Note released in December 2021: [CVE-2021-44228] Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Customer Checkout; Related CVEs – CVE-2021-45046, CVE-2021-45105; Product – SAP Customer Checkout, Version – 2 | Hot News | 10 |
3131047 | Update to Security Note released in December 2021: [CVE-2021-44228] Central Security Note for Remote Code Execution vulnerability associated with Apache Log4j 2 component | Hot News | 10 |
2622660 | Update to Security Note released on April 2018 Patch Day: Security updates for the browser control Google Chromium delivered with SAP Business Client; Product – SAP Business Client, Version – 6.5 | Hot News | 10 |
3140940 | [CVE-2022-22544] Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools; Product – SAP Solution Manager (Diagnostics Root Cause Analysis Tools), Version – 720 | Hot News | 9.1 |
3112928 | Update to Security Note released on January 2022 Patch Day: [CVE-2022-22531] Multiple vulnerabilities in F0743 Create Single Payment application of SAP S/4HANA; Additional CVE – CVE-2022-22530; Product – SAP S/4HANA, Versions – 100, 101, 102, 103, 104, 105, 106 | High | 8.7 |
3123427 | [CVE-2022-22532] HTTP Request Smuggling in SAP NetWeaver Application Server Java; Additional CVE – CVE-2022-22533; Product – SAP NetWeaver Application Server Java, Versions – KRNL64NUC 7.22, 7.22EXT, 7.49, KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, KERNEL 7.22, 7.49, 7.53 | High | 8.1 |
3140587 | [CVE-2022-22540] SQL Injection vulnerability in SAP NetWeaver AS ABAP (Workplace Server); Product – SAP NetWeaver AS ABAP (Workplace Server), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756, 787 | High | 7.1 |
3124994 | [CVE-2022-22534] Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver; Product – SAP NetWeaver (ABAP and Java application Servers), Versions – 700, 701, 702, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 4.7 |
3126489 | [CVE-2022-22535] Missing Authorization check in SAP ERP HCM; Product – SAP ERP HCM (Portugal), Versions – 600, 604, 608 | Medium | 6.5 |
3126748 | [CVE-2022-22546] XSS vulnerability in SAP Business Objects Web Intelligence (BI Launchpad); Product – SAP Business Objects Web Intelligence (BI Launchpad), Version – 420 | Medium | 5.4 |
3134684 | [Multiple CVEs] Improper Input Validation in SAP 3D Visual Enterprise Viewer; CVEs – CVE-2022-22537, CVE-2022-22539, CVE-2022-22538; Product – SAP 3D Visual Enterprise Viewer, Version – 9.0 | Medium | 4.3 |
3140564 | [CVE-2022-22528] Information Disclosure in SAP Adaptive Server Enterprise; Product – SAP Adaptive Server Enterprise, Version – 16.0 | Medium | 5.6 |
3142092 | [CVE-2022-22542] Information Disclosure vulnerability in SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer); Product – SAP S/4HANA (Supplier Factsheet and Enterprise Search for Business Partner, Supplier and Customer), Versions – 104, 105, 106 | Medium | 6.5 |
3128473 | [CVE-2022-22545] Information Disclosure vulnerability in SAP NetWeaver Application Server ABAP and ABAP Platform; Product – SAP NetWeaver Application Server ABAP and ABAP Platform, Versions – 700, 701, 702, 710, 711, 730, 731, 740, 750, 751, 752, 753, 754, 755, 756 | Medium | 4.9 |
3116223 | [CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel); Product – SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel), Versions – KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53, KRNL64NUC 7.22, 7.22EXT, 7.49 | Low | 3.7 |