Security News > 2022 > February > CISA warns admins to patch maximum severity SAP vulnerability

CISA warns admins to patch maximum severity SAP vulnerability
2022-02-09 16:55

The US Cybersecurity and Infrastructure Security Agency has warned admins to patch a set of severe security flaws dubbed ICMAD and impacting SAP business apps using Internet Communication Manager.

Yesterday, Onapsis Research Labs who found and reported CVE-2022-22536, one of the three ICMAD bugs and the one rated as a maximum severity issue, also cautioned SAP customers to patch them immediately.

If successfully exploited, the ICMAD bugs allow attackers to target SAP users, business information, and processes, and steal credentials, trigger denials of service, execute code remotely and, ultimately, fully compromise any unpatched SAP applications.

"The ICM is one of the most important components of an SAP NetWeaver application server: It is present in most SAP products and is a critical part of the overall SAP technology stack, connecting SAP applications with the Internet," Onapsis explained.

"Malicious actors can easily leverage the most critical vulnerability in unprotected systems; the exploit is simple, requires no previous authentication, no preconditions are necessary, and the payload can be sent through HTTP(S), the most widely used network service to access SAP applications."

The German business software developer also patched other maximum severity vulnerabilities associated with the Apache Log4j 2 component used in SAP Commerce, SAP Data Intelligence 3, SAP Dynamic Authorization Management, Internet of Things Edge Platform, SAP Customer Checkout.


News URL

https://www.bleepingcomputer.com/news/security/cisa-warns-admins-to-patch-maximum-severity-sap-vulnerability/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-09 CVE-2022-22536 Unspecified vulnerability in SAP products
SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.
network
low complexity
sap
critical
10.0

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
SAP 328 25 679 386 113 1203