Security Advisory for SAP ICMAD Critical Vulnerabilities

March 10, 2022

International threat intelligence agencies, including the US Cybersecurity and Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU), issued security advisories last week about critical vulnerabilities in SAP Internet Communication Manager (ICM). The ICM supports inbound and outbound communication with SAP systems using the HTTP(S) protocol. It is a standard component of NetWeaver Application Server ABAP and Java and SAP Web Dispatcher.

The advisories relate to CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533, labeled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536 – a memory corruption vulnerability that can be exploited via a single HTTP request to fully compromise SAP systems, remotely and without authentication.

This affects AS ABAP and Web Dispatcher when accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not affect direct access to SAP application servers. CVE-2022-22532 affects only AS Java.

This vulnerability has a lower CVSS than CVE-2022-22536 due to greater complexity of the attack, but ranks high in terms of impact on confidentiality, integrity, and availability. There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External web dispatchers are equally vulnerable. Consequently, it is essential to apply the relevant security notes to patch SAP systems against ICMAD.

Note 3123396 provides the AS ABAP and Web Dispatcher patches for CVE-2022-22536. SAP Kernels and Web Dispatchers must be updated to the minimum patch levels detailed in the note. The fix detailed in note 3137885 can be applied as a stopgap measure if patches cannot be deployed at short notice. For access via Web Dispatcher, see note 3137885 to ensure Web Dispatcher installations meet the minimum patch level. To apply the workaround, the wdisp/additional_conn_close profile parameter must be set to TRUE. For more details, see note 3138881.

Note 3123427 provides the AS Java patches for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied by setting the parameter icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.
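A quick way to audit profile files for the two workaround settings named above, as an added example that is not part of the original advisory or any SAP tooling. It assumes profiles consist of "name = value" lines with "#" comment lines and that the last assignment of a parameter takes effect; the sample profiles are constructed.

```python
import re

# Workaround parameters and required values, taken from the advisory text.
WORKAROUNDS = {
    "wdisp/additional_conn_close": "TRUE",         # stopgap for CVE-2022-22536
    "icm/handle_http_pipeline_requests": "FALSE",  # AS Java workaround
}

# Constructed sample profiles (not from a real system).
SAMPLE_WEBDISP = """\
# constructed Web Dispatcher profile
SAPSYSTEMNAME = WD1
icm/server_port_0 = PROT=HTTPS,PORT=44300
wdisp/additional_conn_close = FALSE
wdisp/additional_conn_close = TRUE
"""
SAMPLE_JAVA = """\
# constructed AS Java instance profile
SAPSYSTEMNAME = J01
#icm/handle_http_pipeline_requests = FALSE
"""

LINE_RE = re.compile(r"^\s*([A-Za-z0-9_/.\-]+)\s*=\s*(.*?)\s*$")

def parse_profile(text):
    """Return {parameter: value}. Assumption: lines starting with '#' are
    comments and a later assignment overrides an earlier one."""
    params = {}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out workaround is not applied
        m = LINE_RE.match(line)
        if m:
            params[m.group(1)] = m.group(2)
    return params

def check_workarounds(text, wanted):
    """Classify each wanted parameter as 'ok', 'wrong' or 'missing'.
    Any value other than the exact one in the advisory is flagged for review."""
    params = parse_profile(text)
    result = {}
    for name in wanted:
        if name not in params:
            result[name] = "missing"
        else:
            result[name] = "ok" if params[name] == WORKAROUNDS[name] else "wrong"
    return result
```

A result of "missing" only means the parameter is not set in that file; the patch levels in the notes still need to be verified separately.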

Cybersecurity Extension for SAP discovers vulnerable ABAP, Java, and Web Dispatcher installations that have not been properly patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the fixes in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs more than 1,800 known vulnerability checks on SAP applications and components, and supported operating systems and databases.
