Critical SAP Vulnerability Patched Months Ago Now On US Exploited Bug List

Share post:

A critical SAP vulnerability that was patched in February has been added to a U.S. government cyber agency’s list of exploited security bugs after being discussed last week at security conferences, leading to the possibility the hole is currently being exploited.

Security Week reports that the vulnerability, CVE-2022-22536, was added this week by the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to its Known Exploited Vulnerabilities Catalog.

The catalog is a list of security holes that have been exploited in the wild that must be remediated by U.S. federal departments. The private sector is also urged to review and monitor the catalog and prioritize remediation of the listed vulnerabilities to reduce the likelihood of compromise by known threat actors.

The listing now of CVE-2022-22536, coming right after researchers from Onapsis talked about it and another critical SAP vulnerability, CVE-2022-22532, at the Black Hat and DefCon conference last week, raises the possibility that the CISA has learned hackers are trying to exploit the pair of holes after learning of them at the conference.

Onapsis says the two vulnerabilities can be exploited together. “Both CVE-2022-22536 and CVE-2022-22532 were remotely exploitable and could be used by unauthenticated attackers to completely compromise any SAP installation on the planet,” unless systems are patched, the report says.

CVE-2022-22536 is a memory corruption vulnerability in NetWeaver Application Server ABAP, NetWeaver Application Server Java, ABAP Platform, Content Server 7.53 and Web Dispatcher.

According to the U.S. National Institute of Standards and Technology (NIST), the hole makes them vulnerable to request smuggling and request concatenation. An unauthenticated attacker can prepend a victim’s request with arbitrary data, says a synopsis. “This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system,” NIST says.

The other vulnerability, CVE-2022-22532, is also a memory corruption issue that affects certain versions of NetWeaver Application Server Java. NIST says it can be exploited by an unauthenticated attacker who submits a crafted HTTP server request which triggers improper shared memory buffer handling. This could allow the malicious payload to be executed and perform functions that could impersonate the victim or even steal the victim’s logon session.

The two vulnerabilities have been broadly known since February and therefore should have been addressed by now by SAP administrators. Arctic Wolf was among the security vendors issuing warnings in February about them.

Its report described CVE-2022-22536 as a critical memory corruption vulnerability in the SAP Internet Communication Manager (ICM) component of a number of products that could lead to full system takeover without authentication or user interaction.

The post Critical SAP vulnerability patched months ago now on US exploited bug list first appeared on IT World Canada.

Howard Solomon
Howard Solomonhttps://www.itworldcanada.com
Currently a freelance writer, I'm the former editor of ITWorldCanada.com and Computing Canada. An IT journalist since 1997, I've written for ITBusiness.ca and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times.

SUBSCRIBE NOW

Related articles

Payment gateway breach exposes 1.7 million credit card holders

Slim CD, a payment gateway provider, recently disclosed a significant data breach that impacted nearly 1.7 million credit...

AI Healthcare Firm Exposes 5.9 TB of Sensitive Mental Health Data

In a significant data security incident, Confidant Health, a Texas-based AI healthcare platform, inadvertently exposed 5.3 terabytes of...

Cyber Security Today – Week In Review for September 7, 2024

Cyber Security Today - Weekend Edition: Toronto School Board Hack, MoveIT Breach & Data Privacy Concerns This weekend edition...

You’re not crazy – your smart phone could be listening to you

If you have every heard someone say that they'd just had a conversation on their smart phone only...

Become a member

New, Relevant Tech Stories. Our article selection is done by industry professionals. Our writers summarize them to give you the key takeaways