The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has added a critical SAP security flaw to its Known Exploited Vulnerabilities (KEV) Catalog, based on evidence of active exploitation.
Tracked as CVE-2022-22536 and carrying a CVSS score of 10.0, the flaw was addressed by SAP as part of its Patch Tuesday updates for February 2022.
Described as an HTTP request smuggling vulnerability, the shortcoming impacts the following product versions:
- SAP Web Dispatcher (versions 7.49, 7.53, 7.77, 7.81, 7.85, 7.22EXT, 7.86, 7.87)
- SAP Content Server (version 7.53)
- SAP NetWeaver and ABAP Platform (versions KERNEL 7.22, 8.04, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87; KRNL64UC 8.04, 7.22, 7.22EXT, 7.49, 7.53; KRNL64NUC 7.22, 7.22EXT, 7.49)
An unauthenticated attacker can prepend arbitrary data to a victim's request, allowing function execution while impersonating the victim or poisoning of intermediary web caches.
Also added to the catalog in the same update are:
- Apple CVE-2022-32893 and CVE-2022-32894
- Google CVE-2022-2856
- Microsoft CVE-2022-21971 and CVE-2022-26923
- Palo Alto Networks PAN-OS CVE-2017-15944, which was disclosed in 2017
The CISA notification is light on technical details of the in-the-wild attacks associated with the vulnerabilities, so as not to give threat actors further advantage.
To mitigate exposure to potential threats, Federal Civilian Executive Branch agencies are mandated to apply the relevant patches by September 8, 2022.