SAP issues patches for critical bugs

US DHS warns exploits could halt all operations.

SAP has published patches for a number of critical vulnerabilities in Internet Connection Manager (ICM) and other products.

CISA, the cybersecurity agency within America’s Department of Homeland Security, summarised the importance of the patches in its own alert.

CISA warned that the impact of the vulnerabilities could range from data theft to a “halt of all operations”.

There was also a separate advisory published by security research firm Onapsis.

SAP’s February Patch Day announcement details eight vulnerabilities with CVSS scores of 10, making them the most critical to patch.

While technical details of the vulnerabilities are yet to be published, the products affected by the most critical vulnerabilities are SAP Web Dispatcher, Content Server, NetWeaver and ABAP Platform, Commerce, Data Intelligence, Dynamic Authorisation Management, Internet of Things Edge Platform, Customer Checkout, and Business Client.

Onapsis, which worked with SAP on three of the vulnerabilities (CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533), noted that the ICM is “one of the most important components of an SAP NetWeaver application server,” which is “present in most SAP products”.

These vulnerabilities, Onapsis said, “enable attackers to execute serious malicious activities on SAP users, business information, and processes”.

Onapsis has published a free assessment tool for customers to see if their systems are affected by the CVE-2022-22536 vulnerability.