SAP NetWeaver AS Desynchronization (ICMAD)

critical Nessus Plugin ID 157848

Synopsis

The remote SAP NetWeaver application server is affected by a desynchronization vulnerability.

Description

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable for request smuggling and request concatenation.

An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Note that Nessus has not tested for this issue but has instead relied only on the application's self-reported version number.

Solution

Apply the appropriate patch according to the vendor advisory.

See Also

http://www.nessus.org/u?f0c19cc7

https://launchpad.support.sap.com/#/notes/3123396

Plugin Details

Severity: Critical

ID: 157848

File Name: sap_netweaver_as_3123396.nasl

Version: 1.6

Type: remote

Family: Web Servers

Published: 2/9/2022

Updated: 12/5/2022

Configuration: Enable paranoid mode

Risk Information

VPR

Risk Factor: Critical

Score: 9.2

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.7

Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C

Temporal Vector: E:H/RL:OF/RC:C

CVSS Score Source: CVE-2022-22536

CVSS v3

Risk Factor: Critical

Base Score: 10

Temporal Score: 9.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Temporal Vector: E:H/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:sap:netweaver_application_server

Required KB Items: installed_sw/SAP Netweaver Application Server (AS), Settings/ParanoidReport

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2/8/2022

Vulnerability Publication Date: 2/8/2022

CISA Known Exploited Dates: 9/8/2022

Reference Information

CVE: CVE-2022-22536

IAVA: 2022-A-0063

CEA-ID: CEA-2022-0006