Onapsis, the leader in business-critical application cybersecurity and compliance, today announced that the Onapsis Research Labs and SAP Product Security Response Team collaborated to discover and patch critical network exploitable vulnerabilities that affect Internet Communication Manager (ICM), a core component of SAP business applications. SAP has promptly patched these vulnerabilities.
Both SAP and Onapsis advise impacted organizations to prioritize applying the Security Notes 3123396 and 3123427 to their affected SAP applications immediately. If exploited, these vulnerabilities, dubbed “ICMAD,” enable attackers to execute serious malicious activities on SAP users, business information, and processes — and ultimately compromise unpatched SAP applications.
The individual ICMAD vulnerabilities are identified as CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533 — the first of which received the highest possible risk score, a 10 out of 10, while the other two received scores of 8.1 and 7.5, respectively. The U.S. Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA) is issuing a Current Activity Alert relating to these vulnerabilities.
Also Read: Strategies to Set up Kubernetes Continuous Compliance
“These vulnerabilities can be exploited over the internet and without the need for attackers to be authenticated in the target systems, which makes them very critical,” said Mariano Nunez, CEO and Co-founder of Onapsis. “We applaud SAP for their rapid response and working with Onapsis Research Labs after being notified by our experts. From swiftly issuing patches to working with our team to test the efficacy of those patches to proactively notifying impacted customers and the broader security community — SAP is setting the bar for what vulnerability disclosure and response looks like and how working with trusted partners like Onapsis better protects its customers.”
Onapsis Research Labs’ thorough investigation of HTTP Smuggling over the last year led to its discovery of the vulnerabilities. Threat actors can send malicious payloads leveraging these HTTP Smuggling techniques and successfully exploit SAP Java or ABAP systems with an HTTP request that is indistinguishable from a valid message. These vulnerabilities can be exploited in affected systems over the internet and pre-authentication, meaning they are not mitigated by multi-factor authentication controls.
“SAP has partnered with Onapsis to maintain secure solutions for our global customer base,” said Richard Puckett, Chief Information Security Officer for SAP. “It is through collaboration with key partners like Onapsis that SAP can provide the most secure environment possible for our customers. We strongly encourage all SAP customers to protect their businesses by applying the relevant SAP security patches as soon as possible.”
For more such updates follow us on Google News ITsecuritywire News. Please subscribe to our Newsletter for more updates
