Three critical vulnerabilities were recently fixed in SAP business applications that use the ubiquitous Internet Communications Manager (ICM), the component that gives SAP products the HTTPS web server they need for connectivity and communication.
The vulnerabilities, identified by Onapsis Research Labs, are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first, addressed in Security Note 3123396, received the highest possible severity score: 10 out of 10. The other two scored 8.1 and 7.5, respectively.
The issues are serious enough that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about them this week. In a blog post, SAP director of security response Vic Chung also confirmed the strength of Onapsis’ findings.