Software giant SAP has released February 2022 Security Patch Day that includes 19 separate security advisories and patches, to include fixes for critical log4j and ICMAD vulnerabilities.
The SAP updates include four new ‘Hot News Notes’ for Critical severity vulnerabilities that all have a CVSS score of 10.0:
- CVE-2022-22536: Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
- CVE-2021-44228: Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Commerce
- Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Data Intelligence 3 (on-premise) – related to CVE-2021-44228, CVE-2021-45046, CVE-2021-45105
- CVE-2021-44228: Remote Code Execution vulnerability associated with Apache Log4j 2 component used in SAP Dynamic Authorization Management.
Last December, researchers had discovered the infamous Log4Shell Critical vulnerability (CVE-2021-44228) in Apache Log4j logging utility that can result in remote code execution (RCE). In addition, CISA, Microsoft and many others issued guidance for log4j vulnerability remediation.
SAP has now issued remediation updates for log4j in multiple SAP products to include SAP Commerce, SAP Data Intelligence 3 (on-premise), and SAP Dynamic Authorization Management.
Moreover, SAP also published updates to three other Security Notes for Critical log4j vulnerability CVE-2021-44228 previously released in December 2021.
Onapsis also released a threat alert on three of the ICMAD vulnerabilities CVE-2022-22536, CVE-2022-22532, and CVE-2022-22533.
“If exploited, these vulnerabilities, dubbed ICMAD (Internet Communication Manager Advanced Desync), enable attackers to execute serious malicious activities on SAP users, business information, and processes — and ultimately compromise unpatched SAP applications,” Onapsis warned in a threat report.
Given Internet Communication Manager (ICM) is a core component of SAP business applications, these issues should be addressed by SAP customers as soon as possible.
- Researchers discover Critical RCE 0-day “Log4Shell” vulnerability (CVE-2021-44228) in Apache Log4j logging utility (update)
- SAP January 2022 Security Patch Day addresses Critical and High risk vulnerabilities
- Threat hunters discover Aquatic Panda Log4Shell exploit attempts
- Apache releases new Log4k security update to fix another RCE vulnerability (CVE-2021-45046)