[Important notice] Critical SAP security vulnerability published in February


[Important notice] Remediation plan for the critical SAP security vulnerability [CVE-2022-22536] published in February

The [CVE-2022-22536] vulnerability affects the SAP NetWeaver ABAP/Java platforms, SAP Content Server and SAP Web Dispatcher. SAP customers should patch as soon as possible!!!

Symptoms:

An attacker can exploit this vulnerability in the Web Dispatcher/ICM to hijack the requests of any SAP user (including their sessions) and then take over the SAP application.
In addition, using the "HTTP response smuggling" technique, an attacker can control the responses sent by the SAP application and keep the attack going: steal any user's session and plaintext credentials (passwords and data), and modify the application's behaviour.
This vulnerability affects almost all SAP NetWeaver ABAP and Java platform application systems that use the Web Dispatcher or third-party software as a web reverse proxy, and most existing versions are affected.
It is therefore recommended to upgrade the Web Dispatcher and the kernel as soon as possible to fix the vulnerability.

 

3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
3148968 - FAQ for SAP Security Note 3123396 [CVE-2022-22536] Request smuggling and request concatenation
3137885 - Workaround for security SAP note 3123396

 

3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher

Symptom

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation.

An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Other Terms

KERNELCOR, CVE-2022-22536

Reason and Prerequisites

The vulnerability exists when HTTP clients (like browsers or other systems) access the SAP application server or SAP Web Dispatcher through an HTTP gateway, like SAP Web Dispatcher or a 3rd party load balancer or reverse proxy that terminates TLS. Direct access to SAP application servers is not vulnerable.

 

The following scenarios illustrate the vulnerability of SAP components:

Direct access to SAP application servers:

1) HTTP client -------> SAP application server : SAP application server is not vulnerable

Access through SAP Web Dispatcher:

2) HTTP client -------> SAP Web Dispatcher -------> SAP application server : SAP application server is vulnerable

3) HTTP client -------> SAP Web Dispatcher 1 -------> SAP Web Dispatcher 2 -------> SAP application server : SAP Web Dispatcher 2 and SAP application server are vulnerable

4) HTTP client -------> 3rd party HTTP gateway -------> SAP Web Dispatcher -------> SAP application server : SAP Web Dispatcher and SAP application server are vulnerable

Access through third party load balancer / reverse proxy (HTTP gateway):

5) HTTP client -------> 3rd party HTTP gateway -------> SAP application server : SAP application server is vulnerable

 

SAP strongly recommends patching all components (SAP Kernel and SAP Web Dispatcher) even in scenarios in which they are not vulnerable.

Versions of SAP Kernel and SAP Web Dispatcher that are out of maintenance and therefore not covered by this note are affected by the vulnerability.
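The five scenarios above all follow one rule: an SAP application server or SAP Web Dispatcher is exposed only when some HTTP gateway (an SAP Web Dispatcher or a third-party load balancer / reverse proxy) precedes it on the request path, while the first hop behind the HTTP client is not. The following Python script is an added example, not code from SAP or from the note, that encodes this rule as a landscape triage helper for inventorying which hops a path exposes; the hop labels and the `Hop`/`vulnerable_hops` names are this example's own assumptions. As SAP states above, a component the helper reports as not vulnerable should still be patched.

```python
"""Triage helper for the access scenarios in SAP Note 3123396.

Added example (not SAP code). Rule encoded: an SAP application server or
SAP Web Dispatcher is vulnerable to CVE-2022-22536 when at least one HTTP
gateway (SAP Web Dispatcher or third-party gateway) sits in front of it on
the request path. Direct access from the HTTP client is not affected.
"""
from dataclasses import dataclass

# Component kinds used to describe a request path (constructed labels).
CLIENT = "HTTP client"
APP_SERVER = "SAP application server"
WEB_DISPATCHER = "SAP Web Dispatcher"
THIRD_PARTY_GATEWAY = "3rd party HTTP gateway"

# Components that act as an HTTP gateway for the hops behind them.
GATEWAYS = {WEB_DISPATCHER, THIRD_PARTY_GATEWAY}
# SAP components the note lists as affected when placed behind a gateway.
SAP_COMPONENTS = {APP_SERVER, WEB_DISPATCHER}


@dataclass(frozen=True)
class Hop:
    kind: str   # one of the component kinds above
    name: str   # instance label, e.g. "SAP Web Dispatcher 2"


def vulnerable_hops(path):
    """Return the names of the hops on `path` that are vulnerable.

    `path` is the ordered list of hops from the HTTP client to the SAP
    application server. A hop is vulnerable when it is an SAP component
    and at least one gateway precedes it on the path.
    """
    if not path or path[0].kind != CLIENT:
        raise ValueError("path must start with the HTTP client")
    result = []
    gateway_seen = False
    for hop in path[1:]:
        if hop.kind in SAP_COMPONENTS and gateway_seen:
            result.append(hop.name)
        if hop.kind in GATEWAYS:
            gateway_seen = True
    return result


def describe(path):
    """Render a path in the note's own 'chain : verdict' style."""
    chain = " -> ".join(h.name for h in path)
    vuln = vulnerable_hops(path)
    verdict = (", ".join(vuln) + " vulnerable") if vuln else "not vulnerable"
    return f"{chain} : {verdict}"


def note_scenarios():
    """The five scenarios of the note, built from constructed hops."""
    client = Hop(CLIENT, "HTTP client")
    app = Hop(APP_SERVER, "SAP application server")
    wd = Hop(WEB_DISPATCHER, "SAP Web Dispatcher")
    wd1 = Hop(WEB_DISPATCHER, "SAP Web Dispatcher 1")
    wd2 = Hop(WEB_DISPATCHER, "SAP Web Dispatcher 2")
    gw = Hop(THIRD_PARTY_GATEWAY, "3rd party HTTP gateway")
    return {
        1: [client, app],
        2: [client, wd, app],
        3: [client, wd1, wd2, app],
        4: [client, gw, wd, app],
        5: [client, gw, app],
    }


if __name__ == "__main__":
    for number, path in note_scenarios().items():
        print(f"{number}) {describe(path)}")
    # SAP recommends patching every component, vulnerable or not.
```

Run as a script it prints the five scenarios with the same verdicts the note gives; for your own landscape, build the `Hop` list from your reverse-proxy and Web Dispatcher inventory and feed it to `vulnerable_hops`.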

Solution

Workaround

Please assess the workaround applicability for your SAP landscape prior to implementation.

Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends that you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.

SAP note 3137885 describes a workaround. SAP strongly recommends using it only if a patch of the affected application systems is not possible on short notice. Please patch the systems as soon as possible and remove the workaround after patching is completed.

Correction

This correction is delivered with the following archives:

  • SAPWEBDISP.SAR
  • Hotfix - file dw.sar
  • SP Stack Kernel - files SAPEXE.SAR and SAPEXEDB.SAR  

The correction requires patching both SAP Web Dispatcher and SAP Kernel. The patch solves the security issue completely. SAP cannot provide a way to test the success of the patch.

The correction is contained in all patch levels that are equal to or higher than the patch level listed in the "Support Package Patches" section of this SAP Note for the desired release.

For patching SAP Web Dispatcher, follow SAP Note 908097. It contains details about the recommended SAP Web Dispatcher version and how to download and install the patch.

For patching SAP kernel, follow the SAP recommendations on how to patch the SAP kernel:

  1. Apply the latest SP Stack Kernel if it already contains the correction. For the list of current SP Stack Kernels, see SAP Note 2083594 (SAP Kernel Versions and SAP Kernel Patch Levels).
  2. Apply the hotfix only if you are experiencing a serious error that is not yet corrected by the latest SP Stack Kernel. 
  3. Review the regression note for the required patch level before installing the kernel patch. For details, see SAP Note 1802333 (Finding information about regressions in the SAP kernel).
  4. For instructions on how to download and install kernel patches, see SAP Note 19466 (Downloading SAP kernel patches).

The paper "Update Strategy for the Kernel of the Application Server ABAP in On Premise Landscapes" provides detailed information on the SAP recommendations.

CVSS

CVSS v3.0 Base Score: 10.0 / 10
CVSS v3.0 Base Vector:

  Name                        Value
  Attack Vector (AV)          Network (N)
  Attack Complexity (AC)      Low (L)
  Privileges Required (PR)    None (N)
  User Interaction (UI)       None (N)
  Scope (S)                   Changed (C)
  Confidentiality Impact (C)  High (H)
  Integrity Impact (I)        High (H)
  Availability Impact (A)     High (H)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.