[Important Notice] Patch guidance for the critical SAP security vulnerability [CVE-2022-22536] published in February

[CVE-2022-22536] affects the SAP NetWeaver ABAP/Java platforms, SAP Content Server and SAP Web Dispatcher. SAP customers should patch as soon as possible!

Symptom:

An attacker can exploit this vulnerability in the Web Dispatcher/ICM to hijack any SAP user's request (including their session) and then take over the SAP application.
In addition, using the "HTTP response smuggling" technique, an attacker can control the responses sent by the SAP application and keep the attack going: stealing any user's session and plaintext credentials (passwords and data) and modifying the application's behaviour.
The vulnerability affects almost all SAP NetWeaver ABAP and Java application systems that use Web Dispatcher or third-party software as a web reverse proxy, and most currently deployed versions are affected.
Upgrading the Web Dispatcher and the kernel as soon as possible is therefore recommended to fix the vulnerability.

 

3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher
3148968 - FAQ for SAP Security Note 3123396 [CVE-2022-22536] Request smuggling and request concatenation
3137885 - Workaround for security SAP note 3123396

 

3123396 - [CVE-2022-22536] Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher

Symptom

SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53 and SAP Web Dispatcher are vulnerable to request smuggling and request concatenation.

An unauthenticated attacker can prepend a victim's request with arbitrary data. This way, the attacker can execute functions impersonating the victim or poison intermediary Web caches. A successful attack could result in complete compromise of Confidentiality, Integrity and Availability of the system.

Other Terms

KERNELCOR, CVE-2022-22536

Reason and Prerequisites

The vulnerability exists when HTTP clients (like browsers or other systems) access the SAP application server or SAP Web Dispatcher through an HTTP gateway, like SAP Web Dispatcher or a 3rd party load balancer or reverse proxy that terminates TLS. Direct access to SAP application servers is not vulnerable.

 

The following scenarios illustrate which SAP components are vulnerable in each deployment:

Direct access to SAP application servers:

1) HTTP client -------> SAP application server : SAP application server is not vulnerable

Access through SAP Web Dispatcher:

2) HTTP client -------> SAP Web Dispatcher -------> SAP application server : SAP application server is vulnerable

3) HTTP client -------> SAP Web Dispatcher 1 --------> SAP Web Dispatcher 2 -------> SAP application server : SAP Web Dispatcher 2 and SAP application server are vulnerable.

4) HTTP client -------> 3rd party HTTP gateway --------> SAP Web Dispatcher -------> SAP application server : SAP Web Dispatcher and SAP application server are vulnerable

Access through third party load balancer / reverse proxy (HTTP gateway):

5) HTTP client -------> 3rd party HTTP gateway --------> SAP application server : SAP application server is vulnerable

 

SAP strongly recommends patching all components (SAP Kernel and SAP Web Dispatcher) even in scenarios in which they are not vulnerable.

Versions of SAP Kernel and SAP Web Dispatcher that are out of maintenance, and therefore not covered by this note, are also affected by the vulnerability.

Solution

Workaround

Please assess the workaround applicability for your SAP landscape prior to implementation.

Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends that you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.

SAP note 3137885 describes a workaround. SAP strongly recommends using it only if a patch of the affected application systems is not possible on short notice. Please patch the systems as soon as possible and remove the workaround after patching is completed.

Correction

This correction is delivered with the following archives:

  • SAPWEBDISP.SAR
  • Hotfix - file dw.sar
  • SP Stack Kernel - files SAPEXE.SAR and SAPEXEDB.SAR

The correction requires patching both SAP Web Dispatcher and SAP Kernel. The patch solves the security issue completely. SAP cannot provide a way to test the success of the patch.

The correction is contained in all patch levels that are equal to or higher than the patch level listed in the "Support Package Patches" section of this SAP Note for the desired release.

For patching SAP Web Dispatcher, follow SAP Note 908097. It contains details about the recommended SAP Web Dispatcher version and how to download and install the patch.

For patching SAP kernel, follow the SAP recommendations on how to patch the SAP kernel:

  1. Apply the latest SP Stack Kernel if it already contains the correction. For the list of current SP Stack Kernels, see SAP Note 2083594 (SAP Kernel Versions and SAP Kernel Patch Levels).
  2. Apply the hotfix only if you are experiencing a serious error that is not yet corrected by the latest SP Stack Kernel.
  3. Review the regression note for the required patch level before installing the kernel patch. For details, see SAP Note 1802333 (Finding information about regressions in the SAP kernel).
  4. For instructions on how to download and install kernel patches, see SAP Note 19466 (Downloading SAP kernel patches).

The paper Update Strategy for the Kernel of the Application Server ABAP in On Premise Landscapes provides detailed information on the SAP recommendations.

 
CVSS

CVSS v3.0 Base Score: 10.0 / 10
CVSS v3.0 Base Vector (from the metrics below): AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

  Name                         Value
  Attack Vector (AV)           Network (N)
  Attack Complexity (AC)       Low (L)
  Privileges Required (PR)     None (N)
  User Interaction (UI)        None (N)
  Scope (S)                    Changed (C)
  Confidentiality Impact (C)   High (H)
  Integrity Impact (I)         High (H)
  Availability Impact (A)      High (H)

SAP provides this CVSS v3.0 base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
 

 

 

