External risk intelligence

SAP Web Dispatcher and NetWeaver Request Smuggling Vulnerability

CVE advisoryKnown Exploit

CVE-2022-22536

Certain SAP products are affected by a vulnerability allowing attackers to prepend arbitrary data to requests. This could lead to impersonation or cache poisoning, potentially resulting in a complete compromise of system confidentiality, integrity, and availability. The business risk is high due to the potential for ex

5Halo Surface Signal

Sap Content Server

7.537.227.497.777.817.857.867.878.04krnl64nuc_7.22krnl64nuc_7.22extkrnl64nuc_7.49krnl64uc_7.22krnl64uc_7.22extkrnl64uc_7.49krnl64uc_7.53krnl64uc_8.047.22ext

External exposure likelihood

Halo Surface Signal score for CVE-2022-22536

The affected products include SAP Web Dispatcher, which is designed as an internet-facing gateway/reverse proxy, and SAP NetWeaver application servers, which are commonly deployed as public-facing web/API endpoints. These components sit at the network edge to handle incoming traffic, making them public-facing by design in typical enterprise deployments.

Horizon Alert

Summary of the vulnerability and why it matters

Certain SAP products, including NetWeaver Application Server and Web Dispatcher, are susceptible to a flaw that allows attackers to manipulate incoming requests. This manipulation can lead to the execution of unauthorized functions or the corruption of cached data. A successful exploitation could result in a complete loss of system confidentiality, integrity, and availability.

Vulnerable SAP NetWeaver and Web Dispatcher
Flaw allows request manipulation
Impact includes system compromise

Attack Path

How an attacker could exploit the issue

This vulnerability allows an attacker to manipulate how a server processes requests. By carefully crafting a request, an attacker can cause the server to process a subsequent request from another user. This can lead to the attacker executing functions in the context of the victim user or corrupting cached content. Ultimately, this can result in a loss of confidentiality, integrity, and availability for the affected system.

Internet-facing SAP systems exposed.
Attacker sends a crafted request.
Server executes functions as victim.

Live Threat

Current exploitation, exposure, and threat context

The identified vulnerability in SAP products presents a significant threat. Attackers can exploit this to execute functions as a legitimate user, potentially leading to a complete compromise of the affected system's confidentiality, integrity, and availability. This could disrupt business operations and expose sensitive information. Given the potential for widespread impact, organizations should prioritize addressing this vulnerability.

Attackers with moderate skill.
No prior access required.
High business risk and urgency.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

This vulnerability affects multiple SAP products, enabling unauthenticated attackers to prepend arbitrary data to requests. Successful exploitation can lead to unauthorized function execution, impersonation of legitimate users, and the poisoning of web caches, potentially resulting in a complete compromise of system confidentiality, integrity, and availability. The nature of the vulnerability suggests a high business risk due to the potential for extensive system compromise and data breaches.

Find affected SAP assets.
Reduce exposure or isolate risk.
Apply vendor fix, verify, and monitor.

Frequently asked questions

What is SAP NetWeaver Application Server ABAP and Java?

SAP NetWeaver Application Server ABAP and Java are platforms used to build and run enterprise applications. They serve as the foundation for many SAP business solutions, enabling organizations to manage their operations and data.

What kind of weakness does CVE-2022-22536 represent?

CVE-2022-22536 is a request smuggling vulnerability. This means an attacker can trick a web server into processing unintended requests, potentially by manipulating how HTTP requests are interpreted.

How can an attacker exploit this SAP vulnerability?

An attacker can exploit this by sending a specially crafted request that prepends arbitrary data. This manipulation can cause the server to process subsequent requests in an unexpected way, allowing the attacker to execute functions as a victim or poison web caches.

Who should be concerned about this SAP vulnerability?

Organizations with internet-facing SAP systems are at higher risk. The Halo Surface Signal indicates these products are often deployed at the network edge, making them accessible to external attackers.

What is the first step to address this SAP vulnerability?

The initial step is to identify all affected SAP assets within your environment. Once identified, you should consider reducing their exposure or isolating them until a vendor fix can be applied and verified.

References

Written by Nicholas Merritt

External-surface CVE analysis and Halo Surface Signal prioritization for Halo Threat Intelligence.