SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and its customers every second Tuesday of the month.
SAP Note 3080567 was released on 14.09.2021 and deals with "[CVE-2021-38162] HTTP Request Smuggling in SAP Web Dispatcher" within Kernel.
We advise you to follow the instructions to resolve the code injection, denial of service (DoS) and information disclosure issues (high potential for exploitation) in component BC-CST-WDP.
According to the SAP Security Advisory team, a workaround exists. It is advisable to implement the correction as part of the monthly patch process.
Risk specification: SAP Web Dispatcher allows an authenticated attacker to submit a malicious request to a front-end server which, after several attempts, leads to the back-end server confusing the boundaries of malicious and legitimate messages. This can result in the back-end server executing a malicious payload that can be used to read or modify any information on the server or to make it temporarily unavailable.
The SAP Web Dispatcher has been fixed to prevent this code injection vulnerability. Alternatively, the consulting team has proposed the following: "As temporary workaround, block requests with malformed header (for Details refer to Note for more details).". The suggestion may be considered as a workaround or compensating mitigation. We recommend installing/applying the correction wherever possible and as soon as possible. Base your decision on whether or not to apply the patch on your company's and systems' risk perspective and consider the provided CVSS 8.9 score.
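As an added illustration (not code from SAP or from the Note), the following Python check rejects requests whose message framing is ambiguous at the front end, which is the kind of "malformed header" filter the workaround describes: a request whose length the front-end and back-end servers could interpret differently is blocked before it is forwarded. The exact header criteria in the Note are not quoted on this page, so the checks below (Content-Length together with Transfer-Encoding, conflicting or non-numeric lengths, whitespace inside header names, unrecognised transfer codings) are assumed from RFC 7230 rather than taken from SAP, and the sample requests are constructed.

```python
import re

# Constructed sample request heads for illustration (not taken from SAP Note 3080567).
SAMPLE_REQUESTS = {
    "clean": (b"POST /sap/public/ping HTTP/1.1\r\nHost: wd.example\r\n"
              b"Content-Length: 5\r\n\r\nhello"),
    "cl_and_te": (b"POST /sap/public/ping HTTP/1.1\r\nHost: wd.example\r\n"
                  b"Content-Length: 5\r\nTransfer-Encoding: chunked\r\n\r\n0\r\n\r\n"),
    "dup_cl": (b"POST /sap/public/ping HTTP/1.1\r\nHost: wd.example\r\n"
               b"Content-Length: 5\r\nContent-Length: 12\r\n\r\nhello"),
    "space_name": (b"POST /sap/public/ping HTTP/1.1\r\nHost: wd.example\r\n"
                   b"Transfer-Encoding : chunked\r\n\r\n0\r\n\r\n"),
}


def framing_problems(raw: bytes) -> list:
    """Return the reasons a request's message framing is ambiguous or malformed (empty if none)."""
    head = raw.split(b"\r\n\r\n", 1)[0]      # only the request line and headers matter here
    lines = head.split(b"\r\n")
    problems = []
    content_lengths = []
    transfer_encodings = []
    for line in lines[1:]:                  # skip the request line
        name, sep, value = line.partition(b":")
        if not sep:
            problems.append("header line without a colon")
            continue
        # RFC 7230 allows no whitespace between the field name and the colon;
        # a leading space also catches obsolete line folding (obs-fold).
        if not name or name != name.strip():
            problems.append(f"whitespace around header name: {name!r}")
        key = name.strip().lower()
        if key == b"content-length":
            content_lengths.append(value.strip())
        elif key == b"transfer-encoding":
            transfer_encodings.append(value.strip().lower())
    if content_lengths and transfer_encodings:
        problems.append("both Content-Length and Transfer-Encoding present")
    if len(set(content_lengths)) > 1:
        problems.append("conflicting Content-Length values")
    for cl in content_lengths:
        if not re.fullmatch(rb"[0-9]+", cl):
            problems.append(f"non-numeric Content-Length: {cl!r}")
    if any(te != b"chunked" for te in transfer_encodings):
        problems.append("Transfer-Encoding is not exactly 'chunked'")
    return problems


def should_block(raw: bytes) -> bool:
    """Fail closed: any framing ambiguity means the request is rejected at the edge."""
    return bool(framing_problems(raw))
```

A production filter would additionally log the rejected request's problem list so that repeated attempts against the front end are visible to monitoring.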