Advisory
On 12.04.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Kernel.
SAP Note 3111311 addresses "[CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)" to prevent denial of service (dos) with a high risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specification
By overlong input values an attacker may force overwrite of the internal program stack in SAP Web Dispatcher or Internet Communication Manager, which makes these programs unavailable.Solution
The affected code has been updated to properly validate input values
The advisory is valid for
- KERNEL 7.53 22
- KERNEL 7.77 21
- KERNEL 7.81 20
- KERNEL 7.85 13
- KERNEL 7.86 10
- KRNL64UC 7.53 21
- SAP_EXTENDED_APP_SERVICES 1 5
- WEBDISP 7.53 8
- WEBDISP 7.77 8
- WEBDISP 7.81 7
- WEBDISP 7.85 4
- WEBDISP 7.86 3
- XS_ADVANCED_RUNTIME 1.00 5
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 6.5 [CVE-2022-27670] Denial of service (DOS) in SQL Anywhere