On 08.02.2022 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Kernel.
SAP Note 3116223 addresses "[CVE-2022-22543] Denial of service (DOS) in SAP NetWeaver Application Server for ABAP (Kernel) and ABAP Platform (Kernel)" to prevent denial of service (dos) with a low risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specificationThis note has been re-released with updated ‘Support Packages & Patches’ information. SAP NetWeaver Application Server ABAP and ABAP Platform Kernels do allow an unauthenticated attacker to crash the work process and thus creating a denial of service.
The kernel now properly validates Extended Passport (EPP) information, and therefore no longer crashes on receipt of a malformed EPP.
The advisory is valid for
- KERNEL 7.22 11
- KERNEL 7.49 17
- KERNEL 7.53 18
- KERNEL 7.77 16
- KERNEL 7.81 15
- KERNEL 7.85 8
- KERNEL 7.86 7
- KERNEL 7.87 4
- KERNEL 8.04 8
- KRNL64NUC 7.22 15
- KRNL64NUC 7.22EXT 15
- KRNL64NUC 7.49 17
- KRNL64UC 7.22 15
- KRNL64UC 7.22EXT 15
- KRNL64UC 7.49 17
- KRNL64UC 7.53 15
- KRNL64UC 8.04 8
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 [CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)