A note with CVSS 5.3 for component BC-CST-MS was released by SAP on 10.05.2022. The correction/advisory 3145702 was described with "[CVE-2022-29616] Memory Corruption vulnerability in SAP Host Agent, SAP NetWeaver and ABAP Platform" and affects the system type SAP Host AgentKernel.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is denial of service (dos) within SAP Host AgentKernel.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specificationSAP Host Agent, SAP NetWeaver and ABAP Platform, allow an unauthenticated attacker to leverage logical errors in memory management to cause memory corruption which impacts service availability.
The Out-of-bounds write access is prevented by checking the value length to be a positive integer. Customer needs to get msg_server from scs.sar and sapstartsrv either from scs.sar, sapwebdisp.sar or sapexe.sar. Also an update to the newest SAP Host Agent is necessary.
The advisory is valid for
- KERNEL 7.22 14
- KERNEL 7.49 21
- KERNEL 7.53 21
- KERNEL 7.77 19
- KERNEL 7.81 18
- KERNEL 7.85 11
- KERNEL 7.86 10
- KERNEL 7.87 7
- KERNEL 7.88 4
- KERNEL 8.04 9
- KRNL64NUC 7.22 18
- KRNL64NUC 7.22EXT 18
- KRNL64NUC 7.49 21
- KRNL64UC 7.22 18
- KRNL64UC 7.22EXT 18
- KRNL64UC 7.49 21
- KRNL64UC 7.53 18
- KRNL64UC 8.04 9
- SAPHOSTAGENT 7.22 5
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 [CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)