On April 22, ReliaQuest released details of a zero-day vulnerability that the company discovered during investigations into customer incidents involving the upload and execution of malicious files in SAP NetWeaver Java systems. According to the findings of the investigation, threat actors were able to take full control of the target systems by exploiting a vulnerability in the Metadata Uploader endpoint within the Development Server of the Visual Composer component in SAP NetWeaver Java. The exploitation involved specific POST requests that led to the installation of JSP webshell files in the directory j2ee/cluster/apps/sap.com/irj/servletjsp/irj/root/. The webshells enabled threat actors to execute remote commands and obtain full control of SAP systems using the privileges of the SAP operating system user <SID>ADM.
The vulnerability was reported to SAP by ReliaQuest. SAP disclosed the vulnerability as CVE-2025-31324 on April 24 and released a patch in security note 3594142. The CVSS score for the CVE is 10/10 and the security note is rated hot news. The patch applies authentication and authorization to prevent unauthorized access and file upload.
Security note 3594142 provides an automated correction for version 7.50 of the Visual Composer Framework in NetWeaver Java systems. In accordance with the general SAP maintenance strategy, patches are only provided for support packages released within the last 24 months. Please refer to the SAP 24-Month Rule for SAP Security Patching for more information regarding the strategy. Versions 7.0-7.40 of SAP NetWeaver Java are no longer maintained by SAP. Mainstream maintenance for version 7.50 is available until the end of 2027. Extended maintenance will be offered until the end of 2030.
Visual Composer is available in all 7.x versions of SAP NetWeaver Java. Workarounds for versions lower than 7.50 are detailed in KBA 3593336. The workarounds include options for disabling Visual Composer, disabling the application alias for the Development Server, or blocking access to the Development Server using either Access Control Lists (ACLs) defined for the Internet Communication Manager (ICM) or URL restrictions implemented using firewall rules.
Layer Seven Security has released an update for the Cybersecurity Extension for SAP to enable the detection of attempted and successful exploitation of CVE-2025-31324 in SAP NetWeaver Java Systems. This includes POST requests to the vulnerable component and discovering the presence of malicious files in target directories. The solution also checks version information for SAP NetWeaver Java to ensure systems are able to apply automated corrections from SAP rather than manual workarounds.
Regular patching is critical for protecting SAP software against security vulnerabilities. Security weaknesses are discovered by SAP through internal testing and testing performed by external researchers. The latter disclose vulnerabilities directly to the SAP Product Security Response Team and through the official SAP bug bounty program.
Once a vulnerability is identified or reported, it is validated and reviewed by SAP. Corrective measures can be automated or manual or a combination of both. Corrections are published as SAP security notes on the second Tuesday of each month. SAP provides several tools for discovering, analyzing and implementing required security notes including the SAP Support Portal, Maintenance Planner, System Recommendations, and Note Assistant.
Security notes are rated by SAP based on the severity of each vulnerability. Hot news notes address the most severe vulnerabilities in SAP solutions. Other severities include high, medium and low. SAP also uses the Common Vulnerability Scoring System (CVSS) to rate vulnerabilities. CVSS is a widely used standardized model for assessing vulnerabilities across all software solutions. CVSS scores of 9.0-10.0 and 7.0-8.9 are considered critical and high, respectively. Most vulnerabilities are scored by SAP using CVSS version 3.0. The CVSS score is based on a complex calculation that includes an assessment of multiple factors such as attack complexity, dependencies, user interaction, and the impact to data confidentiality, integrity, and availability. The values used to rate each factor and determine the score are included in the vector string for each vulnerability.
SAP is a CVE Numbering Authority (CNA). Most security notes are assigned a unique CVE and published by SAP in CVE databases. Therefore, SAP vulnerabilities are publicly disclosed even though SAP security notes can only be accessed through the SAP support portal. Some information in security notes is not publicly available. This includes details of workarounds where customers cannot or choose not to implement automated corrections. However, the majority of security notes do not include workarounds. Many older SAP security notes do not include a CVE. SAP became a CVE Numbering Authority in late 2017 and therefore older SAP vulnerabilities are not publicly disclosed.
There are two types of security notes, patch day notes and support package notes. Patch day notes address all vulnerabilities reported by external researchers, regardless of severity, and hot news vulnerabilities discovered internally by SAP with a very high (9.0+) CVSS rating. Support package notes address high, medium and low severity vulnerabilities discovered by SAP. Support package notes are implemented via SP fixes or upgrades. In accordance with the general SAP maintenance strategy, SAP only delivers support package notes for support packages shipped within the last 24 months. This is referred to as the 24-month rule. The rule took effect on June 11 2019 and extended the previous coverage period for support packages from 18 months. The impact of the rule is that software components patched up to SP levels where the support packages were released more than 24 months ago are not provided with SP fixes to remove low, medium and high severity vulnerabilities discovered internally by SAP. The vulnerabilities can only be addressed by performing an SP upgrade to a support package that is within the 24-month rule.
There are some exceptions to the 24-month rule. Some SAP products adhere to a product-specific maintenance strategy rather than the general strategy. This includes products such as SAP HANA, BW/4HANA, and SAP Kernel. The maintenance strategy for each product is documented in specific SAP notes. For example, note 2378962 includes the revision and maintenance strategy for SAP HANA version 2.0. HANA Support Package Stacks (SPS) that are out of maintenance are detailed in the note.
The Cybersecurity Extension for SAP automatically discovers software components with SP levels outside the 24-month rule. It enables customers to track the lifecycle of support packages to ensure software components are patched up to SP levels that are within the SAP maintenance window. Customers are therefore able to apply fixes for all available SAP security notes.
The Cybersecurity Extension for SAP also monitors SAP HANA to identify systems using Support Package Stacks that are out of maintenance, as well as SAP Kernels using outdated Kernel versions.
Security notes are released by SAP on the second Tuesday of every month to address vulnerabilities in SAP solutions. The vulnerabilities are discovered by external security researchers and reported as part of SAP’s disclosure program. They are also discovered directly by SAP through its’s ongoing research and testing. Security notes are scored by SAP using version 3.0 of the Common Vulnerability Scoring System (CVSS). CVSS generates a score from 0 to 10 based on the severity of the vulnerability. SAP also assigns a priority level for each note. Critical notes are categorized as hot news.
There were over 150 security notes released in 2024 to address vulnerabilities in SAP solutions. The average CVSS score was 5.9. Approximately 1 in 4 of the notes were categorized as hot news or high priority. This article reviews the most important security notes of 2024, based on CVSS score. Hot news notes should be prioritized for implementation. Often, workarounds included in some notes can be applied to mitigate risks if the corrections cannot be applied immediately.
Note 3479478 [CVE-2024-41730] is the one of the highest rated notes of 2024 with a CVSS score of 9.8. The note patches a missing authentication check in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability can be exploited by attackers to compromise logon tickets using a REST endpoint if Single Sign-On is enabled. The property Trusted_Auth_Shared_Secret can be set to Disabled in the effected files to mitigate the vulnerability if BOBJ cannot be upgraded to the required patch level immediately.
Note 3455438 also has a CVSS score of 9.8. The note addresses code injection and remote code execution vulnerabilities in open-source components bundled in SAP CX Commerce. This includes API tools in Swagger UI and database drivers in Apache Calcite Avatica. The solutions referenced in the note remove the vulnerable components in Swagger UI and upgrade Apache Calcite Avatica to the recommended version. There are no workarounds.
Note 3448171 patches CVE-2024-33006 for a critical file upload vulnerability in SAP NetWeaver Application Server ABAP (AS ABAP). The CVE is rated 9.6. The vulnerability can be exploited to bypass malware scanning and completely compromise SAP systems. The correction and workaround detailed in the note apply signature checks for the FILESYSTEM and SOMU_DB content repositories. The vulnerability impacts most version of the SAP_BASIS component in AS ABAP.
Note 3425274 [CVE-2019-10744] patches a code injection vulnerability in SAP Build Apps. The vulnerability arises from specific versions of the Lodash open-source JavaScript library used for programming tasks included in SAP Build Apps. Applications should be rebuilt with version 4.9.145 or later to prevent the vulnerability.
SAP Build Apps is also vulnerable to CVE-2024-29415, a severe Server-Side Request Forgery (SSRF) vulnerability detailed in note 3477196.
Note 3536965 [CVE-2024-47578] addresses SSRF and information disclosure vulnerabilities in Adobe Document Services of SAP NetWeaver AS for JAVA (AS Java). Updating the ADSSAP software component to the recommended patch level will remove the vulnerabilities in the relevant web applications and services in AS Java.
Note 3433192 [CVE-2024-22127] deals with a code injection vulnerability in the Administrator Log Viewer plug-in of AS Java. The vulnerability requires administrative privileges for successful exploitation. Therefore, restricting the use of the Administrators role can mitigate the vulnerability.
Note 3420923 [CVE-2024-22131] patches a vulnerable RFC service in AS ABAP to prevent a critical code injection vulnerability. The workaround in the note recommends restricting access to function modules for CA-SUR using authorization object S_RFC.
Other important notes include 3413475 for multiple CVEs in SAP Edge Integration Cell and 3412456 [CVE-2023-49583] which addresses an escalation of privileges vulnerability in node.js applications created using SAP Business Application Studio, SAP Web IDE Full-Stack or SAP Web IDE for SAP HANA.
The risk of unpatched systems is consistently reported as one of the top three threats to SAP systems in every survey of SAP customers performed by SAPinsider since 2021. Regularly implementing SAP security notes is reported as the most significant action performed by organizations to secure their SAP solutions. Security notes provide include corrections for known vulnerabilities in SAP software. They are released by SAP on Patch Tuesday, the second Tuesday of each month.
Keeping up with SAP patches is reported as the first or second greatest cybersecurity challenge confronted by SAP customers. This is due to several factors including:
High volume of security notes
Maintaining system availability
Validating calculated notes
Scheduling downtime
Prioritizing security notes
Resource constraints
The whitepaper Security Patching for SAP Solutions from Layer Seven Security includes best practices to overcome these challenges. It provides a comprehensive framework for discovering, analyzing and implementing SAP security notes. The whitepaper includes clear and practical recommendations from the leaders in SAP cybersecurity to automate and optimize security patching procedures for SAP.
Maintenance Planner is a cloud solution from SAP that supports the planning and administration of systems in SAP landscapes. It is the successor to Maintenance Optimizer and Landscape Planner and consolidates and simplifies tasks such as system installation, updates, upgrades and conversions.
Maintenance Planner is hosted on the SAP Support Portal. It maintains an inventory of SAP systems in customer landscapes. The inventory can be viewed using the Explore Systems tile.
Landscapes can also be analyzed using graphical topologies in Hybrid Landscape Visualization.
Explore Systems provides detailed software information for each system such as product versions, components and stack levels, as well as tracks and dependencies. Tracks are used to group related systems and streamline maintenance.
Maintenance Planner identifies products that are out of maintenance, third-party add-ons installed in SAP systems, and inconsistencies between displayed software components and installed components in systems. The software information is sourced by Maintenance Planner directly from the Landscape Management Landscape Database (LMDB) in SAP Solution Manager. The information is synchronized with the LMDB every day via the SAP-OSS connection between Solution Manager and SAP Support.
Upgrade Dependency Analyzer (UDA) is integrated with Maintenance Planner to help identify the impact of maintenance tasks in dependant systems. Maintenance Planner identifies and downloads the required software packages for planned upgrades or new systems. It also supports conversion tasks for migration from SAP ERP to S/4HANA. Finally, Maintenance Planner includes guided workflows to discover and integrate SAP cloud solutions.
Maintenance Planner calculates and displays recommended notes for systems in each landscape. The notes are analyzed and managed using the View Recommended Notes tile. It supports searching, filtering, grouping, sorting, and exporting of results. The Calculate Notes option displays relevant notes for selected systems. Notes are grouped by category including Security, Hot News, Performance and Legal Change. You can select a note from the available categories to view the details. CVE, CVSS and vector information is provided for SAP Security Notes.
Maintenance Planner can track the implementation lifecycle of notes using the Processing Status option. The following values are supported for the option:
Transferring: Note is transferred for implementation In Progress: Note implementation is in progress Not Relevant: Invalid or irrelevant note for the system
A Comments field is also included for users to provide additional information related to the implementation status of each note.
Maintenance Planner provides an alternative to System Recommendations for discovering and managing required notes in SAP systems. However, unlike System Recommendations, Maintenance Planner does not identify SAP HANA, Web Dispatcher and platform-related notes. Also, it does not integrate with Change Request Management (ChaRM), Usage and Procedure Logging (UPL), ABAP Call Monitor (SCMON), and Solution Documentation for the full lifecycle management of notes and automated change impact analysis to support test planning.
System Recommendations (SysRec) in SAP Solution Manager automatically calculates relevant security notes for SAP systems based on the available software and application components in each system. It provides a cross-system view for required notes using a customizable, user-friendly interface.
The use of SysRec is recommended by SAP for the lifecycle management of notes. It connects directly to SAP Support to perform a daily or weekly check for new notes. It identifies prerequisite and side-effect notes. It also identifies support packages for notes. Corrections can be downloaded directly through SysRec and staged automatically in systems. SysRec integrates with Change Request Management (ChaRM) for applying notes. It also supports change impact analysis for test planning through integration with the Business Process Change Analyzer (BPCA). Usage statistics for impacted objects are included in SysRec through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON).
Despite these benefits, there is one major drawback for SysRec. Based on an analysis performed by Layer Seven Security, an average of 30 percent of security notes reported in SysRec are false positives. The notes are irrelevant since the impacted application components are not installed in the relevant SAP systems. The process of manually reviewing notes in SysRec in order to identify and remove false positives is time-consuming, especially for large SAP landscapes. It can also lead to delays in the implementation of corrections to address security vulnerabilities in SAP solutions.
SysRec calculates notes for systems based on software information sourced from the Landscape Managed Database (LMDB) in SAP Solution Manager. The LMDB includes details of software components and versions for each system. This information supports not only SysRec, but Root Cause Analysis and System Monitoring in Solution Manager, and the Maintenance Planner in the SAP Support Portal. The data is synched from the System Landscape Directory (SLD). Therefore, one of the root causes of false positives in SysRec is the incomplete registration of systems in the SLD and synchronization issues between between the SLD and LMDB. Other root causes are job or connection errors during the runtime for the SysRec calculation. The LMDB can be kept in sync with the SLD by using the resynchronization option in the LMDB. Job and connection errors can be identified and alerted for using Job Monitoring and Interface Connection Monitoring in SolMan.
However, system maintenance, synchronization, and monitoring does not remove all false positives in SysRec. This is often a major source of frustration for SAP customers. The Cybersecurity Extension for SAP automatically identifies and removes false positives in SysRec by validating if the application components for notes are installed in SAP systems. Security notes for components that are not installed are marked as ‘Irrelevant’. Irrelevant notes can be removed using filters to improve the quality and reliability of results in System Recommendations.
The Cybersecurity Extension for SAP also enriches SysRec results by including information such as the CVE, CVSS and Vector for each note. This information supports the analysis and prioritizing of security notes based on risk and impact.
SAP Focused Run delivers real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers that need to monitor customer SAP installations from a central platform. It leverages the power of SAP HANA to support centralized monitoring for thousands of systems in high-volume environments. Focused Run is intended to complement SAP Solution Manager in SAP landscapes by substituting configuration, integration, system, and user monitoring scenarios from SolMan. However, Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.
This article explores the capabilities of the Advanced Configuration Monitoring (ACM) scenario in Focused Run. Scenarios such as Advanced Event and Alert Management (AEM), Advanced Integration Monitoring (AIM) and Advanced User Monitoring (AUM) will be discussed in later posts. ACM includes Configuration and Security Analytics (CSA), accessed from the Fiori launchpad of Focused Run. CSA enables SAP users to analyze the configuration of applications, databases and hosts and automate audits for security compliance. The following short video from SAP provides a quick introduction to CSA: Advanced Configuration Monitoring
CSA analyzes configuration data collected and transferred via the Simple Diagnostics Agent (SDA) from SAP systems. Focused Run does not include a built-in Business Warehouse (BW). Therefore, unlike Solution Manager, configuration data is stored in HANA database tables starting with CCDB_DATA_ rather than BW InfoCubes. This simplifies the architecture and improves the performance for configuration analysis. The tables are read by the Configuration and Change Database (CCDB). Configuration changes are tracked to support change and trend analysis. This includes changes to security-relevant parameters, services, RFC destinations, and user privileges. The CCDB contains snapshots of SAP systems. The configuration data is structured in containers known as config stores. The stores can be updated every hour to maintain up-to-date snapshots of SAP systems. The stores can be queried using the search option in CSA. The config store below displays the current values for all profile parameters in system FR1.
The following store contains details of user assigned critical profiles. User related stores can be customized to extract details for specific profiles, roles, user types, authorizations, and combinations of roles and authorizations.
CSA can be used to configure and apply policies that analyze config stores to audit systems and automate compliance checks. Policy Maintenance in CSA enables users to create XML policies. Policies can also be converted from target systems in Configuration Validation from SAP Solution Manager. Policies can be exported and imported as XML files or transported between Focused Run installations. SAP recommends limiting the number of checks in single policies to 100 to restrict the number of SQL statements. However, single policies can be combined into composite policies to execute thousands of checks in parallel. In the example below, the composite policy ABAP Parameters includes multiple single policies for reviewing security-relevant parameters in ABAP systems.
In order to apply a generated single or composite policy to audit SAP systems, you must first define the scope of systems. Systems can be grouped by Customer ID, Data Center, IT Admin Role (Environment) and other variables (see below). Customer ID can be used to group systems by company or business group.
The next step is to select and apply the required single or composite policy. The results below summarize the compliance status of systems in the L7_FRUN group against the ABAP Parameters composite policy.
Users can drilldown into the findings for each system to focus on parameters that failed the policy check.
You can click on the icon at the end of each rule to view further details.
The current value of the parameter is displayed in the Value column. The results can be exported to Excel for offline analysis.
Policy checks can be scheduled for hourly, daily or weekly intervals in Policy Management.
The results of the scheduled checks can be displayed in Trend Analysis. This provides a graphical analysis of compliance levels for each interval of the report.
Focused Run does not include the equivalent of System Recommendations in SAP Solution Manager for discovering and applying security notes. SAP periodically publishes policies for security notes to GitHub. The policies can be downloaded and imported into Focused Run to check for the implementation status of relevant notes in each system. This approach can lead to inconsistencies between System Recommendations and Focused Run since calculated notes may not align between the solutions. The Cybersecurity Extension for SAP Focused Run from Layer Seven Security integrates System Recommendations with Focused Run to ensure calculated notes are consistent between both platforms. The CSA policy below displays all security notes calculated by System Recommendations. The results can be filtered by system and priority. With this approach, SAP customers do not need to manually update FRUN with new policies for security notes. Calculated notes are updated automatically daily.
The beta release of the Cybersecurity Extension for SAP Focused Run is scheduled for Q3 2022 and will include additional config stores to supplement the security content in the CCDB, preconfigured single and composite policies for ABAP, HANA and Java systems, and monitoring templates to support alerting for SAP logs including the Security Audit Log and the HANA audit log.
Regularly patching SAP systems is the single most important action you can take to secure business-critical SAP applications from cyber threats. Despite the concern surrounding zero-day vulnerabilities, every known SAP exploit targets existing vulnerabilities patched by SAP through security notes. In other words, there is no evidence of the exploitation of zero-day vulnerabilities for SAP applications. However, there is a multitude of evidence for the exploitation of known vulnerabilities that have been fully patched by SAP.
This includes well-known SAP vulnerabilities such as ICMAD, RECON and 10KBLAZE. Notes 3123396 and 3123427 patch SAP for ICMAD. Note 2934135 secures SAP against RECON exploits. Protection against 10KBLAZE can be applied through notes 1408081, 821875, and 1421005. Some the notes for 10KBLAZE have been available since 2006. This is 13 years before CISA released an alert for the exploits.
Organizations take an average of three months to implement hot news notes for critical SAP vulnerabilities. Yet threat actors can weaponize SAP vulnerabilities within 72 hours of a patch release. Therefore, it is important to minimize the window of opportunity for attackers by rapidly discovering, analyzing and implementing SAP security notes.
Most software tools for SAP patch management automate the discovery of SAP security notes but do not support notes analysis and implementation. System Recommendations (SysRec) is the only solution that supports the full lifecycle of SAP security notes. SysRec is a standard application in SAP Solution Manager, recommended by SAP for patch management. It is automatically enabled during the installation and setup of Solution Manager.
Discovery
For notes discovery, SysRec performs a daily check for the latest security notes. Therefore, customers are notified immediately as soon as new notes are released by SAP. SysRec connects directly to the SAP Support Portal to identify new notes. It calculates relevant notes based on software information for SAP systems stored in the Landscape Management Database (LMDB). The LMDB is synced to the SAP NetWeaver System Landscape Directory (SLD). The SLD is the source of system information in SAP landscapes including installed software components, databases and operating systems and the versions of components and platforms. Notes calculation takes into account the implementation status of notes. Therefore, fully implemented notes are automatically excluded by SysRec.
It is important to note that the results returned by SysRec are based on installed components, regardless of usage. All installed components must be maintained and patched even if they are not actively used since they are part of the attack surface.
System Recommendations is widely used by SAP administrators to manage not only SAP security notes but also correction, legal, performance and other notes. SAP security teams that rely on third party solutions for notes discovery often clash with SAP administrators since security notes returned by their tools do not align with the results of SysRec. SAP administrators are inclined to trust the results of SAP applications such as SysRec over third party solutions. This can lead to disputes and delays within organizations as SAP administration and security teams fail to align on the notes that should be implemented. The risk is avoided when both teams use System Recommendations and are therefore aligned on the required security notes.
Analysis
SysRec supports detailed notes analysis through integration with Usage and Procedure Logging (UPL) and the ABAP Call Monitor (SCMON). UPL and SCMON support change impact analysis by revealing function modules, methods, programs and other objects impacted by security notes before they are applied. It includes usage statistics for impacted objects. This information enables SAP administrators to determine the scope and extent of testing for security notes. Notes impacting many objects with high usage counts may require detailed integration or regression testing. Conversely, notes impacting few objects with low usage counts indicates that customers may be able to employ less complex and more rapid test approaches such as smoke tests. Change impact analysis in SysRec provides the insights required by SAP customers to pinpoint the effect of security notes in SAP systems. This addresses the root cause of long patch cycles that increase the period of vulnerability for SAP systems.
Implementation
System Recommendations enables users to download corrections from the SAP Support Portal directly to the target SAP system. This is performed using the option for Integrated Desktop Actions. The user is prompted to select the target system before the download and can therefore select non-productive SIDs when analyzing notes for productive SIDs. SysRec automatically calls SNOTE in the target system after the download to apply the note.
Integrated Desktop Actions also enables users to create a Request for Change (RfC) in Change and Request Management (ChaRM) for security notes. ChaRM is commonly used by SAP customers to manage the lifecycle of SAP changes and includes workflows to control requests including phases for requirements, approval, testing, and promotion to production.
If you would like to learn more about patching SAP systems using System Recommendations, request a pre-release of Layer Seven Security’s new whitepaper for SAP Security Patching, scheduled for Q3 2022.
International threat intelligence agencies including the U.S Cybersecurity & Infrastructure Security Agency (CISA) and the Computer Emergency Response Team for the EU (CERT-EU) issued security advisories last week for critical vulnerabilities in the SAP Internet Communication Manager (ICM). The ICM supports inbound and outbound communication with SAP systems using the HTTP(S) protocol. It is a standard component of the NetWeaver Application Server ABAP and Java and the SAP Web Dispatcher.
The advisories relate to CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533, labelled ICMAD (Internet Communication Manager Advanced Desync). The most critical is CVE-2022-22536: a memory corruption vulnerability that can be exploited through a single HTTP request to fully compromise SAP systems, remotely and without authentication. This impacts AS ABAP and the Web Dispatcher when they are accessed through an HTTP gateway. For AS ABAP, the gateway could be the Web Dispatcher. The vulnerability does not impact direct access to SAP application servers. CVE-2022-22532 impacts AS Java only. This vulnerability has a lower CVSS than CVE-2022-22536 due to a higher attack complexity, but ranks high in terms of impact to Confidentiality, Integrity, and Availability. CVE-2022-22533 is for a lower priority denial of service vulnerability in AS Java triggered by requests that exhaust Memory Pipes (MPI) used for communicating between the ICM and work processes in application servers.
There is evidence of active scanning for ICMAD. SAP systems exposed to the Internet are especially vulnerable. External-facing Web Dispatchers are equally vulnerable. Consequently, it is critical to apply the relevant security notes to patch SAP systems against ICMAD.
Note 3123396 patches AS ABAP and the Web Dispatcher for CVE-2022-22536. SAP Kernels and Web Dispatchers should be updated to the minimum patch levels detailed in the note. The workaround detailed in note 3137885 can be applied as a stop-gap measure if the patches cannot be implemented at short notice. For access through the Web Dispatcher, refer to 3137885 to ensure that Web Dispatcher installations meet the minimum patch level. To apply the workaround, the profile parameter wdisp/additional_conn_close should be set to TRUE. For more details, refer to note 3138881.
Note 3123427 patches AS Java for CVE-2022-22532 and CVE-2022-22533. The workaround recommended in the note can be applied using the parameter setting icm/handle_http_pipeline_requests=FALSE if support for HTTP pipeline requests is not required.
The Cybersecurity Extension for SAP discovers vulnerable ABAP, Java and Web Dispatcher installations that have not been successfully patched for ICMAD. It also identifies missing or incorrectly applied workarounds if the corrections in notes 3123396 and 3123427 have not been applied. The SAP-certified solution performs over 1800 checks for known vulnerabilities in SAP applications and components and supporting databases and operating systems.
Log4JShell is one of the most dangerous security vulnerabilities in decades. It can be exploited remotely with minimal complexity and without authentication to execute arbitrary code that could lead to the complete compromise of vulnerable applications.
Log4Shell impacts Log4J, a widely installed open-source Java logging utility. A dangerous zero-day remote code execution vulnerability in Log4J was reported in November last year. The vulnerability was patched in December and published in the National Vulnerability Database on December 12 as CVE-2021-44228.
Log4Shell was added to the Known Exploited Vulnerabilities (KEV) Catalog by the Cybersecurity and Infrastructure Security Agency (CISA) due to evidence of widespread active exploitation of the vulnerability by multiple threat actors. This includes nation state groups originating from China, Iran, Russia and North Korea. According to some reports, threat actors are exploiting the vulnerability to deploy ransomware payloads or to gain access to target networks. The access is then brokered to other threat actors.
Log4J is bundled in multiple SAP solutions including products such as SAP HANA and SAP Process Orchestration. Download the new whitepaper from Layer Seven Security to learn to mitigate and detect Log4Shell in SAP applications. The whitepaper includes a detailed breakdown of the vulnerability, guidance for patching and securing SAP solutions, and recommendations for detecting Log4shell signatures and indicators of compromise.
