SAP Security Notes, April 2022
The central note 3170990 consolidates the security notes for the critical Spring4Shell vulnerability, tracked as CVE-2022-22965: a remote code execution flaw in the open-source Java Spring Framework. Exploitation of the publicly known attack path requires the application to run on JDK 9 or later and to be deployed as a WAR file on Apache Tomcat. Notes 3189428, 3187290, 3189429, 3189635 and 3171258 patch Spring4Shell in multiple SAP solutions including SAP HANA Extended Application Services, PowerDesigner Web and SAP Commerce.
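The public Spring4Shell exploit abuses Spring's request data binding to reach the class loader through parameter names such as class.module.classLoader...; the upstream fix disallows binding of the field patterns class.*, Class.*, *.class.* and *.Class.*. The following detector, an added example that is not part of this note summary or of any SAP or Spring code, applies the same patterns to the query strings in constructed Tomcat-style access log lines to flag exploitation attempts against an unpatched system. The log format and sample lines are assumptions for the example.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Parameter-name patterns mirroring the fields disallowed by the Spring fix:
# class.*, Class.*, *.class.* and *.Class.* (e.g. class.module.classLoader...)
_SUSPECT = re.compile(r'(^|\.)(class|Class)(\.|$)')

# Request line of a common/combined access log entry (assumed log format).
_LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)


def suspicious_params(target: str) -> list[str]:
    """Return the parameter names in a request target that bind into 'class'."""
    query = urlsplit(target).query
    # parse_qsl percent-decodes names, so encoded variants are caught too.
    return [
        name for name, _ in parse_qsl(query, keep_blank_values=True)
        if _SUSPECT.search(name)
    ]


def scan_log(lines):
    """Yield (method, target, flagged parameter names) for each hit."""
    hits = []
    for line in lines:
        m = _LOG_RE.search(line)
        if not m:
            continue
        params = suspicious_params(m.group("target"))
        if params:
            hits.append((m.group("method"), m.group("target"), params))
    return hits


# Constructed sample log lines: one benign request, two probes that target
# the Tomcat AccessLogValve through the class loader, one false-positive bait.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Apr/2022:10:00:01 +0000] "GET /app/greet?name=alice HTTP/1.1" 200 512',
    '10.0.0.9 - - [01/Apr/2022:10:00:02 +0000] "POST /app/greet?class.module.classLoader.resources.context.parent.pipeline.first.pattern=%25%7Bc2%7Di HTTP/1.1" 200 0',
    '10.0.0.9 - - [01/Apr/2022:10:00:03 +0000] "GET /app/greet?Class.module.classLoader.resources.context.parent.pipeline.first.suffix=.jsp HTTP/1.1" 200 0',
    '10.0.0.2 - - [01/Apr/2022:10:00:04 +0000] "GET /app/search?q=classification HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for method, target, params in scan_log(SAMPLE_LOG):
        print(f"{method} {target}\n    flagged: {', '.join(params)}")
```

Access logs only record the query string, so parameters sent in a POST body are invisible here; run the same name check on request bodies at a reverse proxy or WAF to cover that path. On the application side, the equivalent hardening for a Spring MVC application that cannot be upgraded yet is to register the disallowed field patterns above on the WebDataBinder from a @ControllerAdvice, which is the workaround the Spring maintainers published alongside the fix.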
Hot News notes 3022622 and 3158613 fix a code injection vulnerability in SAP Manufacturing Integration and Intelligence (MII). An attacker who can save a Java Server Page (JSP) through the Self Service Composition Environment (SSCE) can execute OS commands on the server and escalate privileges. The notes block the saving of JSPs through the SSCE.
Note 3111311 provides a solution for a high priority denial of service vulnerability in SAP Web Dispatcher and the Internet Communication Manager (ICM). The vulnerability is caused by a program error in the handling of the profile parameter icm/HTTP/file_access, which maps a URL prefix to the directory from which static files are served for that prefix.
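For orientation, the parameter is set per URL prefix as a numbered profile entry. The fragment below is an illustrative example added here, not content of the note; the prefix, directory and option values are assumptions chosen to show the shape of the setting.

```text
# Assumed instance profile fragment (illustrative values, not from the note)
# PREFIX   = URL prefix under which static files are served
# DOCROOT  = directory the prefix is mapped to
# BROWSEDIR = whether directory listings are generated (0 disables them)
icm/HTTP/file_access_0 = PREFIX=/sap/public/icman/, DOCROOT=$(DIR_DATA)$(DIR_SEP)icmandir, BROWSEDIR=0
icm/HTTP/file_access_1 = PREFIX=/static/, DOCROOT=/usr/sap/static, BROWSEDIR=0
```

When assessing exposure, list every icm/HTTP/file_access_<n> entry in the active profiles (transaction RZ11 shows the effective value on an application server), confirm each mapped directory contains only files intended to be public, and apply the patch from the note rather than relying on the configuration alone, since the defect is in the program logic that handles the parameter.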