SAP publishes security-relevant patches for its applications in February 2022. Interesting this time: comparatively many gaps are closed that have a high criticality.

Gaps in SAP Webdispatcher and SAP Kernel

SAP describes in note 3123396 the vulnerability CVE-2022-22536, which applies to all NetWeaver and S/4 HANA systems with web access. It does not matter whether the HTTP client accesses via one or more SAP Webdispatcher, another HTTP gateway or via a backup proxy. The attacker exploiting this vulnerability is able to impersonate a web cache and in the worst case compromise the system. Direct HTTP access to the SAP system is not at risk.

Administrators are urged to patch

It is strongly recommended to perform an SAP Kernel Update and to update the SAP Webdisptacher to the latest version.