
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-22532 is a critical vulnerability affecting SAP NetWeaver Application Server Java across multiple kernel versions (KRNL64NUC 7.22, 7.22EXT, 7.49; KRNL64UC 7.22, 7.22EXT, 7.49, 7.53; KERNEL 7.22, 7.49, 7.53). The vulnerability allows an unauthenticated attacker to submit a crafted HTTP server request that triggers improper shared memory buffer handling (NVD, CVE).
The vulnerability is classified as an HTTP request smuggling issue (CWE-444) with a CVSS v3.1 base score of 9.8 (CRITICAL). It can be exploited without authentication, and it is exploitable on systems that have no HTTP proxy in front of the application server. The vulnerability is part of a broader set of flaws known collectively as ICMAD, affecting the Internet Communication Manager (ICM) component used by many SAP applications (SecurityWeek).
Successful exploitation of this vulnerability could allow attackers to execute malicious payloads, impersonate victims, and steal logon sessions. The impact extends to potential theft of user credentials and personal information, exfiltration of sensitive data, fraudulent financial transactions, and system disruption (SecurityWeek).
Organizations are strongly advised to apply the security patches released by SAP as part of their February 2022 Security Patch Day. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has urged organizations to implement these patches immediately. Onapsis has provided an open-source tool to identify vulnerable systems that require patching (CISA).
Source: This report was generated using AI