CVE-2022-22536: 
SAP NetWeaver Application Server ABAP vulnerability analysis and mitigation

CVE-2022-22536 is a critical vulnerability discovered in SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher. The vulnerability was disclosed on February 8, 2022, and involves request smuggling and request concatenation in the Internet Communication Manager (ICM) component (CISA Alert, NVD).

The vulnerability is a memory pipes (MPI) desynchronization vulnerability, also known as ICMAD (Internet Communication Manager Advanced Desync). It received the highest possible CVSS v3.1 score of 10.0 (Critical) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H. The vulnerable ICM component is present in most SAP products and is a critical part of the overall SAP technology stack, being exposed by default in most deployments (Tenable Blog).

A successful exploitation of this vulnerability could result in complete compromise of system Confidentiality, Integrity, and Availability. Organizations could experience theft of sensitive data, financial fraud, disruption of mission-critical business processes, ransomware, and halt of all operations (CISA Alert).

SAP released security updates to address this vulnerability as part of its February 2022 Security Patch Day. The fixes are documented in SAP Security Notes 3123396 and 3123427. Organizations should review SAP's February 2022 Security Updates page and apply necessary patches (Tenable Blog).

The Cybersecurity and Infrastructure Security Agency (CISA) issued an immediate warning about this vulnerability, emphasizing its critical nature and potential impact on organizations. Security researchers at Onapsis, who discovered the vulnerability, worked in coordination with SAP to disclose the flaw and released a threat report along with an open-source tool to identify vulnerable systems (CISA Alert).