SAP has released patches for a series of vulnerabilities across its software portfolio, including several critical Log4j vulnerabilities.
Most of the vulnerabilities were discovered by SAP security specialist Onapsis, which found the so-called ICMAD (Internet Communication Manager Advanced Desync) vulnerabilities. These allow attackers to target users, data and business processes and, ultimately, to fully compromise an unpatched SAP application.
Vulnerabilities in the Internet Communication Manager (ICM)
One of the fixes concerns SAP's Internet Communication Manager (ICM), the component of the SAP NetWeaver application server that handles HTTP(S) communication for SAP solutions. Because ICM is by default exposed to the Internet and other untrusted networks, any flaw in it carries major risk. With a single request, an attacker can obtain the session and authentication data of users in plain text; that data can also be manipulated to influence the operations of every affected application.
According to SAP, there is no evidence that customer systems have been compromised, which suggests the vulnerabilities had not been exploited at the time of the advisory. Absence of evidence is not proof, however, so Internet-facing systems should still be checked. SAP worked with Onapsis to develop a tool that scans customer systems for the vulnerabilities, and the vulnerabilities have since been patched.
Very critical Log4j vulnerabilities
SAP has also released patches for several Log4j vulnerabilities. Three of the corresponding security notes carry the maximum CVSS score of 10.0, the most critical rating possible. Each affected SAP product bundles its own copy of the library, so the notes must be applied per product; SAP customers are advised to apply them as soon as possible.
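The following is an added example, not SAP's or Onapsis's tooling, of the check a practitioner would run on a host before and after applying the Log4j notes: it walks a directory tree for bundled log4j-core JARs, reads the version from the manifest (falling back to the file name), and flags anything below the fixed releases. The version thresholds (2.17.1, or 2.12.4 and 2.3.2 on the older Java 7 and Java 6 branches) are assumed from the Apache Log4j security page, the sample JARs are constructed inline, and shaded JARs that embed Log4j under another name are out of scope.

```python
"""Find bundled log4j-core JARs under a directory and report ones older than the
fixed Log4j 2 releases. Added example for this page, not SAP's or Onapsis's
scanning tool. Assumed version thresholds (from the Apache Log4j security
page): 2.17.1, or 2.12.4 on the Java 7 branch and 2.3.2 on the Java 6 branch;
Log4j 1.x is end-of-life and is reported as needing replacement."""
import os
import re
import tempfile
import zipfile
from dataclasses import dataclass
from pathlib import Path
from typing import Optional, Tuple

Version = Tuple[int, int, int]

# Minimum fixed release per maintained 2.x branch (assumption, see docstring).
FIXED_BY_BRANCH = {(2, 12): (2, 12, 4), (2, 3): (2, 3, 2)}
FIXED_DEFAULT: Version = (2, 17, 1)
# Class whose removal was the documented interim mitigation for the JNDI lookups.
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"
JAR_NAME = re.compile(r"log4j-core-.*\.jar$", re.IGNORECASE)


@dataclass
class Finding:
    path: str
    version: Optional[Version]
    jndi_lookup_present: bool
    vulnerable: bool


def parse_version(text: str) -> Optional[Version]:
    """Extract the first x.y.z triple from a manifest line or a file name."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return (int(m.group(1)), int(m.group(2)), int(m.group(3))) if m else None


def jar_version(zf: zipfile.ZipFile, filename: str) -> Optional[Version]:
    """Prefer the manifest's Implementation-Version; fall back to the file name."""
    try:
        manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    except KeyError:
        manifest = ""
    for line in manifest.splitlines():
        if line.startswith("Implementation-Version:"):
            found = parse_version(line)
            if found:
                return found
    return parse_version(filename)


def is_fixed(version: Version) -> bool:
    """True when the version is at or above the fixed release for its branch."""
    if version[0] != 2:
        return False  # 1.x: unsupported, replace rather than patch
    return version >= FIXED_BY_BRANCH.get(version[:2], FIXED_DEFAULT)


def inspect_jar(path: str) -> Finding:
    with zipfile.ZipFile(path) as zf:
        version = jar_version(zf, os.path.basename(path))
        jndi_present = JNDI_CLASS in zf.namelist()
    # An unreadable version is treated as vulnerable: conservative by design.
    vulnerable = version is None or not is_fixed(version)
    return Finding(path, version, jndi_present, vulnerable)


def scan(root: str) -> list:
    """Walk a tree and inspect every JAR named like log4j-core-*.jar.
    Shaded/uber JARs that embed log4j-core are not detected by file name."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if JAR_NAME.search(name):
                findings.append(inspect_jar(os.path.join(dirpath, name)))
    return findings


def make_sample_jar(directory: str, version: str, with_jndi_lookup: bool = True) -> str:
    """Constructed fixture: a minimal JAR with a manifest and an empty
    JndiLookup.class entry. Not a real Log4j build."""
    path = Path(directory) / f"log4j-core-{version}.jar"
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if with_jndi_lookup:
            zf.writestr(JNDI_CLASS, b"")
    return str(path)


def demo() -> dict:
    """Build four constructed JARs and return {name: (vulnerable, jndi_present)}."""
    with tempfile.TemporaryDirectory() as tmp:
        make_sample_jar(tmp, "2.14.1")                          # unpatched
        make_sample_jar(tmp, "2.15.0", with_jndi_lookup=False)  # partial mitigation
        make_sample_jar(tmp, "2.12.4")                          # fixed, Java 7 branch
        make_sample_jar(tmp, "2.17.1")                          # fixed
        return {os.path.basename(f.path): (f.vulnerable, f.jndi_lookup_present)
                for f in scan(tmp)}


if __name__ == "__main__":
    for name, (vuln, jndi) in sorted(demo().items()):
        print(f"{name}: {'VULNERABLE' if vuln else 'fixed'}"
              f"{' (JndiLookup removed)' if not jndi else ''}")
```

Run it as a script to see the report on the constructed fixtures, or call scan(path) against an installation directory. A JAR whose JndiLookup.class has been removed is still flagged by version, because that mitigation addresses only the JNDI lookups and not the later fixes in the 2.17.x line.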