Risk | Critical |
Patch available | YES |
Number of vulnerabilities | 1 |
CVE-ID | CVE-2022-22536 |
CWE-ID | CWE-444 |
Exploitation vector | Network |
Public exploit | Vulnerability #1 is being exploited in the wild. |
Vulnerable software | SAP NetWeaver AS ABAP (Server applications / Application servers); SAP NetWeaver AS JAVA (Server applications / Application servers); SAP Content Server (Web applications / CMS); SAP Web Dispatcher WEBDISP (Server applications / Other server solutions) |
Vendor | SAP |
Security Bulletin
This security bulletin contains one critical risk vulnerability.
EUVDB-ID: #VU78958
Risk: Critical
CVSSv4.0: 9.3 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:A/U:Red]
CVE-ID: CVE-2022-22536
CWE-ID:
CWE-444 - Inconsistent Interpretation of HTTP Requests ('HTTP Request Smuggling')
Exploit availability: Yes
Description
The vulnerability allows a remote attacker to perform HTTP request smuggling attacks.
The vulnerability exists due to improper validation of HTTP requests. A remote attacker can prepend arbitrary data to a victim's request and execute functions while impersonating the victim, or poison intermediary Web caches.
Successful exploitation of the vulnerability can result in full system compromise.
Install updates from the vendor's website.
Vulnerable software versions
SAP NetWeaver AS ABAP: 753
SAP NetWeaver AS JAVA: 7.53
SAP Content Server: 7.53
SAP Web Dispatcher WEBDISP: 7.53
CPE2.3
https://launchpad.support.sap.com/#/notes/3123396
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
Yes. This vulnerability is being exploited in the wild.