New critical vulnerabilities in SAP Internet Communication Manager require immediate attention

Discussion Topics

The Onapsis Research Labs identified three critical vulnerabilities in a memory handling mechanism of the SAP Internet Communication Manager (ICM) which, if exploited by an attacker, can lead to full system takeover. Leveraging the most critical of the three (CVSSv3 score 10.0) is simple: it requires no prior authentication, no preconditions need to be met, and the payload can be sent over HTTP(S), the most widely used network service for accessing SAP applications. Any unpatched SAP NetWeaver application (Java or ABAP) reachable over HTTP(S) is therefore vulnerable, as is any application sitting behind an unpatched SAP Web Dispatcher, such as S/4HANA. This document provides an overview of these critical vulnerabilities and explains how to ensure your organization is protected.