It is rare to see vulnerabilities with the maximum CVSS score of 10 out of 10, but SAP's February security patch bundle fixes four of them, alongside details of a serious vulnerability named ICMAD.
Three of the critical vulnerabilities in SAP's February Security Advisory fix Log4j-related issues. The fourth critical vulnerability (CVE-2022-22536) affects the SAP Internet Communication Manager and also requires immediate attention.
The SAP Internet Communication Manager (ICM) is a core component of SAP NetWeaver business applications and is present in most SAP products.
An unauthenticated attacker can exploit this vulnerability by using request smuggling and request concatenation techniques to prepend a victim's request with arbitrary data. This allows the attacker to execute functions while impersonating the victim, or to poison intermediary web caches.
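As an added illustration, not code from SAP or from the advisory, the following Python check is the kind of test a reverse proxy, WAF rule or log-review script can apply to raw HTTP/1.1 requests: it flags the framing ambiguities and trailing bytes that request smuggling and request concatenation rely on. It is a generic check on those techniques, does not model the ICM's internal behaviour, and the sample requests are constructed.

```python
# Added example: flag HTTP/1.1 requests whose body framing is ambiguous or
# that carry bytes beyond the declared body (the raw material of request
# smuggling and request concatenation). Generic check; not ICM-specific.
import re

def _split(raw: bytes):
    """Split a raw request into [(name, value), ...] header pairs and the body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    hdrs = []
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        hdrs.append((name.strip().lower(), value.strip()))
    return hdrs, body

def framing_findings(raw: bytes) -> list[str]:
    """Return reasons the request's framing is suspicious; empty list = clean."""
    hdrs, body = _split(raw)
    findings = []
    cl_values = {v for n, v in hdrs if n == b"content-length"}
    te_values = [v for n, v in hdrs if n == b"transfer-encoding"]
    if cl_values and te_values:
        findings.append("both Content-Length and Transfer-Encoding present (CL.TE/TE.CL ambiguity)")
    if len(cl_values) > 1:
        findings.append("multiple conflicting Content-Length values")
    for v in te_values:
        if v.lower() != b"chunked":   # assumption: only a plain "chunked" is treated as benign
            findings.append(f"non-standard Transfer-Encoding value {v!r}")
    if cl_values and not te_values:
        try:
            declared = int(next(iter(cl_values)))
        except ValueError:
            findings.append("non-numeric Content-Length")
            return findings
        if len(body) > declared:   # extra bytes = a second, concatenated request?
            findings.append(f"{len(body) - declared} byte(s) trail the declared body")
    if te_values and not cl_values:
        m = re.search(rb"(?:^|\r\n)0\r\n\r\n", body)   # terminating zero-length chunk
        if m and body[m.end():]:
            findings.append("bytes trail the terminating chunk")
    if not cl_values and not te_values and body:
        findings.append("body present without any framing header")
    return findings

# Constructed sample requests (hosts and paths are placeholders).
CLEAN = b"POST /sap/bc/soap/rfc HTTP/1.1\r\nHost: sap.example.invalid\r\nContent-Length: 3\r\n\r\nabc"
CONCAT = b"POST / HTTP/1.1\r\nHost: sap.example.invalid\r\nContent-Length: 3\r\n\r\nabcGET /second HTTP/1.1\r\n"

if __name__ == "__main__":
    for name, req in (("clean", CLEAN), ("concat", CONCAT)):
        print(name, framing_findings(req))
```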