SAP’s Patch Tuesday brought fixes for a trio of flaws in the ubiquitous ICM component in internet-exposed apps. One of them, with a risk score of 10, could allow attackers to hijack identities, steal data and more.
There’s a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager (ICM): the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other.
Also on Tuesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory about the bugs.
Security researchers from Onapsis – the security firm that specializes in security for SAP, Oracle, Salesforce, and other software-as-a-service (SaaS) platforms and that discovered the bugs – joined SAP in coordinating the release of a Threat Report describing the critical vulnerabilities on Tuesday.
As of Tuesday, Onapsis Research Labs had estimated that there were tens of thousands – approximately 40,000 – SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications.
The vulnerabilities are tracked as CVE-2022-22536, CVE-2022-22532 and CVE-2022-22533. The first CVE, addressed in Security Note 3123396, received the tip-top risk score – a 10 out