SAP NetWeaver and ABAP Platform command execution | CVE-2022-27668
NAME
SAP NetWeaver and ABAP Platform command execution
- Platforms Affected:
SAP NetWeaver ABAP Platform KRNL64NUC 7.49
SAP NetWeaver ABAP Platform KRNL64UC 7.49
SAP NetWeaver ABAP Platform KERNEL 7.49
SAP NetWeaver ABAP Platform KERNEL 7.77
SAP NetWeaver ABAP Platform KERNEL 7.81
SAP NetWeaver ABAP Platform KERNEL 7.85
SAP NetWeaver ABAP Platform KERNEL 7.86
SAP NetWeaver ABAP Platform KERNEL 7.87
SAP NetWeaver ABAP Platform KERNEL 7.88
SAP NetWeaver ABAP Platform SAP_ROUTER 7.22
SAP NetWeaver ABAP Platform SAP_ROUTER 7.53
- Risk Level:
8.6
- Exploitability:
Unproven
- Consequences:
Gain Access
DESCRIPTION
SAP NetWeaver and ABAP Platform could allow a remote attacker to execute arbitrary commands on the system. The flaw is caused by improper access control arising from the configuration of the route permission table in the saprouttab file. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary SAProuter administration commands on the system.
CVSS 3.0 Information
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Access Vector: Network
- Access Complexity: Low
- Confidentiality Impact: Low
- Integrity Impact: Low
- Availability Impact: High
- Remediation Level: Official Fix
MITIGATION
Current SAP customers should refer to SAP note 3158375 for patch information, available from the SAP Web site (login required). See References.
- Reference Link:
https://www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html
- Reference Link:
https://launchpad.support.sap.com/