CVE-2022-22543
📋 TL;DR
CVE-2022-22543 is a denial-of-service vulnerability in SAP NetWeaver ABAP Kernel where insufficient validation of SAP-Passport information allows unauthenticated remote attackers to crash the SAP Web Dispatcher or Kernel work processes. This affects organizations running vulnerable versions of SAP NetWeaver Application Server for ABAP and ABAP Platform. The crashed processes can be restarted automatically, but repeated attacks could cause service disruption.
💻 Affected Systems
- SAP NetWeaver Application Server for ABAP (Kernel)
- SAP ABAP Platform (Kernel)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Sustained attacks could cause repeated crashes of critical SAP components, leading to extended service unavailability and business process disruption.
Likely Case
Intermittent service disruptions affecting SAP applications, requiring process restarts and potentially impacting user productivity.
If Mitigated
Minimal impact with proper network segmentation and monitoring; crashed processes restart automatically without data loss.
🎯 Exploit Status
No public exploit code available, but the vulnerability is straightforward to exploit by sending malformed SAP-Passport data to vulnerable endpoints.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apply SAP Security Note 3116223
Vendor Advisory: https://launchpad.support.sap.com/#/notes/3116223
Restart Required: Yes
Instructions:
1. Download SAP Note 3116223 from the SAP Support Portal.
2. Apply the kernel patch according to SAP's standard patching procedures.
3. Restart the affected SAP instances to activate the fix.
🔧 Temporary Workarounds
Restrict SAP-Passport Traffic
Configure network firewalls to block or restrict SAP-Passport traffic from untrusted sources to vulnerable SAP systems.
Disable SAP-Passport if Not Required
If SAP-Passport functionality is not needed in your landscape, disable it in the SAP system configuration.
Transaction RZ11: Set parameter sap-pas/active = 0
🧯 If You Can't Patch
- Implement strict network segmentation to isolate SAP systems from untrusted networks
- Deploy web application firewall (WAF) rules to filter SAP-Passport related traffic
🔍 How to Verify
Check if Vulnerable:
Check the kernel version using Transaction SM51 or the OS command 'disp+work' and compare it against the affected versions list.
Check Version:
On OS level: 'disp+work -version' or in SAP GUI: Transaction SM51 -> Release Notes
Verify Fix Applied:
Verify that SAP Note 3116223 is applied using Transaction SNOTE, or check the kernel patch level.
📡 Detection & Monitoring
Log Indicators:
- Kernel work process dumps in dev_w* traces
- SAP Web Dispatcher crash logs
- Abnormal process termination in system logs
Network Indicators:
- Unusual SAP-Passport traffic patterns
- Repeated connection attempts to SAP-Passport endpoints
SIEM Query:
source="sap_logs" AND ("work process terminated" OR "kernel dump" OR "shortdump")
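The SIEM query above only finds individual crash messages; the risk described in this advisory comes from repeated crashes, so a practical detector should also count terminations per host over a time window. The script below is an added example and is not part of this advisory, of SAP's documentation, or of any SIEM product. It applies the three indicator strings from the query to constructed trace-style lines (the line layout is invented for the example and is not the real dev_w* format) and flags hosts whose work processes terminate repeatedly within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicator strings taken from the advisory's SIEM query (matched case-insensitively).
INDICATORS = ("work process terminated", "kernel dump", "shortdump")

# Constructed sample lines: "<timestamp> <host> <trace file> <message>".
# This layout is illustrative only; real SAP dev_w* traces look different.
SAMPLE_LINES = [
    "2022-01-11 09:00:01 sapapp01 dev_w0 *** ERROR => work process terminated (signal 11)",
    "2022-01-11 09:00:03 sapapp01 dev_w1 *** ERROR => work process terminated (signal 11)",
    "2022-01-11 09:00:05 sapapp01 dev_w2 *** ERROR => shortdump written",
    "2022-01-11 09:00:07 sapapp01 dev_disp *** WARNING => restarting work process W0",
    "2022-01-11 09:30:00 sapapp02 dev_w0 *** ERROR => kernel dump created",
    "2022-01-11 09:00:09 sapapp01 dev_w0 user login successful",
    "this line has no timestamp and is skipped by the parser",
]

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<source>\S+) (?P<msg>.*)$"
)


def parse_line(line):
    """Split one trace-style line into its fields; return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"),
        "host": m.group("host"),
        "source": m.group("source"),
        "msg": m.group("msg"),
    }


def find_indicators(lines):
    """Return one event per line whose message contains any crash indicator."""
    events = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        lowered = rec["msg"].lower()
        for indicator in INDICATORS:
            if indicator in lowered:
                events.append({**rec, "indicator": indicator})
                break  # one event per line even if several indicators match
    return events


def burst_counts(events, window=timedelta(minutes=5)):
    """Per host, the largest number of indicator events inside any sliding window."""
    by_host = defaultdict(list)
    for ev in events:
        by_host[ev["host"]].append(ev["ts"])
    result = {}
    for host, stamps in by_host.items():
        stamps.sort()
        best, start = 0, 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        result[host] = best
    return result


def hosts_to_alert(events, window=timedelta(minutes=5), threshold=3):
    """Hosts with at least `threshold` crash indicators within one window (constructed thresholds)."""
    return sorted(h for h, n in burst_counts(events, window).items() if n >= threshold)


if __name__ == "__main__":
    evs = find_indicators(SAMPLE_LINES)
    for ev in evs:
        print(ev["ts"], ev["host"], ev["source"], "->", ev["indicator"])
    print("bursts:", burst_counts(evs))
    print("alert on:", hosts_to_alert(evs))
```

A single termination is routine on a busy ABAP system (the work process is restarted by the dispatcher), so the window and threshold here are deliberately tunable; the values used are constructed for the sample and should be set from the baseline rate of dumps observed on the system being monitored.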