CVE-2022-28772

7.5 HIGH

📋 TL;DR

CVE-2022-28772 is a stack-based buffer overflow vulnerability in SAP Web Dispatcher and Internet Communication Manager. Attackers can send overlong input values to overwrite the program stack, causing denial of service. Organizations running affected SAP versions are vulnerable.

💻 Affected Systems

Products:
  • SAP Web Dispatcher
  • SAP Internet Communication Manager
Versions:
  • SAP Web Dispatcher: 7.53, 7.77, 7.81, 7.85, 7.86
  • SAP ICM, KRNL64NUC: 7.22, 7.22EXT, 7.49
  • SAP ICM, KRNL64UC: 7.22, 7.22EXT, 7.49, 7.53
  • SAP ICM, KERNEL: 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86
Operating Systems: All platforms running affected SAP versions
Default Config Vulnerable: ⚠️ Yes
Notes: Affects both Web Dispatcher and ICM components across multiple SAP kernel versions. Systems with these components exposed to untrusted input are vulnerable.

📦 What is this software?

⚠️ Risk & Real-World Impact

🔴 Worst Case

Complete service disruption of SAP Web Dispatcher or ICM, potentially affecting every SAP application behind these components, and possible remote code execution if the stack corruption can be turned into arbitrary code execution.

🟠 Likely Case

Denial of service causing SAP Web Dispatcher or ICM to crash, making SAP applications unavailable until services are restarted.

🟢 If Mitigated

Limited impact when network segmentation and input validation controls are in place, since exploitation attempts may never reach the vulnerable components.

🌐 Internet-Facing: HIGH
🏢 Internal Only: MEDIUM

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending specially crafted overlong input values to vulnerable components. No authentication is required if the vulnerable service is network-accessible.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Apply SAP Security Note 3111311 patches

Vendor Advisory: https://launchpad.support.sap.com/#/notes/3111311

Restart Required: Yes

Instructions:

1. Download the SAP Security Note 3111311 patches from the SAP Support Portal.
2. Apply the patches to the affected SAP Web Dispatcher and ICM installations.
3. Restart the SAP Web Dispatcher and ICM services.
4. Verify that the patch was applied by checking the version information.

🔧 Temporary Workarounds

Network Segmentation (applies to: all)

Restrict network access to SAP Web Dispatcher and ICM components to trusted sources only.

Input Validation (applies to: all)

Implement additional input validation and length checking at network perimeter devices.

🧯 If You Can't Patch

  • Implement strict network access controls to limit exposure of SAP Web Dispatcher and ICM to only necessary trusted sources
  • Deploy web application firewalls or intrusion prevention systems with rules to detect and block overlong input attempts

🔍 How to Verify

Check if Vulnerable:

Check SAP kernel and Web Dispatcher versions against affected version lists. Use SAP transaction SM51 to view system information.

Check Version:

On the SAP system: run the 'disp+work' command, or check via SAP GUI transaction SM51.

Verify Fix Applied:

Verify SAP Security Note 3111311 is applied by checking SAP Note application status or confirming kernel version is updated beyond affected versions.

📡 Detection & Monitoring

Log Indicators:

  • SAP Web Dispatcher or ICM crash logs
  • Abnormal termination messages in SAP system logs
  • Error messages related to buffer overflow or stack corruption

Network Indicators:

  • Unusually large HTTP/SOAP requests to SAP Web Dispatcher
  • Multiple connection attempts with overlong parameter values
  • Sudden service unavailability patterns

SIEM Query:

source="sap_logs" AND ("Web Dispatcher crash" OR "ICM terminated" OR "buffer overflow")
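The following is an added example, not part of the original advisory: a small Python script that applies the SIEM query's logic (source must be sap_logs and the message must contain one of the three phrases) to constructed log records, and flags oversized requests in a constructed access-log sample. The "method path bytes" access-log layout and the 16384-byte threshold are assumptions for illustration, not SAP defaults.

```python
import re

# Constructed sample records (not real SAP logs): each is (source, message).
SAMPLE_LOGS = [
    ("sap_logs", "ICM terminated unexpectedly, restarting"),
    ("sap_logs", "Web Dispatcher crash detected in icman"),
    ("sap_logs", "HTTP request processed"),
    ("os_logs", "buffer overflow detected in unrelated service"),  # wrong source
]

# The three phrases from the SIEM query above; matched case-insensitively.
CRASH_PHRASES = ("Web Dispatcher crash", "ICM terminated", "buffer overflow")


def matches_siem_query(source, message):
    """Mirror of: source="sap_logs" AND (phrase1 OR phrase2 OR phrase3)."""
    if source != "sap_logs":
        return False
    lower = message.lower()
    return any(p.lower() in lower for p in CRASH_PHRASES)


def crash_indicators(records):
    """Return the messages that satisfy the SIEM query."""
    return [m for s, m in records if matches_siem_query(s, m)]


# Constructed access-log lines in an assumed "method path bytes" layout.
SAMPLE_ACCESS = [
    "GET /sap/bc/ping 312",
    "POST /sap/bc/soap/rfc 20480",
    "GET /sap/public/info 540",
    "POST /sap/bc/soap/rfc 98304",
]

ACCESS_RE = re.compile(r"^(?P<method>\S+) (?P<path>\S+) (?P<bytes>\d+)$")


def large_requests(lines, threshold=16384):
    """Return (path, bytes) for requests above an assumed size threshold."""
    out = []
    for line in lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed layout
        size = int(m.group("bytes"))
        if size > threshold:
            out.append((m.group("path"), size))
    return out


if __name__ == "__main__":
    for msg in crash_indicators(SAMPLE_LOGS):
        print("crash indicator:", msg)
    for path, size in large_requests(SAMPLE_ACCESS):
        print("oversized request:", path, size)
```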
