CVE-2022-22536 Overview
CVE-2022-22536 is a critical HTTP Request Smuggling vulnerability affecting SAP NetWeaver Application Server ABAP, SAP NetWeaver Application Server Java, ABAP Platform, SAP Content Server 7.53, and SAP Web Dispatcher. It allows an unauthenticated attacker to prepend arbitrary data to a victim's HTTP request, so that functions are executed under the victim's identity or intermediary web caches are poisoned. The flaw stems from inconsistent handling of HTTP requests (CWE-444: Inconsistent Interpretation of HTTP Requests) and can lead to complete compromise of system confidentiality, integrity, and availability.
Critical Impact
This vulnerability has been added to the CISA Known Exploited Vulnerabilities (KEV) catalog, indicating active exploitation in the wild. With a maximum CVSS score of 10.0 and an EPSS probability of 93.833%, this represents one of the most severe SAP vulnerabilities disclosed, requiring immediate remediation.
Affected Products
- SAP NetWeaver Application Server ABAP (versions 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 8.04, and various kernel versions)
- SAP Web Dispatcher (versions 7.22ext, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87)
- SAP Content Server 7.53
Discovery Timeline
- February 9, 2022 - CVE-2022-22536 published to NVD
- November 3, 2025 - Last updated in NVD database
Technical Details for CVE-2022-22536
Vulnerability Analysis
This HTTP Request Smuggling vulnerability exploits inconsistencies in how front-end and back-end servers parse HTTP requests. The SAP Web Dispatcher, which acts as a reverse proxy, and the application servers behind it interpret HTTP request boundaries differently. This discrepancy allows attackers to "smuggle" malicious requests through the Web Dispatcher to the back-end servers.
The vulnerability is particularly dangerous because it requires no authentication and can be exploited remotely over the network. When successfully exploited, an attacker can hijack user sessions, bypass security controls, access sensitive data, and potentially execute arbitrary commands on the affected systems. The CVSS vector marks the scope as changed (S:C), meaning a successful exploit can affect resources beyond the security scope of the vulnerable component.
Root Cause
The root cause is classified as CWE-444: Inconsistent Interpretation of HTTP Requests, commonly known as "HTTP Request Smuggling." The vulnerability occurs because the SAP Web Dispatcher and back-end application servers handle certain HTTP headers (such as Content-Length and Transfer-Encoding) differently. This allows attackers to craft specially formatted requests that are interpreted one way by the Web Dispatcher and another way by the back-end servers, enabling request concatenation attacks.
Attack Vector
The attack is network-based and requires no user interaction or privileges. An attacker sends a specially crafted HTTP request to the SAP Web Dispatcher that contains embedded data designed to be prepended to subsequent legitimate user requests. The Web Dispatcher processes the visible portion of the request while the hidden, smuggled portion is forwarded to and interpreted differently by the back-end server.
This enables several attack scenarios:
- Session Hijacking: The attacker's smuggled request can capture or manipulate victim session tokens
- Cache Poisoning: Malicious content can be injected into web caches, affecting multiple users
- Credential Theft: Sensitive authentication data can be intercepted
- Privilege Escalation: Actions can be performed with the victim's privileges
Detection Methods for CVE-2022-22536
Indicators of Compromise
- Unusual HTTP request patterns in SAP Web Dispatcher access logs, particularly requests with conflicting Content-Length and Transfer-Encoding headers
- Unexpected session behavior or unauthorized transactions appearing in SAP audit logs
- Evidence of cache poisoning with malicious content being served to legitimate users
- Anomalous back-end server responses that do not correlate with front-end requests
Detection Strategies
- Deploy web application firewall (WAF) rules to detect and block HTTP request smuggling attempts with conflicting length headers
- Monitor SAP Web Dispatcher logs for requests containing both Content-Length and Transfer-Encoding headers or malformed chunked encoding
- Implement network intrusion detection signatures for known HTTP smuggling patterns targeting SAP systems
- Enable enhanced SAP security audit logging and review for suspicious cross-user activity patterns
Monitoring Recommendations
- Configure real-time alerting for any HTTP requests with ambiguous length specifications hitting SAP Web Dispatcher
- Establish baseline network traffic patterns and alert on deviations in request structure or volume to SAP systems
- Monitor SAP ICM (Internet Communication Manager) logs for request processing anomalies
- Implement behavioral analytics to detect session hijacking or impersonation attempts
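As an added example that is not part of this page or of any SAP tooling, the following Python checker applies the detection strategies above to one raw HTTP/1.1 request: it flags Content-Length sent together with Transfer-Encoding, duplicate Content-Length headers that disagree, a Transfer-Encoding whose final coding is not chunked, and chunked bodies that do not parse. The sample requests at the bottom are constructed for the self-check, and the same conditions are what a WAF rule rejecting ambiguous length specifications would test.

```python
import re

CRLF = b"\r\n"

def chunked_body_is_valid(body: bytes) -> bool:
    """Walk chunk-size lines; reject non-hex sizes, truncation or a missing 0 chunk."""
    pos = 0
    while True:
        end = body.find(CRLF, pos)
        if end < 0:
            return False                      # truncated before a size line
        token = body[pos:end].split(b";")[0].strip()  # drop chunk extensions
        if not re.fullmatch(rb"[0-9A-Fa-f]+", token):
            return False                      # size is not plain hex
        size, pos = int(token, 16), end + 2
        if size == 0:
            return body[pos:pos + 2] == CRLF  # last chunk must end with CRLF
        if body[pos + size:pos + size + 2] != CRLF:
            return False                      # chunk data not CRLF-terminated
        pos += size + 2

def smuggling_indicators(raw: bytes) -> list:
    """Return ambiguity indicators for one raw HTTP/1.1 request ([] = clean)."""
    head, _, body = raw.partition(CRLF + CRLF)
    cl, te = [], []
    for line in head.split(CRLF)[1:]:         # skip the request line
        name, _, value = line.partition(b":")
        name = name.strip().lower()
        if name == b"content-length":
            cl.append(value.strip())
        elif name == b"transfer-encoding":
            te.append(value.strip().lower())
    found = []
    if cl and te:
        found.append("CL-and-TE")             # front and back end may honour different ones
    if len(set(cl)) > 1:
        found.append("conflicting-CL")
    if te and te[-1].split(b",")[-1].strip() != b"chunked":
        found.append("non-standard-TE")       # chunked must be the final coding
    if te and not chunked_body_is_valid(body):
        found.append("malformed-chunked")
    return found

# Constructed sample requests (not captured traffic) for a quick self-check.
CLEAN = b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 5\r\n\r\nhello"
CL_TE = (b"POST / HTTP/1.1\r\nHost: h\r\nContent-Length: 4\r\n"
         b"Transfer-Encoding: chunked\r\n\r\n0\r\n\r\n")
BAD_CHUNK = (b"POST / HTTP/1.1\r\nHost: h\r\n"
             b"Transfer-Encoding: chunked\r\n\r\nZZ\r\nhello\r\n0\r\n\r\n")
```

Run the checker on each request read from the Web Dispatcher side of a capture; a non-empty list is the alert condition described above.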
How to Mitigate CVE-2022-22536
Immediate Actions Required
- Apply the security patches referenced in SAP Note #3123396 immediately across all affected systems
- Review the SAP Security Document for comprehensive remediation guidance
- Before patching, conduct a security assessment to determine whether systems have already been compromised
- Isolate vulnerable SAP systems from untrusted networks until patches can be applied
Patch Information
SAP has released security patches to address this vulnerability. Administrators should apply the patches documented in SAP Note #3123396. Given the critical severity and active exploitation status confirmed by CISA's inclusion in the Known Exploited Vulnerabilities Catalog, patching should be treated as an emergency priority.
The patches address the HTTP request parsing inconsistencies between the SAP Web Dispatcher and back-end application servers, ensuring uniform interpretation of request boundaries.
Workarounds
- Implement strict WAF rules to normalize and validate all HTTP requests before they reach SAP systems, rejecting requests with ambiguous length specifications
- Configure the SAP Web Dispatcher to enforce strict HTTP protocol compliance and reject malformed requests
- Place additional reverse proxy layers with robust HTTP parsing in front of SAP Web Dispatcher as an interim measure
- Restrict network access to SAP systems to only trusted IP ranges and implement network segmentation
# Example: SAP Web Dispatcher profile parameters to enforce strict HTTP request parsing
# Add to instance profile or DEFAULT.PFL
# Note: Consult SAP documentation for your specific version
icm/HTTP/strict_request_line = TRUE
icm/HTTP/check_malformed_request = TRUE
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.