SAP and Arvato Systems collaboration
SAP and Arvato Systems plan to invest in a sovereign cloud platform for the German administration. The new cloud offering must meet specific national requirements as part of the German cloud strategy, the two companies say. Under the new proposal, there will be no dependence on networks outside of Germany – both data processing and data storage, as well as the operation of all services, take place in the Federal Republic. There is also a complete separation from Microsoft’s global data centers and the existing public cloud infrastructure in Germany.
The technical offering is based on the proven Microsoft Azure cloud platform and can provide both Microsoft services and SAP enterprise solutions and applications.
SAP releases February 2022 security updates
On February 8th, SAP released 19 security updates, including 14 new fixes. Three of the vulnerabilities related to log4j and had a CVSS of 10 – note# 3142773, note #3130920, note #3139893.
CVE-2022-22536 is a memory pipes (MPI) desynchronization vulnerability that received the highest CVSS score of 10.0. The flaw gives the attacker the opportunity to impersonate the victim. The exploitation of CVE-2022-22536 uses an un-auth HTTP request smuggling bug that can be used to steal SAP session data and credentials.
Another important vulnerability with 9,1 score CVSS is CVE-2022-22544 – Missing segregation of duties in SAP Solution Manager Diagnostics Root Cause Analysis Tools. A threat actor could use the flaw to control managed systems, and execute commands leading to sensitive information disclosure, loss of system integrity and denial-of-service.
CVE-2022-22532 is a HTTP request smuggling vulnerability according to SAP in the ICM component. However, Onapsis lists it as a use after free vulnerability. This vulnerability only exists in SAP NetWeaver Java systems. It received a CVSSv3 score of 8.1 and does not require authentication or user interaction to exploit.