PT-2022-19725 · Sap · Sap Host Agent+2

Published: 2022-06-14 · Updated: 2022-10-06 · CVE-2022-29612

CVSS v3.1: 4.3 (Medium)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Name of the Vulnerable Software and Affected Versions

SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KRNL64NUC 7.22, 7.22EXT, 7.49
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04
SAP NetWeaver, ABAP Platform and SAP Host Agent - versions SAPHOSTAGENT 7.22

Description

The issue allows an authenticated user to misuse a function of the sapcontrol web functionality, specifically the startservice function in Kernel, enabling malicious users to retrieve otherwise restricted technical information, such as the system number or physical address. This has a limited impact on the confidentiality of the application.

Recommendations

For versions KERNEL 7.22, 7.49, 7.53, 7.77, 7.81, 7.85, 7.86, 7.87, 7.88, 8.04: consider restricting access to the sapcontrol web functionality to minimize the risk of exploitation.
For versions KRNL64NUC 7.22, 7.22EXT, 7.49: restrict the use of the startservice function in Kernel until a fix is available.
For versions KRNL64UC 7.22, 7.22EXT, 7.49, 7.53, 8.04: avoid using the sapcontrol web functionality until the issue is resolved.
For versions SAPHOSTAGENT 7.22: disable the vulnerable function as a temporary workaround until a patch is available.

Fix

SSRF

Weakness Enumeration

Related Identifiers

CVE-2022-29612

Affected Products

Abap Platform
Sap Host Agent
Sap Netweaver