Find those exploitable SAP CISA Binding Operational Directive (BOD) 22-01 vulnerabilities!

On November 3, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) of the United States government issued Binding Operational Directive (BOD) 22-01. The directive establishes a CISA-managed catalog of known exploited vulnerabilities and requires federal civilian agencies to identify and remediate these vulnerabilities on their information systems.
Although BOD 22-01 requires action from federal civilian agencies only, CISA strongly recommends that private businesses and state, local, tribal, and territorial (SLTT) governments review and monitor the catalog and remediate the listed vulnerabilities to strengthen their security and resilience posture. Building collective resilience requires action across all stakeholders.
The list currently contains the following SAP-related vulnerabilities that have been actively exploited in the wild:

| CVE | Description | SAP Note | Protect4S Check |
| --- | --- | --- | --- |
| CVE-2010-5326 | SAP NetWeaver AS JAVA RCE (Invoker Servlet) | 1445998 | SN-JS-0006-01 |
| CVE-2016-3976 | SAP NetWeaver AS Java Directory Traversal Vulnerability | 2234971 | SN-JS-0115-01 |
| CVE-2016-9563 | SAP NetWeaver AS JAVA XXE Vulnerability | 2296909 | SN-JS-0178-01 |
| CVE-2018-2380 | SAP NetWeaver AS JAVA CRM RCE | 2547431 | SN-JS-0248-01 |
| CVE-2020-6207 | SAP Solution Manager (User Experience Monitoring) | 2890213 | SN-JS-0312-01 |
| CVE-2020-6287 | SAP NetWeaver AS JAVA (LM Configuration Wizard) | 2934135 | SN-JS-0324-01 |
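CISA asks organizations to review and monitor the catalog, and the table above is a point-in-time snapshot of its SAP entries. The following Python script is an added example, not Protect4S or CISA code: it parses a catalog in the JSON layout CISA publishes (a top-level `vulnerabilities` list whose entries carry `cveID`, `vendorProject`, `product`, `dateAdded` and `dueDate`; these field names and the `SAMPLE_CATALOG_JSON` contents are assumptions and constructed sample data, not a download of the live feed), pulls out the SAP entries, flags any that are not yet in the reviewed table, and lists entries whose remediation due date has passed.

```python
"""Filter a CISA KEV-style catalog for SAP entries and check them against a reviewed list.

Added example, not part of the Protect4S post. The JSON field names below are an
assumption about the layout of CISA's known_exploited_vulnerabilities.json feed;
the sample catalog embedded here is constructed, and its dates are illustrative.
"""
import json
from datetime import date

# CVEs from the post's table, mapped to the SAP Note that remediates each one.
SAP_CVES_FROM_POST = {
    "CVE-2010-5326": "1445998",
    "CVE-2016-3976": "2234971",
    "CVE-2016-9563": "2296909",
    "CVE-2018-2380": "2547431",
    "CVE-2020-6207": "2890213",
    "CVE-2020-6287": "2934135",
}

# Constructed sample in the assumed KEV feed layout. "CVE-0000-0001" and
# "CVE-0000-0002" are placeholder identifiers, not real CVEs.
SAMPLE_CATALOG_JSON = json.dumps({
    "title": "Sample catalog (constructed)",
    "vulnerabilities": [
        {"cveID": "CVE-2010-5326", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-2020-6287", "vendorProject": "SAP", "product": "NetWeaver",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
        {"cveID": "CVE-0000-0002", "vendorProject": "SAP", "product": "Placeholder",
         "dateAdded": "2099-01-01", "dueDate": "2099-01-15"},
        {"cveID": "CVE-0000-0001", "vendorProject": "ExampleVendor", "product": "Placeholder",
         "dateAdded": "2021-11-03", "dueDate": "2022-05-03"},
    ],
})


def load_catalog(text):
    """Parse catalog JSON and return its list of vulnerability entries."""
    data = json.loads(text)
    return data.get("vulnerabilities", [])


def sap_entries(vulns):
    """Keep only entries whose vendor is SAP (case-insensitive match)."""
    return [v for v in vulns if v.get("vendorProject", "").strip().lower() == "sap"]


def unreviewed(entries, reviewed):
    """CVE IDs present in the catalog but absent from the reviewed mapping, sorted."""
    return sorted(v["cveID"] for v in entries if v["cveID"] not in reviewed)


def overdue(entries, today):
    """CVE IDs whose dueDate (ISO yyyy-mm-dd) lies strictly before `today`, sorted."""
    return sorted(v["cveID"] for v in entries
                  if date.fromisoformat(v["dueDate"]) < today)


def report(text, today, reviewed=SAP_CVES_FROM_POST):
    """Summarize SAP entries: count, new-to-us CVEs, and those past their due date."""
    sap = sap_entries(load_catalog(text))
    return {
        "sap_count": len(sap),
        "unreviewed": unreviewed(sap, reviewed),
        "overdue": overdue(sap, today),
    }


if __name__ == "__main__":
    # Run against the constructed sample as of an illustrative date.
    for key, value in report(SAMPLE_CATALOG_JSON, date(2022, 6, 1)).items():
        print(f"{key}: {value}")
```

To use it against the real feed, replace `SAMPLE_CATALOG_JSON` with the downloaded catalog text and `SAP_CVES_FROM_POST` with the CVEs your own review has already covered; a non-empty `unreviewed` list is the signal that the catalog has grown since the last check.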
Protect4S supports this initiative and has created a new security template that will be updated in line with the CISA catalog, making it possible for SAP customers to quickly determine whether they comply with this directive.
This new template will be distributed with Protect4S 6 Support Package 2, coming in December.
For more SAP security-related news, articles, and whitepapers, please follow us on LinkedIn!
Try out Protect4S for 1 month for free or request a demo!