
source link: https://blogs.sap.com/2022/02/11/remediation-of-cve-2022-22536-request-smuggling-and-request-concatenation-in-sap-netweaver-sap-content-server-and-sap-web-dispatcher/
February 11, 2022

Remediation of CVE-2022-22536 Request smuggling and request concatenation in SAP NetWeaver, SAP Content Server and SAP Web Dispatcher


On 8 February 2022, SAP Security Patch Day, a vulnerability in the Internet Communication Manager (ICM) was disclosed.

SAP released the security note 3123396 and later on the FAQ note 3148968. The workarounds are described in note 3137885.

After gathering and evaluating all current available information, I came to the following recommendation for remediating this vulnerability in the various affected scenarios:

For ABAP systems or SAP Content Server behind SAP Web Dispatcher:

1. SAP Web Dispatcher has to be patched and the parameter wdisp/additional_conn_close=TRUE has to be set in the SAP Web Dispatcher.

If a request passes through multiple SAP Web Dispatchers on its way, then the workaround must be implemented in all SAP Web Dispatchers of this chain.

2. The SAP Kernel in all application servers and SAP Content Server has to be patched to the minimum required patch level.

3. After patching the SAP Kernel in all application servers, the parameter wdisp/additional_conn_close in the SAP Web Dispatcher is no longer necessary and must be reverted.

For ABAP systems with integrated SAP Web Dispatcher:

1. The SAP Kernel of all application servers has to be updated. No workaround available!

For JAVA systems behind SAP Web Dispatcher:

1. SAP Web Dispatcher has to be patched and the request modification rules have to be configured in the SAP Web Dispatcher in the file which is defined by parameter icm/HTTP/mod_<x> as described in SAP note 3137885 and the parameter icm/HTTP/support_http2=FALSE has to be set.

If a request passes through multiple SAP Web Dispatchers on its way, then the workaround must be implemented in all SAP Web Dispatchers of this chain.

2. The SAP Kernel in all application servers has to be patched to the minimum required patch level.

3. After patching the SAP Kernel in all application servers, both the request modification rules and the parameter icm/HTTP/support_http2 in the SAP Web Dispatcher are no longer necessary and must be reverted.

For ABAP or JAVA systems or SAP Content Server behind a load balancer / reverse proxy from other vendors:

1. Either the SAP Kernel in all application servers and SAP Content Server is patched to the minimum required patch level (in this case steps 2. and 3. are to be omitted), or

the request modification rules have to be configured in the ABAP/JAVA system and SAP Content Server in the file defined by parameter icm/HTTP/mod_<x>, as described in SAP note 3137885.

2. The SAP Kernel in all application servers and SAP Content Server has to be patched to the minimum required patch level.

3. After patching the SAP Kernel in all application servers and SAP Content Server, the request modification rules are no longer necessary and must be reverted.


You may also consider applying the last scenario to directly accessible systems, depending on your risk appetite.

For each scenario, point 1. should be performed as soon as possible.
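As an added example (not part of the original post), the following Python script audits a Web Dispatcher or instance profile against the interim settings listed above: it reports missing workaround parameters while the kernel is unpatched and, once the kernel is patched, flags workaround values that should have been reverted. The scenario names, the profile parsing and the sample profile are my own constructions; the rule text for the icm/HTTP/mod_<x> file is in SAP note 3137885 and is only flagged for manual review here.

```python
# Interim workaround per deployment scenario from the post, while the SAP Kernel
# is unpatched: profile parameter -> required value. icm/HTTP/mod_<x> only names
# the rules file (rule text is in SAP note 3137885, not here), so it is flagged for review.
WORKAROUND = {
    "abap_or_content_server_behind_wd": {"wdisp/additional_conn_close": "TRUE"},
    "java_behind_wd": {"icm/HTTP/support_http2": "FALSE"},
    "behind_third_party_proxy": {},
}
MOD_PREFIX = "icm/HTTP/mod_"
NEEDS_MOD_RULES = {"java_behind_wd", "behind_third_party_proxy"}

def parse_profile(text):
    """Parse 'name = value' lines of an SAP instance profile ('#' = comment)."""
    params = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, sep, value = line.partition("=")
        if sep:
            params[name.strip()] = value.strip()
    return params

def check_profile(params, scenario, kernel_patched):
    """Findings for one profile. Unpatched kernel: every workaround parameter
    must be set. Patched kernel: the post says the workaround is no longer
    necessary and must be reverted, so a value still present is reported."""
    findings = []
    for name, required in WORKAROUND[scenario].items():
        actual = params.get(name, "").upper()
        if not kernel_patched and actual != required:
            findings.append(f"MISSING workaround: {name}={required} (found {actual or 'unset'})")
        if kernel_patched and actual == required:
            findings.append(f"REVERT workaround: {name}={required} still set after kernel patch")
    mod_files = [v for k, v in params.items() if k.startswith(MOD_PREFIX)]
    if scenario in NEEDS_MOD_RULES:
        if not kernel_patched and not mod_files:
            findings.append(f"MISSING workaround: no {MOD_PREFIX}<x> rules file configured")
        if mod_files:
            findings.append(f"REVIEW {mod_files}: note 3137885 rules must be "
                            + ("removed after kernel patch" if kernel_patched else "present"))
    return findings

# Constructed sample Web Dispatcher profile (not taken from any real system).
SAMPLE_PROFILE = """\
wdisp/additional_conn_close = TRUE
icm/HTTP/support_http2 = TRUE
icm/HTTP/mod_0 = PREFIX=/, FILE=$(DIR_INSTANCE)/mod_rules.txt
"""
```

Run `check_profile(parse_profile(SAMPLE_PROFILE), "java_behind_wd", kernel_patched=False)` to see the sample profile fail the JAVA-behind-Web-Dispatcher scenario because HTTP/2 is still enabled.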

