Denial of service in SAP NetWeaver

Published: 2017-10-11 14:03:27
Severity Low
Patch available YES
Number of vulnerabilities 1
CVSSv2 3.7 (AV:N/AC:L/Au:N/C:N/I:N/A:P/E:U/RL:OF/RC:C)
CVSSv3 4.6 [CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RL:O/RC:C]
CVE ID CVE-2017-9845
CWE ID CWE-400
Exploitation vector Network
Public exploit Not available
Vulnerable software SAP NetWeaver
Vulnerable software versions SAP NetWeaver 7.4
Vendor URL SAP
Advisory type Public

Security Advisory

1) Resource exhaustion

Description

The vulnerability allows a remote attacker to cause DoS condition on the target system.

The vulnerability exists in SAP NetWeaver Dynpro Engine due to improper handling of DIAG requests by the disp+work process port. A remote attacker can send a specially crafted DIAG request, trigger resource exhaustion and cause the service to crash.

Remediation

Install update from vendor's website.

External links

https://launchpad.support.sap.com/#/notes/2405918

Back to List