• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1677291 - Potential denial of service in Web Application Components

Главная Специалистам База уязвимостей Note 1677291 - Potential denial of service in Web Application Components

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1677291-1) SAP Support Packages (SAP_KERNEL_640_32_BIT_SP405_000405, SAP_KERNEL_640_32_BIT_SP999999_999999, SAP_KERNEL_640_32_BIT_UNICODE_SP405_000405, SAP_KERNEL_640_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_64_BIT_SP405_000405, SAP_KERNEL_640_64_BIT_SP999999_999999, SAP_KERNEL_640_64_BIT_UNICODE_SP405_000405, SAP_KERNEL_640_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_SP405_000405, SAP_KERNEL_640_EX2_32_BIT_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_UC_SP405_000405, SAP_KERNEL_640_EX2_32_BIT_UC_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_SP405_000405, SAP_KERNEL_640_EX2_64_BIT_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_UC_SP405_000405, SAP_KERNEL_640_EX2_64_BIT_UC_SP999999_999999, SAP_KERNEL_700_32_BIT_SP344_000344, SAP_KERNEL_700_32_BIT_SP999999_999999, SAP_KERNEL_700_32_BIT_UNICODE_SP344_000344, SAP_KERNEL_700_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_700_64_BIT_SP344_000344, SAP_KERNEL_700_64_BIT_SP999999_999999, SAP_KERNEL_700_64_BIT_UNICODE_SP344_000344, SAP_KERNEL_700_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_32_BIT_SP188_000188, SAP_KERNEL_701_32_BIT_SP999999_999999, SAP_KERNEL_701_32_BIT_UNICODE_SP188_000188, SAP_KERNEL_701_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_64_BIT_SP188_000188, SAP_KERNEL_701_64_BIT_SP999999_999999, SAP_KERNEL_701_64_BIT_UNICODE_SP188_000188, SAP_KERNEL_701_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_32_BIT_SP273_000273, SAP_KERNEL_710_32_BIT_SP999999_999999, SAP_KERNEL_710_32_BIT_UNICODE_SP273_000273, SAP_KERNEL_710_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_64_BIT_SP273_000273, SAP_KERNEL_710_64_BIT_SP999999_999999, SAP_KERNEL_710_64_BIT_UNICODE_SP273_000273, SAP_KERNEL_710_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_32_BIT_SP160_000160, SAP_KERNEL_711_32_BIT_SP999999_999999, SAP_KERNEL_711_32_BIT_UNICODE_SP160_000160, SAP_KERNEL_711_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_64_BIT_SP160_000160, SAP_KERNEL_711_64_BIT_SP999999_999999, SAP_KERNEL_711_64_BIT_UNICODE_SP160_000160, SAP_KERNEL_711_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_32_BIT_SP217_000217, SAP_KERNEL_720_32_BIT_SP999999_999999, SAP_KERNEL_720_32_BIT_UNICODE_SP217_000217, SAP_KERNEL_720_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_64_BIT_SP217_000217, SAP_KERNEL_720_64_BIT_SP999999_999999, SAP_KERNEL_720_64_BIT_UNICODE_SP217_000217, SAP_KERNEL_720_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_721_32_BIT_SP010_000010, SAP_KERNEL_721_32_BIT_SP999999_999999, SAP_KERNEL_721_32_BIT_UNICODE_SP010_000010, SAP_KERNEL_721_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_721_64_BIT_SP010_000010, SAP_KERNEL_721_64_BIT_SP999999_999999, SAP_KERNEL_721_64_BIT_UNICODE_SP010_000010, SAP_KERNEL_721_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_721_EXT_32_BIT_SP010_000010, SAP_KERNEL_721_EXT_32_BIT_SP999999_999999, SAP_KERNEL_721_EXT_32_BIT_UC_SP010_000010, SAP_KERNEL_721_EXT_32_BIT_UC_SP999999_999999, SAP_KERNEL_721_EXT_64_BIT_SP010_000010, SAP_KERNEL_721_EXT_64_BIT_SP999999_999999, SAP_KERNEL_721_EXT_64_BIT_UC_SP010_000010, SAP_KERNEL_721_EXT_64_BIT_UC_SP999999_999999)
Описание
The problem is caused by a resource exhaustion condition. An attacker  can launch a specifically crafted request that causes the process to  consume excessive resources. As a result, no other processes can  allocate new resources, rendering the system unavailable. This condition  can be intentionally provoked by an attacker to cause a denial of service.
Как исправить
A kernel patch is provided that introduces the profile parameter "ict/max_form_fields", effectively limiting the maximum number of form fields per HTTP request processed by the HTTP parser thereby eliminating the vulnerability due to the aforementioned hash table collision attacks. The default value of the parameter is 5000 and can be changed either dynamically via transaction RZ11 or by editing the application server instance's start profile.
Please apply the patch level mentioned in this note.
Ссылки