• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1678387 - Potential denial of service in AS Java Web container

Главная Специалистам База уязвимостей Note 1678387 - Potential denial of service in AS Java Web container

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1678387-3) SAP Support Packages (ENGINEAPI_710_SP012_000010, ENGINEAPI_710_SP013_000007, ENGINEAPI_710_SP014_000005, ENGINEAPI_710_SP015_000000, ENGINEAPI_710_SP016_000000, ENGINEAPI_710_SP999999_999999, ENGINEAPI_711_SP006_000014, ENGINEAPI_711_SP007_000013, ENGINEAPI_711_SP008_000010, ENGINEAPI_711_SP009_000008, ENGINEAPI_711_SP010_000000, ENGINEAPI_711_SP011_000000, ENGINEAPI_711_SP999999_999999, ENGINEAPI_720_SP004_000017, ENGINEAPI_720_SP005_000012, ENGINEAPI_720_SP006_000008, ENGINEAPI_720_SP007_000004, ENGINEAPI_720_SP008_000000, ENGINEAPI_720_SP999999_999999, ENGINEAPI_730_SP002_000007, ENGINEAPI_730_SP003_000015, ENGINEAPI_730_SP004_000011, ENGINEAPI_730_SP005_000011, ENGINEAPI_730_SP007_000008, ENGINEAPI_730_SP008_000000, ENGINEAPI_730_SP999999_999999, ENGINEAPI_731_SP001_000008, ENGINEAPI_731_SP002_000006, ENGINEAPI_731_SP003_000005, ENGINEAPI_731_SP004_000001, ENGINEAPI_731_SP005_000000, ENGINEAPI_731_SP999999_999999, SAP_J2EE_ENGINE_640_SP020_000002, SAP_J2EE_ENGINE_640_SP026_000031, SAP_J2EE_ENGINE_640_SP027_000027, SAP_J2EE_ENGINE_640_SP028_000015, SAP_J2EE_ENGINE_640_SP029_000009, SAP_J2EE_ENGINE_640_SP030_000001, SAP_J2EE_ENGINE_640_SP999999_999999, SAP_J2EE_ENGINE_CORE_640_SP031_000000, SAP_J2EE_ENGINE_CORE_640_SP999999_999999, SAP_J2EE_ENGINE_CORE_700_SP023_000021, SAP_J2EE_ENGINE_CORE_700_SP024_000015, SAP_J2EE_ENGINE_CORE_700_SP025_000013, SAP_J2EE_ENGINE_CORE_700_SP026_000011, SAP_J2EE_ENGINE_CORE_700_SP027_000001, SAP_J2EE_ENGINE_CORE_700_SP028_000000, SAP_J2EE_ENGINE_CORE_700_SP999999_999999, SAP_J2EE_ENGINE_CORE_701_SP007_000029, SAP_J2EE_ENGINE_CORE_701_SP008_000020, SAP_J2EE_ENGINE_CORE_701_SP009_000017, SAP_J2EE_ENGINE_CORE_701_SP010_000016, SAP_J2EE_ENGINE_CORE_701_SP011_000013, SAP_J2EE_ENGINE_CORE_701_SP012_000000, SAP_J2EE_ENGINE_CORE_701_SP013_000000, SAP_J2EE_ENGINE_CORE_701_SP999999_999999, SAP_J2EE_ENGINE_CORE_702_SP005_000018, SAP_J2EE_ENGINE_CORE_702_SP006_000024, SAP_J2EE_ENGINE_CORE_702_SP007_000019, SAP_J2EE_ENGINE_CORE_702_SP008_000018, SAP_J2EE_ENGINE_CORE_702_SP009_000017, SAP_J2EE_ENGINE_CORE_702_SP010_000012, SAP_J2EE_ENGINE_CORE_702_SP011_000013, SAP_J2EE_ENGINE_CORE_702_SP012_000000, SAP_J2EE_ENGINE_CORE_702_SP013_000000, SAP_J2EE_ENGINE_CORE_702_SP999999_999999)
Описание
The problem is caused by a resource exhaustion condition. An attacker  can launch a specifically crafted request that causes the process to  consume excessive resources. As a result, no other processes can  allocate new resources, rendering the system unavailable. This condition  can be intentionally provoked by an attacker to cause a denial of service.
Как исправить
Update to the latest version of AS Java (J2EE). If this not possible, apply one of the patches listed in SP Patch Level Section of the note.
After the patch has been applied, depending on the application logic, one of the two error messages from Symptom could be observed. In this case, increase the value of property MaxParameterCount. Setting values higher than 10000 is not recommended. Default value for versions 6.40, 7.00, 7.01, 7.02, 7.03 is 1000, for systems 7.10, 7.10 EHP1, 7.20, 7.30 and subsequent is 5000. To change the value of the property, follow the steps below:
1. Open the Config tool. For systems 7.10 - 7.3x, enable Expert mode from View menu.
2. Go to cluster-data -> Global server configuration or template -... -> service -> servlet_jsp
3. Click on the MaxParameterCount
4. In the Value field, type the new value e.g. 7000
5. Choose Set Custom value and Save button in the top-right corner.
6. Restart the cluster.
Ссылки