A note with CVSS 5.9 for component BC-CST-IC was released by SAP on 14.01.2020. The correction/advisory 2848498 is titled "[CVE-2020-6304] Denial of service (DOS) in SAP NetWeaver Internet Communication Manager" and affects the system type Kernel.
According to the SAP Security Advisory team, no workaround exists; it is advisable to implement the correction as part of regular maintenance.
The vulnerability addressed is a denial of service (DoS) in the Kernel.
Denial of Service (DoS) attacks that take a system offline can lead to significant cost for the company; studies put the average cost at between 4 and 5 million dollars. Business continuity requires SAP systems to stay online. CVSS scores and vulnerability descriptions alone do not convey how a simple bug can lead to a significant loss for a company.
Risk specification
By sending specially crafted packets to the IIOP or P4 service, an unauthenticated attacker can cause the ICM process to crash, resulting in a denial of service.
The buffer overflow that caused the ICM process to crash is now detected and handled programmatically.
The advisory is valid for:
- KRNL32NUC 7.21 4
- KRNL32NUC 7.21EXT 4
- KRNL32UC 7.21 4
- KRNL32UC 7.21EXT 4
- KRNL64NUC 7.21 4
- KRNL64NUC 7.21EXT 4
- KRNL64NUC 7.22 19
- KRNL64NUC 7.22EXT 19
- KRNL64NUC 7.49 22
- KRNL64UC 7.21 4
- KRNL64UC 7.21EXT 4
- KRNL64UC 7.22 19
- KRNL64UC 7.22EXT 19
- KRNL64UC 7.49 22
- KRNL64UC 7.53 20
- KERNEL 7.21-7.22 4
- KERNEL 7.49 21
- KERNEL 7.53 21
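As an added check that is not part of the advisory, the following Python script transcribes the list above and reports whether an installed kernel's patch level is below the one listed for its component and release. It assumes, since the page does not say so, that the listed patch level is the first one carrying the correction, and that component, release and patch level are read from the system by the operator.

```python
import re
from typing import Optional
# From the "valid for" list above (component, release, patch level); assumed, not stated on the page: that patch level is the first carrying the fix.
ADVISORY_TABLE = """
KRNL32NUC 7.21 4
KRNL32NUC 7.21EXT 4
KRNL32UC 7.21 4
KRNL32UC 7.21EXT 4
KRNL64NUC 7.21 4
KRNL64NUC 7.21EXT 4
KRNL64NUC 7.22 19
KRNL64NUC 7.22EXT 19
KRNL64NUC 7.49 22
KRNL64UC 7.21 4
KRNL64UC 7.21EXT 4
KRNL64UC 7.22 19
KRNL64UC 7.22EXT 19
KRNL64UC 7.49 22
KRNL64UC 7.53 20
KERNEL 7.21-7.22 4
KERNEL 7.49 21
KERNEL 7.53 21
"""
_RELEASE = re.compile(r"^(\d+)\.(\d+)([A-Z]*)$")

def release_key(release: str):
    """Split '7.21EXT' into ((7, 21), 'EXT'); reject anything that is not a release string."""
    m = _RELEASE.match(release.strip().upper())
    if not m:
        raise ValueError(f"unrecognised release: {release!r}")
    return (int(m.group(1)), int(m.group(2))), m.group(3)

def release_matches(spec: str, release: str) -> bool:
    num, suffix = release_key(release)
    if "-" in spec:  # inclusive numeric range such as 7.21-7.22, plain releases only
        lo, hi = (release_key(s)[0] for s in spec.split("-"))
        return suffix == "" and lo <= num <= hi
    return release_key(spec) == (num, suffix)  # exact match, EXT and non-EXT kept apart

def fixed_patch_level(component: str, release: str) -> Optional[int]:
    """Patch level that carries the fix, or None if the note does not list this kernel."""
    for line in ADVISORY_TABLE.strip().splitlines():
        comp, spec, patch = line.split()
        if comp == component.upper() and release_matches(spec, release):
            return int(patch)
    return None

def is_vulnerable(component: str, release: str, patch_level: int) -> Optional[bool]:
    fixed = fixed_patch_level(component, release)  # None: this kernel is not listed in the note
    return None if fixed is None else patch_level < fixed
```

A result of None means the note does not cover that kernel line at all, which is worth checking against SAP directly rather than treating as "not affected".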
Other SAP denial-of-service advisories (CVSS 7.5):
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2022-28772] Denial of service (DOS) in SAP Web Dispatcher and SAP NetWeaver (Internet Communication Manager)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)