On 13.07.2021 a security relevant correction has been released by SAP SE. The manufacturer resolves an issue within Java.
SAP Note 3056652 addresses "[CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)" to prevent denial of service (dos) with a high risk for exploitation.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance, the team suggests.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specificationSAP NetWeaver AS Java Http Service allows an attacker to prevent legitimate users from accessing a service, either by crashing or flooding the service.
The affected system component provides proper validation of the HTTP request before storing monitoring data.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- SERVERCORE 7.10 10
- SERVERCORE 7.11 10
- SERVERCORE 7.20 10
- SERVERCORE 7.30 10
- SERVERCORE 7.31 10
- SERVERCORE 7.40 10
- SERVERCORE 7.50 10