SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3148094
was released on
12.04.2022 and deals with
"[CVE-2022-27670] Denial of service (DOS) in SQL Anywhere" within Sybase.
We advice you to follow the instructions, to resolve
denial of service (dos)
medium potential for exploitation
in component BC-SYB-SQA.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specificationSQL Anywhere allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use indirect identifiers.
SQL Anywhere has been updated to prevent the denial of service vulnerability
The advisory is valid for
- SYBASE_SQL_ANYWHERE_SERVER 17.0
- 7.5 [CVE-2020-6196] Denial of service (DOS) in SAP BusinessObjects Mobile (MobileBIService)
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2022-28772]Denial of service (DOS) in SAP Web Dispatcher and SAP Netweaver (Internet Communication Manager)
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
- 7.5 [CVE-2021-33670] Denial of Service (DoS) in SAP NetWeaver AS for Java (Http Service)