SAP takes the security of its vast product portfolio very seriously and thus releases security fixes for
vulnerabilities reported by external researchers and their customers every second Tuesday of the month.
SAP Note 3229987
was released on
08.11.2022 and deals with
"[CVE-2022-41259] Denial of service (DOS) in SAP SQL Anywhere" within Sybase platform.
We advice you to follow the instructions, to resolve
denial of service (dos)
medium potential for exploitation
in component BC-SYB-SQA.
According to SAP Security Advisory team a workaround does not exist. It is advisable to implement the correction as part of maintenance.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specificationSAP SQL Anywhere allows an authenticated attacker to prevent legitimate users from accessing a SQL Anywhere database server by crashing the server with some queries that use an ARRAY constructor.
SQL Anywhere has been updated to prevent the denial of service vulnerability
The advisory is valid for