Advisory
A note with CVSS 5.9 for component BC-CST-IC was released by SAP on 14.01.2020. The correction/advisory 2848498 was described with "[CVE-2020-6304] Denial of service (DOS) in SAP NetWeaver Internet Communication Manager" and affects the system type Kernel.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is denial of service (dos) within Kernel.
Denial of Service (DoS) attacks that take a system offline may lead to significant cost for the company, studies quantify the costs in average between 4 and 5 millions dollars. Business continuity requires SAP systems staying online. The CVSS scores or vulnerability descriptions are not enough to represent how a simple bug can lead to a significant loss for companies.
Risk specification
By sending specially crafted packets to the IIOP or P4 service, an unauthenticated attacker ca caue the ICM process to crash, resulting in an Denial of service attack.Solution
The buffer overflow, resulting into the crach of the ICM process is now detected and programmatically managed.
The advisory is valid for
- KRNL32NUC 7.21 5
- KRNL32NUC 7.21EXT 5
- KRNL32UC 7.21 5
- KRNL32UC 7.21EXT 5
- KRNL64NUC 7.21 5
- KRNL64NUC 7.21EXT 5
- KRNL64NUC 7.22 30
- KRNL64NUC 7.22EXT 30
- KRNL64NUC 7.49 24
- KRNL64UC 7.21 5
- KRNL64UC 7.21EXT 5
- KRNL64UC 7.22 30
- KRNL64UC 7.22EXT 30
- KRNL64UC 7.49 24
- KRNL64UC 7.53 36
- KERNEL 7.21-7.22 5
- KERNEL 7.49 23
- KERNEL 7.53 36
- 9.8 Multiple vulnerabilities associated with Reprise License Manager 14.2 component used with SAP 3D Visual Enterprise License Manager
- 7.8 [CVE-2023-33990] Denial of service (DOS) vulnerability in SAP SQL Anywhere
- 7.7 [CVE-2023-35871] Memory Corruption vulnerability in SAP Web Dispatcher
- 7.5 Denial of service (DOS) in SAP Commerce
- 7.5 [CVE-2020-6186] Denial of Service (DOS) Vulnerability in SAP Host Agent
