SAP NetWeaver Application Server ABAP Memory Corruption Vulnerability Leading to Denial-of-Service

A memory corruption vulnerability has been identified in SAP NetWeaver Application Server ABAP, specifically within the BIC Document application. This vulnerability allows an authenticated attacker to craft requests that can cause memory corruption, leading to crashes of the affected component. Successful exploitation can disrupt the availability of the target component, with multiple submissions potentially causing complete unavailability. Additionally, a similar crafted submission can perform an out-of-bounds read operation, exposing sensitive information loaded in memory at the time. However, this vulnerability does not allow for modification of any information.

Impact

Exploitation of this vulnerability causes memory corruption errors, leading to crashes of the target component. This disruption can be compounded by multiple submissions, causing the component to become completely unavailable. The vulnerability also allows for out-of-bounds read operations, which can reveal sensitive information from memory.

Remediation

Users are advised to review and implement the SAP Security Note associated with this vulnerability. This can be done through the SAP for Me platform, specifically in the Security Notes section. SAP NetWeaver based products also receive security fixes with their support packages.