2081977 – (CVE-2021-33670) CVE-2021-33670 SAP-NetWeaver: Denial of Service in SAP NetWeaver JAVA

Bug 2081977 (CVE-2021-33670) - CVE-2021-33670 SAP-NetWeaver: Denial of Service in SAP NetWeaver JAVA

Summary: CVE-2021-33670 SAP-NetWeaver: Denial of Service in SAP NetWeaver JAVA

Keywords:
Status:	CLOSED NOTABUG
Alias:	CVE-2021-33670
Product:	Security Response
Classification:	Other
Component:	vulnerability
Sub Component:
Version:	unspecified
Hardware:	All
OS:	Linux
Priority:	high
Severity:	high
Target Milestone:	---
Assignee:	Red Hat Product Security
QA Contact:
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:	2081978
TreeView+	depends on / blocked

Reported:	2022-05-05 06:51 UTC by Avinash Hanwate
Modified:	2023-02-27 13:57 UTC (History)
CC List:	32 users (show)
Fixed In Version:
Clone Of:
Environment:
Last Closed:	2022-05-06 21:41:47 UTC
Embargoed:

Attachments	(Terms of Use)

Description Avinash Hanwate 2022-05-05 06:51:00 UTC

SAP Netweaver Java has a stack of standard J2EE filters responsible to do some controls and statistical operations over each received request. The
vulnerability exists because one of those filters is keeping information about the different HTTP methods received by the server, but it is not properly controlling how much memory it needs to store that information. After sending a specially crafted request, an attacker is able to make that filter raise an OutOfMemoryError, making the virtual machine crash.

References:
- https://onapsis.com/blog/sap-security-patch-day-july-2021-serious-vulnerabilities-sap-netweaver-java-fixed
- Vendor Patch: https://launchpad.support.sap.com/#/notes/3056652

Note You need to log in before you can comment on or make changes to this bug.

aileenc
avibelli
bgeorges
chazlett
clement.escoffier
dandread
dkreling
drieden
ggaughan
gmalinko
gsmet
hamadhan
hbraun
janstey
jnethert
jochrist
jschatte
jwon
krathod
lthon
mszynkie
pantinor
pdelbell
peholase
pgallagh
pjindal
probinso
rareddy
rruss
rsvoboda
sbiarozk
sdouglas