[ERPSCAN-16-005] SAP HANA hdbxsengine JSON – DoS

Application: SAP HANA
Versions Affected: SAP HANA 1.00.095
Vendor URL: http://www.sap.com
Bugs: DoS
Reported: 28.09.2015
Vendor response: 29.09.2015
Date of Public Advisory: 12.01.2016
Reference: SAP Security Note 2241978
Author: Mathieu Geli (ERPScan)


Class: DoS
Impact: Resource consumption
Remotely Exploitable: Yes
Locally Exploitable: No

CVSS Information
CVSS Base Score: 5.0 / 10
CVSS Base Vector:

AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) Low (L)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality None (N)
I : Impact to Integrity Partial (P)
A : Impact to Availability None (N)

Technical description

An unauthenticated attacker might be able to create specially crafted HTTP requests to SAP HANA Extended Application Services Classic debug function.
In addition, specially crafted HTTP requests can consume the available memory buffers and lead to a crash of the XS process. The XS process will be restarted automatically by the SAP HANA system.
Existing data cannot be changed or read by this vulnerability.


SAP HANA 1.00.095
Other versions are probably affected too, but they were not checked.


To correct this vulnerability, install SAP Security Note 2241978


Anonymous attacker can use a special HTTP request to perform a DoS attack to affect SAP HANA Security.


To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: