[ERPSCAN-16-017] SAP JAVA AS icman – DoS vulnerability

Application: SAP JAVA AS
Versions Affected: SAP JAVA AS 7.2 – 7.4
Vendor URL: SAP
Bugs: Denial of Service
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 14.03.2016
Reference: SAP Security Note 2256185
Author: Dmitry Yudin (ERPScan) @ret5et

Vulnerability Information

Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-3979
CVSS Information
CVSS Base Score v3: 7.5/10
CVSS Base Vector:

AV : Attack Vector (Related exploit range) Network (N)
AC : Attack Complexity (Required attack complexity) Low (L)
PR : Privileges Required (Level of privileges needed to exploit) None (N)
UI : User Interaction (Required user participation) None (N)
S : Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C : Impact to Confidentiality None (N)
I : Impact to Integrity None (N)
A : Impact to Availability High (H)


Internet Communication Manager (ICMAN/ICM) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service (possible heap corruption in IctParseCookies()) via a crafted HTTP request.

Business risk

A denial of service vulnerability lets an attacker terminate the process of the vulnerable component. While it is down, the service is unavailable to all users, which disrupts the business processes that depend on it; the downtime also harms the company's reputation.

Affected versions

SAP NetWeaver AS JAVA 7.2 – 7.4
Other versions are probably affected too, but they were not checked.

Fix information

To correct this vulnerability, install SAP Security Note 2256185.


An anonymous attacker can send a specially crafted HTTP request to cause a denial of service in SAP AS JAVA; no credentials are required, because the request is handled by ICM itself.

Proof of Concept