[ERPSCAN-16-018] SAP JAVA AS jstart – DoS vulnerability

Application: SAP JAVA AS
Versions Affected: SAP JAVA AS 7.2 – 7.4
Vendor URL: SAP
Bugs: Denial of Service
Reported: 04.12.2015
Vendor response: 05.12.2015
Date of Public Advisory: 14.03.2016
Reference: SAP Security Note 2259547
Author: Dmitry Yudin (ERPScan) @ret5et

Vulnerability Information

Class: denial of service
Impact: denial of service
Remotely Exploitable: Yes
Locally Exploitable: No
CVE: CVE-2016-3980
CVSS Information
CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)


The Java Startup Framework (jstart) in SAP JAVA AS 7.4 allows remote attackers to cause a denial of service via a crafted HTTP request.

Business risk

A denial of service vulnerability can terminate the process of the vulnerable component. As a result, the service becomes unavailable to every user, which disrupts business processes. System downtime also harms business reputation.


SAP NetWeaver AS JAVA 7.2 – 7.4
Other versions are probably affected too, but they were not checked.


To correct this vulnerability, install SAP Security Note 2259547.


An anonymous attacker can use a specially crafted HTTP request to cause a denial of service in SAP AS JAVA.

Proof of Concept