0001678387
7/24/2019 0001678387
http://slidepdf.com/reader/full/0001678387 1/3
SAP Security Note
Header Data
Symptom
- An attacker can remotely exploit the Web container (servlet_jsp), rendering it, and potentially the resources that are used to serve AS Java (J2EE), unavailable.
- After an HTTP request, one of the following errors is observed:
  There are too many parameters in the request. Maximum number of parameters in the request 1000 was exceeded. Check SAP note 1678387 for further information.
  Cannot parse the parameters of the request. Maximum number of parameters 5000 was exceeded.
Other Terms
DoS, denial of service, number of parameters, servlet_jsp, web container
Reason and Prerequisites
The problem is caused by a resource exhaustion condition. An attacker can launch a specifically crafted request that causes the process to consume excessive resources. As a result, no other processes can allocate new resources, rendering the system unavailable. This condition can be intentionally provoked by an attacker to cause a denial of service.
Solution
- Update to the latest version of AS Java (J2EE). If this is not possible, apply one of the patches listed in the SP Patch Level section (Support Package Patches) of the note.
- After the patch has been applied, depending on the application logic, one of the two error messages from Symptom could be observed. In this case, increase the value of the property MaxParameterCount. Setting values higher than 10000 is not recommended. The default value for versions 6.40, 7.00, 7.01, 7.02 and 7.03 is 1000; for systems 7.10, 7.10 EHP1, 7.20, 7.30 and subsequent it is 5000. To change the value of the property, follow the steps below:
1. Open the Config tool. For systems 7.10 - 7.3x, enable Expert mode from View menu.
2. Go to cluster-data -> Global server configuration or template -... -> service -> servlet_jsp
3. Click on the MaxParameterCount
4. In the Value field, type the new value e.g. 7000
5. Choose Set Custom value and then the Save button in the top-right corner.
6. Restart the cluster.
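The limit the note describes, as an added example that is not SAP's code: a query-string/form-body parser that enforces a MaxParameterCount-style limit while it reads the request, so an over-limit request is rejected at the first excess pair instead of after every pair has been allocated. The release-to-default mapping follows the note; treating every name=value pair (repeated names included) as one parameter and skipping empty chunks are assumptions about the container's counting.

```python
from urllib.parse import unquote_plus

# Default MaxParameterCount per AS Java release, as stated in the note (7.11 = 7.10 EHP1).
DEFAULT_MAX_PARAMETER_COUNT = {
    "6.40": 1000, "7.00": 1000, "7.01": 1000, "7.02": 1000, "7.03": 1000,
    "7.10": 5000, "7.11": 5000, "7.20": 5000, "7.30": 5000, "7.31": 5000,
}
RECOMMENDED_CEILING = 10000  # the note advises against setting values above this

class TooManyParametersError(ValueError):
    """Raised at the first excess pair, before the rest of the request is parsed."""

def _split_pairs(data):
    """Yield 'name=value' chunks one at a time; never splits the whole string up front."""
    start = 0
    while start <= len(data):
        end = data.find("&", start)
        if end == -1:
            end = len(data)
        if end > start:  # assumption: empty chunks as in 'a=1&&b=2' are not counted
            yield data[start:end]
        start = end + 1

def parse_parameters(query_string, body="", max_count=5000):
    """Parse query string and form body into {name: [values]}, enforcing max_count.
    The limit is checked before a pair is decoded and stored, so an over-limit request
    fails at pair max_count + 1 rather than after every pair has been allocated.
    Repeated names count separately (assumption about the container's counting).
    """
    params, count = {}, 0
    for source in (query_string, body):
        for pair in _split_pairs(source):
            count += 1
            if count > max_count:
                raise TooManyParametersError(
                    "There are too many parameters in the request. Maximum number "
                    f"of parameters in the request {max_count} was exceeded.")
            name, _, value = pair.partition("=")
            params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params

def within_limit(query_string, body="", release="7.30", max_count=None):
    """True if the request fits the release default (or an explicit override)."""
    limit = DEFAULT_MAX_PARAMETER_COUNT[release] if max_count is None else max_count
    try:
        parse_parameters(query_string, body, limit)
    except TooManyParametersError:
        return False
    return True

# Constructed sample: a form body with 1001 parameters; 7.00 (limit 1000) rejects it, 7.10 does not.
SAMPLE_BODY = "&".join(f"p{i}=x" for i in range(1001))
```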
1678387 - Potential denial of service in AS Java Web container
Version: 3
Validity: 20.08.2012 - active
Language: English (Master)
Released On: 21.08.2012 16:27:50
Release Status: Released for Customer
Component: BC-JAS-WEB Web Container, HTTP, JavaMail, Servlets
Priority: Correction with high priority
Category: Program error
Externally Reported: Yes

Software Component   From Rel.   To Rel.   And Subsequent
ENGINEAPI            7.10        7.11
ENGINEAPI            7.20        7.20
ENGINEAPI            7.30        7.30
ENGINEAPI            7.31        7.31
SAP-JEECOR           7.00        7.00
SAP-JEECOR           6.40        6.40
SAP-JEECOR           7.01        7.02
Causes - Side Effects
Support Packages & Patches
Notes / Patches corrected with this note
Note Reason From Version To Version Note Solution Version Support Package
The table does not contain any entries
The following SAP Notes correct this Note / Patch
Note Reason From Version To Version Note Solution Version Support Package
1678387 0 0 1963520 1
1678387 0 0 1980331 1
Support Package Patches
Software Component         Support Package   Patch Level
ENGINEAPI 7.10             SP012             000010
                           SP013             000007
                           SP014             000005
                           SP015             000000
                           SP016             000000
ENGINEAPI 7.11             SP006             000014
                           SP007             000013
                           SP008             000010
                           SP009             000008
                           SP010             000000
                           SP011             000000
ENGINEAPI 7.20             SP004             000017
                           SP005             000012
                           SP006             000008
                           SP007             000004
                           SP008             000000
ENGINEAPI 7.30             SP002             000007
                           SP003             000015
                           SP004             000011
                           SP005             000011
                           SP007             000008
                           SP008             000000
ENGINEAPI 7.31             SP001             000008
                           SP002             000006
                           SP003             000005
                           SP004             000001
                           SP005             000000
SAP J2EE ENGINE 6.40       SP020             000002
                           SP026             000031
                           SP027             000027
                           SP028             000015
                           SP029             000009
                           SP030             000001
SAP J2EE ENGINE CORE 6.40  SP031             000000
SAP J2EE ENGINE CORE 7.00  SP023             000021
                           SP024             000015
                           SP025             000013
                           SP026             000011
                           SP027             000001
                           SP028             000000
SAP J2EE ENGINE CORE 7.01  SP007             000029
                           SP008             000020
                           SP009             000017
                           SP010             000016
                           SP011             000013
                           SP012             000000
                           SP013             000000
SAP J2EE ENGINE CORE 7.02  SP005             000018
                           SP006             000024
                           SP007             000019
                           SP008             000018
                           SP009             000017
                           SP010             000012
                           SP011             000013
                           SP012             000000
                           SP013             000000
References
This document refers to:
SAP Notes
This document is referenced by:
SAP Notes (3)
1880668 Mass data input issue when using planning application
1830931 iViews Result set getting iViews Runtime Exception
2012181 Mass data limitation in planning application