
Page 1: 0001678387

7/24/2019 0001678387

http://slidepdf.com/reader/full/0001678387 1/3

SAP Security Note 

Header Data

Symptom 

- An attacker can remotely exploit the Web container (servlet_jsp), rendering it, and potentially the resources that are used to serve AS Java (J2EE), unavailable.

- After an HTTP request, one of the following errors is observed:

  There are too many parameters in the request. Maximum number of parameters in the request 1000 was exceeded. Check SAP note 1678387 for further information.

  Cannot parse the parameters of the request. Maximum number of parameters 5000 was exceeded.

Other Terms 

DoS, denial of service, number of parameters, servlet_jsp, web container

Reason and Prerequisites 

The problem is caused by a resource exhaustion condition. An attacker can launch a specifically crafted request that causes the process to consume excessive resources. As a result, no other processes can allocate new resources, rendering the system unavailable. This condition can be intentionally provoked by an attacker to cause a denial of service.

Solution 

- Update to the latest version of AS Java (J2EE). If this is not possible, apply one of the patches listed in the SP Patch Level section of the note.

- After the patch has been applied, depending on the application logic, one of the two error messages from Symptom could be observed. In this case, increase the value of the property MaxParameterCount. Setting values higher than 10000 is not recommended. The default value for versions 6.40, 7.00, 7.01, 7.02 and 7.03 is 1000; for systems 7.10, 7.10 EHP1, 7.20, 7.30 and subsequent it is 5000. To change the value of the property, follow the steps below:

1. Open the Config tool. For systems 7.10 - 7.3x, enable Expert mode from the View menu.

2. Go to cluster-data -> Global server configuration or template -... -> service -> servlet_jsp

3. Click on the MaxParameterCount property.

4. In the Value field, type the new value, e.g. 7000.

5. Choose Set Custom value and click the Save button in the top-right corner.

6. Restart the cluster.
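The following is an added example, not code from the note or from SAP, of the kind of limit the MaxParameterCount property described above imposes: the parser counts parameters by their delimiters before decoding or storing any of them, so the check itself costs almost nothing, and refuses the request with the note's first error text once the limit is exceeded. The release defaults (1000 and 5000) and the recommended ceiling of 10000 are taken from the note; the function names, the `effective_max_parameter_count` helper, its fallback default for releases the note does not list, and the sample inputs are assumptions.

```python
"""Added example (not SAP's code): enforce a MaxParameterCount-style limit when
parsing request parameters, rejecting the request before any parameter is
decoded or stored. Function names, the unlisted-release fallback and the
sample inputs are assumptions; the numeric limits come from the note."""
from urllib.parse import unquote_plus

# Defaults stated in the note: 1000 for 6.40/7.0x, 5000 for 7.10 and later.
DEFAULT_MAX_PARAMETER_COUNT = {
    "6.40": 1000, "7.00": 1000, "7.01": 1000, "7.02": 1000, "7.03": 1000,
    "7.10": 5000, "7.10 EHP1": 5000, "7.20": 5000, "7.30": 5000,
}
RECOMMENDED_CEILING = 10000  # the note advises against values above this


class TooManyParameters(ValueError):
    """Raised when a request exceeds the configured parameter limit."""


def count_parameters(body):
    """Count non-empty name=value segments separated by '&' in a single pass,
    with constant memory and no URL decoding. Enforcing the limit on this
    count means an oversized request never reaches the expensive parsing."""
    count = 0
    in_segment = False
    for ch in body:
        if ch == "&":
            in_segment = False
        elif not in_segment:  # first character of a new, non-empty segment
            in_segment = True
            count += 1
    return count


def parse_parameters(body, max_parameter_count):
    """Parse a query string or x-www-form-urlencoded body into {name: [values]},
    checking the parameter count before any decoding or allocation."""
    if count_parameters(body) > max_parameter_count:
        # Same wording as the first error message in the Symptom section.
        raise TooManyParameters(
            "There are too many parameters in the request. Maximum number of "
            f"parameters in the request {max_parameter_count} was exceeded.")
    params = {}
    for seg in body.split("&"):
        if not seg:  # 'a=1&&b=2' contains an empty segment, not a parameter
            continue
        name, _, value = seg.partition("=")
        params.setdefault(unquote_plus(name), []).append(unquote_plus(value))
    return params


def effective_max_parameter_count(configured, release):
    """Resolve the limit to enforce. None means 'use the release default';
    values above the note's recommended ceiling are accepted but flagged.
    The 5000 fallback for releases the note does not list is an assumption.
    Returns (limit, warning) with warning None when the value is acceptable."""
    if configured is None:
        return DEFAULT_MAX_PARAMETER_COUNT.get(release, 5000), None
    if configured <= 0:
        raise ValueError("MaxParameterCount must be a positive integer")
    if configured > RECOMMENDED_CEILING:
        return configured, (f"MaxParameterCount {configured} is above the "
                            f"recommended maximum of {RECOMMENDED_CEILING}")
    return configured, None


def demo(release="7.30", configured=None):
    """Constructed inputs: an ordinary form post and a request carrying 6000
    tiny parameters, i.e. the kind of request the limit is meant to stop."""
    limit, warning = effective_max_parameter_count(configured, release)
    normal = "user=alice&action=save&item=1&item=2"
    flood = "&".join(f"p{i}=x" for i in range(6000))
    outcome = {"limit": limit, "warning": warning,
               "normal": parse_parameters(normal, limit)}
    try:
        parse_parameters(flood, limit)
        outcome["flood"] = "accepted"
    except TooManyParameters as exc:
        outcome["flood"] = f"rejected: {exc}"
    return outcome


if __name__ == "__main__":
    for key, val in demo().items():
        print(f"{key}: {val}")
```

With the 7.30 default of 5000 the 6000-parameter request is rejected; calling `demo(configured=7000)` mirrors step 4 above and the same request is then accepted, which is the trade-off the note's "depending on the application logic" remark points at: raise the limit only as far as legitimate forms need.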

Validity

1678387 - Potential denial of service in AS Java Web container  

Version  3

Validity:  20.08.2012 - active

Language  English (Master)

Released On  21.08.2012 16:27:50

Release Status  Released for Customer

Component  BC-JAS-WEB Web Container, HTTP, JavaMail, Servlets

Priority  Correction with high priority

Category  Program error

Externally Reported  Yes

Software Component   From Rel.   To Rel.   And Subsequent
ENGINEAPI            7.10        7.11
                     7.20        7.20
                     7.30        7.30
                     7.31        7.31
SAP-JEECOR           7.00        7.00
                     6.40        6.40
                     7.01        7.02


Causes - Side Effects

Support Packages & Patches

Notes / Patches corrected with this note

Note  Reason  From Version  To Version  Note  Solution Version  Support Package

The table does not contain any entries

The following SAP Notes correct this Note / Patch

Note  Reason  From Version  To Version  Note  Solution Version  Support Package

1678387  0  0  1963520  1

1678387  0  0  1980331  1

Support Package Patches

Software Component         Support Package   Patch Level
ENGINEAPI 7.10             SP012             000010
                           SP013             000007
                           SP014             000005
                           SP015             000000
                           SP016             000000
ENGINEAPI 7.11             SP006             000014
                           SP007             000013
                           SP008             000010
                           SP009             000008
                           SP010             000000
                           SP011             000000
ENGINEAPI 7.20             SP004             000017
                           SP005             000012
                           SP006             000008
                           SP007             000004
                           SP008             000000
ENGINEAPI 7.30             SP002             000007
                           SP003             000015
                           SP004             000011
                           SP005             000011
                           SP007             000008
                           SP008             000000
ENGINEAPI 7.31             SP001             000008
                           SP002             000006
                           SP003             000005
                           SP004             000001
                           SP005             000000
SAP J2EE ENGINE 6.40       SP020             000002
                           SP026             000031
                           SP027             000027
                           SP028             000015
                           SP029             000009
                           SP030             000001
SAP J2EE ENGINE CORE 6.40  SP031             000000
SAP J2EE ENGINE CORE 7.00  SP023             000021
                           SP024             000015
                           SP025             000013
                           SP026             000011
                           SP027             000001
                           SP028             000000
SAP J2EE ENGINE CORE 7.01  SP007             000029
                           SP008             000020
                           SP009             000017
                           SP010             000016
                           SP011             000013
                           SP012             000000
                           SP013             000000
SAP J2EE ENGINE CORE 7.02  SP005             000018
                           SP006             000024
                           SP007             000019
                           SP008             000018
                           SP009             000017
                           SP010             000012
                           SP011             000013
                           SP012             000000
                           SP013             000000

References

This document refers to:

SAP Notes

This document is referenced by:

SAP Notes (3)

1880668  Mass data input issue when using planning application

1830931  iViews Result set getting iViews Runtime Exception

2012181  Mass data limitation in planning application