Vulnerability Name:

CVE-2014-0995 (CCN-97610)

Assigned:2014-10-16
Published:2014-10-16
Updated:2018-12-13
Summary:The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of service (uncontrolled recursion and crash) via a trace level with a wildcard in the Trace Pattern.
CVSS v3 Severity:5.3 Medium (CCN CVSS v3.1 Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L)
Exploitability Metrics:Attack Vector (AV): Network
Attack Complexity (AC): Low
Privileges Required (PR): None
User Interaction (UI): None
Scope:Scope (S): Unchanged
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Low
CVSS v2 Severity:5.0 Medium (CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.9 Low (Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Authentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
5.0 Medium (CCN CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P)
3.9 Low (CCN Temporal CVSS v2 Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P/E:POC/RL:OF/RC:C)
Exploitability Metrics:Access Vector (AV): Network
Access Complexity (AC): Low
Athentication (Au): None
Impact Metrics:Confidentiality (C): None
Integrity (I): None
Availibility (A): Partial
Vulnerability Type:CWE-20
Vulnerability Consequences:Denial of Service
References:Source: MISC
Type: Third Party Advisory
http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/

Source: MITRE
Type: CNA
CVE-2014-0995

Source: MISC
Type: Exploit, Third Party Advisory, VDB Entry
http://packetstormsecurity.com/files/128726/SAP-Netweaver-Enqueue-Server-Trace-Pattern-Denial-Of-Service.html

Source: CCN
Type: Full Disclosure Mailing List, Thu, 16 Oct 2014 14:42:51 -0300
SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

Source: FULLDISC
Type: Exploit, Mailing List, Third Party Advisory
20141016 [CORE-2014-0007] -SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

Source: SECUNIA
Type: Third Party Advisory
60950

Source: MISC
Type: Exploit, Third Party Advisory
http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability

Source: BUGTRAQ
Type: Third Party Advisory, VDB Entry
20141016 [CORE-2014-0007] -SAP Netweaver Enqueue Server Trace Pattern Denial of Service Vulnerability

Source: CCN
Type: BID-70613
SAP NetWeaver CVE-2014-0995 Denial of Service Vulnerability

Source: XF
Type: Third Party Advisory, VDB Entry
netweaver-trace-pattern-dos(97610)

Source: XF
Type: UNKNOWN
netweaver-trace-pattern-dos(97610)

Source: CCN
Type: Packet Storm Security [10-16-2014]
SAP Netweaver Enqueue Server Trace Pattern Denial Of Service

Source: CCN
Type: SAP Web site
SAP Support Note 2042845

Source: CONFIRM
Type: Broken Link
https://twitter.com/SAP_Gsupport/status/522750365780160513

Source: EXPLOIT-DB
Type: EXPLOIT
Offensive Security Exploit Database [10-17-2014]

Vulnerable Configuration:Configuration 1:
  • cpe:/a:sap:netweaver:*:*:*:*:*:*:*:* (Version <= 7.01)
  • OR cpe:/a:sap:netweaver:7.20:*:*:*:*:*:*:*

    • Configuration CCN 1:
  • cpe:/a:sap:netweaver:7.01:*:*:*:*:*:*:*
  • OR cpe:/a:sap:netweaver:7.20:*:*:*:*:*:*:*

    • * Denotes that component is vulnerable
    BACK
    sap netweaver *
    sap netweaver 7.20
    sap netweaver 7.01
    sap netweaver 7.20