Details of VAR-201411-0262

ID

VAR-201411-0262

CVE

CVE-2014-0995

TITLE

SAP NetWeaver Service disruption in a standalone enqueue server (DoS) Vulnerabilities

Trust: 0.8

sources: JVNDB: JVNDB-2014-005245

DESCRIPTION

The Standalone Enqueue Server in SAP Netweaver 7.20, 7.01, and earlier allows remote attackers to cause a denial of service (uncontrolled recursion and crash) via a trace level with a wildcard in the Trace Pattern. SAP NetWeaver are prone to a denial-of-service vulnerability. An attacker can exploit this issue to crash the affected application, denying service to legitimate users. SAP NetWeaver 7.01 and 7.20 are vulnerable; other versions may also be affected

Trust: 1.98

sources: NVD: CVE-2014-0995 // JVNDB: JVNDB-2014-005245 // BID: 70613 // VULMON: CVE-2014-0995

AFFECTED PRODUCTS

vendor:	sap	model:	netweaver	scope:	eq	version:	7.20	Trust: 2.7
vendor:	sap	model:	netweaver	scope:	eq	version:	7.01	Trust: 1.7
vendor:	sap	model:	netweaver	scope:	lte	version:	7.01	Trust: 1.0

sources: BID: 70613 // JVNDB: JVNDB-2014-005245 // CNNVD: CNNVD-201410-1275 // NVD: CVE-2014-0995

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2014-0995
value:	MEDIUM
Trust: 1.0
NVD:	CVE-2014-0995
value:	MEDIUM
Trust: 0.8
CNNVD:	CNNVD-201410-1275
value:	MEDIUM
Trust: 0.6
VULMON:	CVE-2014-0995
value:	MEDIUM
Trust: 0.1

nvd@nist.gov:	CVE-2014-0995
severity:	MEDIUM
baseScore:	5.0
vectorString:	AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	NONE
integrityImpact:	NONE
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	2.9
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.9

sources: VULMON: CVE-2014-0995 // JVNDB: JVNDB-2014-005245 // CNNVD: CNNVD-201410-1275 // NVD: CVE-2014-0995

PROBLEMTYPE DATA

problemtype:

CWE-20

Trust: 1.8

sources: JVNDB: JVNDB-2014-005245 // NVD: CVE-2014-0995

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201410-1275

TYPE

input validation

Trust: 0.6

sources: CNNVD: CNNVD-201410-1275

CONFIGURATIONS

sources: JVNDB: JVNDB-2014-005245

EXPLOIT AVAILABILITY

sources: VULMON: CVE-2014-0995

PATCH

title:	SAP Security Note 2042845	url:	http://scn.sap.com/docs/DOC-55451	Trust: 0.8
title:	Potential denial of service in Enqueue Server #ABAP #Netweaver #SAP Note 2042845 http://ow.ly/CMsqI	url:	https://twitter.com/SAP_Gsupport/status/522750365780160513	Trust: 0.8
title:	martingalloar	url:	https://github.com/martingalloar/martingalloar	Trust: 0.1
title:	publications	url:	https://github.com/martingalloar/publications	Trust: 0.1

sources: VULMON: CVE-2014-0995 // JVNDB: JVNDB-2014-005245

EXTERNAL IDS

db:	NVD	id:	CVE-2014-0995	Trust: 2.8
db:	PACKETSTORM	id:	128726	Trust: 1.7
db:	SECUNIA	id:	60950	Trust: 1.7
db:	BID	id:	70613	Trust: 0.9
db:	JVNDB	id:	JVNDB-2014-005245	Trust: 0.8
db:	XF	id:	97610	Trust: 0.6
db:	CNNVD	id:	CNNVD-201410-1275	Trust: 0.6
db:	EXPLOIT-DB	id:	35000	Trust: 0.1
db:	VULMON	id:	CVE-2014-0995	Trust: 0.1

sources: VULMON: CVE-2014-0995 // BID: 70613 // JVNDB: JVNDB-2014-005245 // CNNVD: CNNVD-201410-1275 // NVD: CVE-2014-0995

REFERENCES

url:	http://www.coresecurity.com/advisories/sap-netweaver-enqueue-server-trace-pattern-denial-service-vulnerability	Trust: 2.8
url:	http://blog.onapsis.com/analyzing-sap-security-notes-october-2014-edition/	Trust: 2.5
url:	http://packetstormsecurity.com/files/128726/sap-netweaver-enqueue-server-trace-pattern-denial-of-service.html	Trust: 1.7
url:	http://seclists.org/fulldisclosure/2014/oct/76	Trust: 1.7
url:	https://twitter.com/sap_gsupport/status/522750365780160513	Trust: 1.7
url:	http://secunia.com/advisories/60950	Trust: 1.7
url:	https://exchange.xforce.ibmcloud.com/vulnerabilities/97610	Trust: 1.1
url:	http://www.securityfocus.com/archive/1/533719/100/0/threaded	Trust: 1.1
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2014-0995	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2014-0995	Trust: 0.8
url:	http://www.securityfocus.com/archive/1/archive/1/533719/100/0/threaded	Trust: 0.6
url:	http://xforce.iss.net/xforce/xfdb/97610	Trust: 0.6
url:	http://www.securityfocus.com/bid/70613	Trust: 0.6
url:	www.sap.com/platform/netweaver	Trust: 0.3
url:	https://cwe.mitre.org/data/definitions/20.html	Trust: 0.1
url:	https://www.exploit-db.com/exploits/35000/	Trust: 0.1
url:	https://nvd.nist.gov	Trust: 0.1
url:	https://github.com/martingalloar/martingalloar	Trust: 0.1

sources: VULMON: CVE-2014-0995 // BID: 70613 // JVNDB: JVNDB-2014-005245 // CNNVD: CNNVD-201410-1275 // NVD: CVE-2014-0995

CREDITS

Martin Gallo from Core Security Consulting Services.

Trust: 0.9

sources: BID: 70613 // CNNVD: CNNVD-201410-1275

SOURCES

db:	VULMON	id:	CVE-2014-0995
db:	BID	id:	70613
db:	JVNDB	id:	JVNDB-2014-005245
db:	CNNVD	id:	CNNVD-201410-1275
db:	NVD	id:	CVE-2014-0995

LAST UPDATE DATE

2024-11-23T22:46:00.330000+00:00

SOURCES UPDATE DATE

db:	VULMON	id:	CVE-2014-0995	date:	2018-12-13T00:00:00
db:	BID	id:	70613	date:	2014-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-005245	date:	2014-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201410-1275	date:	2014-11-13T00:00:00
db:	NVD	id:	CVE-2014-0995	date:	2024-11-21T02:03:11.250

SOURCES RELEASE DATE

db:	VULMON	id:	CVE-2014-0995	date:	2014-11-06T00:00:00
db:	BID	id:	70613	date:	2014-10-15T00:00:00
db:	JVNDB	id:	JVNDB-2014-005245	date:	2014-11-07T00:00:00
db:	CNNVD	id:	CNNVD-201410-1275	date:	2014-10-24T00:00:00
db:	NVD	id:	CVE-2014-0995	date:	2014-11-06T15:55:06.990