[ERPSCAN-16-028] SAP Adaptive Server Enterprise – DoS vulnerability

Application: SAP Adaptive Server Enterprise
Versions Affected: SAP Adaptive Server Enterprise 16
Vendor URL: SAP
Bug: Denial of Service
Reported: 01.02.2016
Vendor response: 02.02.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2330839
Author: Vahgan Vardanyan (ERPScan)


Class: Denial of Service
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: Yes
CVE Name: CVE-2017-7311

CVSS Information

CVSS Base Score v3: 7.5 / 10
CVSS Base Vector:

AV: Attack Vector (Related exploit range) Network (N)
AC: Attack Complexity (Required attack complexity) Low (L)
PR: Privileges Required (Level of privileges needed to exploit) None (N)
UI: User Interaction (Required user participation) None (N)
S: Scope (Change in scope due to impact caused to components beyond the vulnerable component) Unchanged (U)
C: Impact to Confidentiality None (N)
I: Impact to Integrity None (N)
A: Impact to Availability High (H)


An anonymous attacker can send a specially crafted request to SAP Adaptive Server Enterprise and crash the server.

Business risk

An attacker can use a denial of service vulnerability to terminate a process of a vulnerable component. While that process is down, nobody can use the service, which disrupts business processes, causes system downtime and, as a result, damages business reputation.


Affected products

SAP Open Server 16.0 SP01, SP02
SAP ASE 16.0 SP01, SP02
SAP Replication Server SP207, SP209, SP210, SP3XX


To correct this vulnerability, install SAP Security Note 2330839.


Proof of Concept