
[ERPSCAN-16-029] SAP NetWeaver AS JAVA – deserialization of untrusted user value

Application: SAP NetWeaver AS JAVA
Versions Affected: SAP NetWeaver 7.5
Vendor URL: SAP
Bugs: Denial of Service
Reported: 22.04.2016
Vendor response: 23.04.2016
Date of Public Advisory: 12.07.2016
Reference: SAP Security Note 2315788
Author: Mathieu Geli (ERPScan)


An attacker can send a specially crafted HTTP request that forces the server to deserialize attacker-controlled (malicious) objects, which results in denial of service.
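The advisory does not publish the vulnerable request or the affected class, so the following is an added, generic illustration of the vulnerability class rather than SAP's code or SAP's fix: a servlet-style endpoint that hands a request body straight to ObjectInputStream (vulnerable form) beside a look-ahead variant that rejects any class not on an explicit allowlist before it is resolved and caps the body size. The class names, the sample objects and the 4096-byte limit are assumptions chosen for the demo. On Java 9+ (and 8u121+) the built-in ObjectInputFilter from JEP 290 additionally enforces maxdepth, maxrefs and maxbytes limits and is the preferred mechanism where available.

```java
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.InvalidClassException;
import java.io.ObjectInputStream;
import java.io.ObjectOutputStream;
import java.io.ObjectStreamClass;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class SafeDeserializationDemo {

    // Vulnerable pattern (illustrative, not SAP code): whatever class names the request
    // body carries are loaded, and their readObject()/hashCode()/equals() run before the
    // application ever inspects the result. Attacker-controlled class choice or nesting
    // therefore burns CPU, memory or stack inside the server process.
    static Object deserializeUnsafe(byte[] body) throws IOException, ClassNotFoundException {
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(body))) {
            return in.readObject();
        }
    }

    // Hardened pattern: a look-ahead ObjectInputStream that refuses any class not on an
    // explicit allowlist *before* it is resolved (so no constructor, readObject or
    // hashCode of an unexpected class ever runs), plus a hard cap on the body size.
    static final class LookAheadObjectInputStream extends ObjectInputStream {
        private final Set<String> allowed;

        LookAheadObjectInputStream(InputStream in, Set<String> allowed) throws IOException {
            super(in);
            this.allowed = allowed;
        }

        @Override
        protected Class<?> resolveClass(ObjectStreamClass desc)
                throws IOException, ClassNotFoundException {
            if (!allowed.contains(desc.getName())) {
                throw new InvalidClassException(desc.getName(),
                        "class not permitted in untrusted stream");
            }
            return super.resolveClass(desc);
        }
    }

    static Object deserializeSafe(byte[] body, Set<String> allowed, int maxBytes)
            throws IOException, ClassNotFoundException {
        // Reject oversized bodies up front; a few kilobytes of nested collections is
        // enough for a CPU-exhaustion payload, so the limit should match the real use.
        if (body.length > maxBytes) {
            throw new IOException("serialized payload exceeds " + maxBytes + " bytes");
        }
        try (ObjectInputStream in =
                     new LookAheadObjectInputStream(new ByteArrayInputStream(body), allowed)) {
            return in.readObject();
        }
    }

    static byte[] serialize(Object o) throws IOException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream out = new ObjectOutputStream(bos)) {
            out.writeObject(o);
        }
        return bos.toByteArray();
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample inputs: the type this hypothetical endpoint expects (a
        // HashMap of strings) and one it does not (an ArrayList).
        Map<String, String> expected = new HashMap<>();
        expected.put("user", "alice");
        byte[] good = serialize(expected);
        byte[] unexpected = serialize(new ArrayList<>(expected.keySet()));

        Set<String> allowed = Collections.singleton("java.util.HashMap");

        System.out.println("unsafe accepts HashMap:   " + deserializeUnsafe(good));
        System.out.println("unsafe accepts ArrayList: " + deserializeUnsafe(unexpected));

        System.out.println("safe accepts HashMap:     " + deserializeSafe(good, allowed, 4096));
        try {
            deserializeSafe(unexpected, allowed, 4096);
        } catch (InvalidClassException e) {
            System.out.println("safe rejects ArrayList:   " + e.getMessage());
        }
    }
}
```

The allowlist has to be built from the concrete classes the endpoint legitimately exchanges (including nested field types, since each one is resolved through resolveClass), which is why a blanket denylist of known gadget classes is not a substitute: the DoS shape needs no gadget chain, only an unexpected or deeply nested object graph.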

Business risk

An attacker can use a denial-of-service vulnerability to terminate a process of the vulnerable component. While that process is down nobody can use the service, which interrupts the business processes that depend on it, causes system downtime and, as a result, damages business reputation.