Application: SAP Message Server
Vendor URL: SAP
Bugs: Denial of Service
Reported: 18.08.2016
Vendor response: 19.08.2016
Date of Public Advisory: 08.11.2016
Reference: SAP Security Note 2358972
Author: Mathieu Geli (ERPScan)


The SAP Message Server HTTP daemon doesn’t clean its memory upon client connections in a certain case.

Business risk

An attacker can exploit a Denial of Service vulnerability to terminate a process of a vulnerable component. As a result, nobody will be able to use the service, which in turn disrupts business processes, causes system downtime, and damages the business reputation of the victim company.