PT-2015-5693 · Sap+1 · Gui+7

Martin Gallo · Published 2015-06-02 · Updated 2018-10-09 · CVE-2015-2278

CVSS v2.0: 5.0 (Medium)
Vector: AV:N/AC:L/Au:N/C:N/I:N/A:P
Name of the Vulnerable Software and Affected Versions

SAP MaxDB versions 7.5 through 7.6
Netweaver Application Server ABAP (affected versions not specified)
Netweaver Application Server Java (affected versions not specified)
Netweaver RFC SDK (affected versions not specified)
GUI (affected versions not specified)
RFC SDK (affected versions not specified)
SAPCAR archive tool (affected versions not specified)

Description

The issue allows context-dependent attackers to cause a denial of service via unspecified vectors, related to look-ups of non-simple codes in the LZH decompression implementation, specifically in the CsObjectInt::BuildHufTree function.

Recommendations

For SAP MaxDB versions 7.5 through 7.6, update to a version that includes the fix for the CsObjectInt::BuildHufTree function issue.
For Netweaver Application Server ABAP, apply the necessary patches or updates as specified in the relevant security notes.
For Netweaver Application Server Java, apply the necessary patches or updates as specified in the relevant security notes.
For Netweaver RFC SDK, apply the necessary patches or updates as specified in the relevant security notes.
For GUI, apply the necessary patches or updates as specified in the relevant security notes.
For RFC SDK, apply the necessary patches or updates as specified in the relevant security notes.
For SAPCAR archive tool, apply the necessary patches or updates as specified in the relevant security notes.
As a temporary workaround, consider restricting the use of the LZH decompression implementation until a patch is available.

Exploit

Fix

DoS

Buffer Overflow


Weakness Enumeration

Related Identifiers

CVE-2015-2278
SUSE-SU-2016:0805-1
SUSE-SU-2016:0807-1
SUSE-SU-2016_0805-1
SUSE-SU-2016_0807-1

Affected Products

Gui
Sap Netweaver Application Server Abap
Sap Netweaver Application Server Java
Netweaver Rfc Sdk
Rfc Sdk
Sap Maxdb
Sapcar Archive Tool
Suse