Symptom
A user or attacker can discover information from files on the HANA server.
CVSS Information
CVSS Base Score: 3.5 / 10
SAP provides this CVSS base score as an estimate of the risk posed
by the issue reported in this note. This estimate does not take into
account your own system configuration or operational environment. It is
not intended to replace any risk assessments you are advised to conduct
when deciding on the applicability or priority of this SAP security
note. For more information, see the FAQ section at https://service.sap.com/securitynotes/.
CVSS Base Vector:
AV : Access Vector (Related exploit range) | Network (N) |
AC : Access Complexity (Required attack complexity) | Medium (M) |
Au : Authentication (Level of authentication needed to exploit) | Single (S) |
C : Impact to Confidentiality | Partial (P) |
I : Impact to Integrity | None (N) |
A : Impact to Availability | None (N) |
Other Terms
Information disclosure, SAP HANA, IMPORT
Reason and Prerequisites
Files on the HANA server's file system can be accessed by
authenticated users. Users need the IMPORT privilege to access files on
the file server, which is not granted by default to any user. The access
is limited to files which can be read by the <sid>adm of the HANA
system.
The file system path to access files on the server cannot be further restricted within HANA before revision 85.
Solution
As of SAP HANA SPS 08 database revision 85, you can restrict
local and/or shared file access using two INI configuration
parameters, together referred to as the CSV import path filter.
1. Enable CSV import path filter via configuration tab of HANA Administration Console
- File: indexserver.ini
- Section: import_export
- Key: enable_csv_import_path_filter
- Value: true
This configuration change takes effect immediately through reconfiguration: the IMPORT FROM command can then only access CSV files stored under the specified directory paths. The following three paths are accepted by default without any additional path filter setting.
- $DIR_INSTANCE/work
- $DIR_INSTANCE/backup
- $SAP_RETRIEVAL_PATH/trace
- File: indexserver.ini
- Section: import_export
- Key: csv_import_path_filter
- Value: <absolute directory path>[;<absolute directory path>]*
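The same settings can be applied and checked from a SQL console. This is an added example, not part of the SAP note: it assumes the SYSTEM configuration layer, and the directory /hana/shared/csv_import is a constructed placeholder for a path of your own.

```sql
-- Added example, not taken from the SAP note. Requires revision 85 or later.

-- 1. Audit: who holds the IMPORT system privilege? The note states it is
--    not granted to any user by default, so every row deserves a review.
--    A grantee may be a role; follow roles via SYS.GRANTED_ROLES.
SELECT GRANTEE, GRANTEE_TYPE, GRANTOR, IS_GRANTABLE
  FROM SYS.GRANTED_PRIVILEGES
 WHERE OBJECT_TYPE = 'SYSTEMPRIVILEGE'
   AND PRIVILEGE   = 'IMPORT'
 ORDER BY GRANTEE_TYPE, GRANTEE;

-- 2. Enable the CSV import path filter. WITH RECONFIGURE applies the
--    change to the running system immediately.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('import_export', 'enable_csv_import_path_filter') = 'true'
  WITH RECONFIGURE;

-- 3. Set the path filter to a dedicated import directory.
--    The value is a list of absolute directory paths separated by ';'.
--    '/hana/shared/csv_import' is a constructed placeholder.
ALTER SYSTEM ALTER CONFIGURATION ('indexserver.ini', 'SYSTEM')
  SET ('import_export', 'csv_import_path_filter') = '/hana/shared/csv_import'
  WITH RECONFIGURE;

-- 4. Verify what is actually configured, per layer.
--    No row for enable_csv_import_path_filter means the key has not been
--    set explicitly in any layer.
SELECT FILE_NAME, LAYER_NAME, SECTION, KEY, VALUE
  FROM SYS.M_INIFILE_CONTENTS
 WHERE FILE_NAME = 'indexserver.ini'
   AND SECTION   = 'import_export'
   AND KEY IN ('enable_csv_import_path_filter', 'csv_import_path_filter');
```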
Header Data
Released On | 13.01.2015 00:03:15 |
Release Status | Released for Customer |
Component | HAN-DB SAP HANA Database |
Priority | Correction with high priority |
Category | Program error |
Externally Reported | Yes |