Symptom
A potential attacker can inject arbitrary lines into the log of SAP HANA Extended Application Services (HANA XS).
CVSS Information
CVSS Base Score: 4.0 / 10
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://service.sap.com/securitynotes/.
CVSS Base Vector:
AV : Access Vector (Related exploit range) | Network (N)
AC : Access Complexity (Required attack complexity) | Low (L)
Au : Authentication (Level of authentication needed to exploit) | Single (S)
C : Impact to Confidentiality | None (N)
I : Impact to Integrity | Partial (P)
A : Impact to Availability | None (N)
Other Terms
log injection, SAP HANA XS
Reason and Prerequisites
A potential attacker might be able to inject additional lines into
the HANA XS log via specially crafted HTTP requests. These forged
additional line entries might confuse users analysing these logs.
Existing data cannot be changed or read by this potential vulnerability.
Solution
The log writing function has been improved with SAP HANA SPS09, revision 90. Update to revision 90 or later.
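The mechanism behind this note, as an added illustration that is not SAP's code: a request field written verbatim into a log lets a CR/LF in that field forge a second entry, while a writer that encodes control characters keeps each record on one line. The function names, the log line format and the sample request value are assumptions constructed for this example.

```javascript
// Added example (not SAP HANA XS code). Log format and names are assumed.
const LINE_RE = /^\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z \[(INFO|WARN|ERROR)\] /;

// Vulnerable pattern: the request field is interpolated as-is.
function naiveLogLine(ts, level, field) {
  return ts + " [" + level + "] path=" + field;
}

// Hardened writer: every control character (CR, LF, NUL, ESC, ...) becomes a
// visible escape, so a record can never span two lines or pose as a new entry.
function sanitizeField(value) {
  return String(value).replace(/[\x00-\x1f\x7f]/g, function (ch) {
    if (ch === "\n") return "\\n";
    if (ch === "\r") return "\\r";
    if (ch === "\t") return "\\t";
    return "\\x" + ch.charCodeAt(0).toString(16).padStart(2, "0");
  });
}

function safeLogLine(ts, level, field) {
  return ts + " [" + level + "] path=" + sanitizeField(field);
}

// Analyst-side check: flag lines lacking the expected timestamp/level prefix.
// A forged entry that copies the prefix passes this check, which is why the
// writer-side fix above, not log review, is the actual mitigation.
function findMalformedLines(logText) {
  return logText.split("\n").filter(function (line) {
    return line.length > 0 && !LINE_RE.test(line);
  });
}

// Constructed request value carrying a CRLF followed by a fake entry.
const TS = "2015-01-01T12:00:00Z";
const CRAFTED = "/sap/hana/xs/app\r\n" + TS + " [INFO] forged entry";

function demo() {
  const naive = naiveLogLine(TS, "INFO", CRAFTED);
  const safe = safeLogLine(TS, "INFO", CRAFTED);
  return {
    naiveLineCount: naive.split("\n").length, // 2: a forged second entry
    safeLineCount: safe.split("\n").length,   // 1: the record stays intact
    safeLine: safe,
  };
}
```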
Header Data
Released On | 10.02.2015 00:02:34 |
Release Status | Released for Customer |
Component | HAN-AS-XS SAP HANA Extended Application Services |
Priority | Correction with high priority |
Category | Program error |
Externally Reported | Yes |