Tuesday, February 2, 2016

2165583 - SAP HANA secure configuration of internal communication

Symptom
SAP HANA internal services could be accessed without authentication if the HANA system is insecurely configured and no other security measures are in place. This could endanger system availability, data confidentiality and integrity.
CVSS Information
CVSS Base Score: 6.6 / 10
CVSS Base Vector:
AV : Access Vector (Related exploit range) Network (N)
AC : Access Complexity (Required attack complexity) High (H)
Au : Authentication (Level of authentication needed to exploit) None (N)
C : Impact to Confidentiality Partial (P)
I : Impact to Integrity Partial (P)
A : Impact to Availability Complete (C)
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.


Other Terms
HANA, encryption, network, hostname, listeninterface, TrexNet


Reason and Prerequisites
The internal SAP HANA services communication can be attacked
  • if the HANA system is not located behind a firewall that blocks access to the HANA internal communication channels,
  • and if SSL/TLS with mutual host authentication is not enabled for distributed HANA systems or HANA system replication,
  • and if the internal HANA network is not configured correctly.


Solution
Follow the recommendations to configure HANA internal service communication in
  • HANA Master Guide: chapter "SAP HANA Architecture"
  • SAP HANA Security Guide: chapter "SAP HANA Network and Communication Security"
  • SAP HANA Security Guide: chapter "Security Configuration Checklist" -> "Network"
The referenced documentation can be found at http://help.sap.com/hana_platform.
Check the internal network configuration of SAP HANA and correct the settings if necessary. To check the configuration of your HANA system, follow the instructions in SAP Note 2183363.
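The following is an added example of the kind of configuration check the note asks for; it is not SAP's own check script from SAP Note 2183363. It audits a constructed global.ini fragment for the three settings the note's prerequisites revolve around. The parameter names are assumed from SAP HANA documentation: [communication] listeninterface (values .global, .internal, .local), the [internal_hostname_resolution] section for the internal-network host mapping, and [communication] ssl = systempki for TLS with mutual host authentication on the internal channels.

```python
"""Audit a SAP HANA global.ini fragment for insecure internal-network settings.
Added example, not SAP's own check script. Parameter names and values are
assumed from SAP HANA documentation (see the lead-in)."""
import configparser

# Constructed sample: a distributed (multi-host) system with a weak configuration.
SAMPLE_GLOBAL_INI = """
[communication]
listeninterface = .global
ssl = off

[internal_hostname_resolution]
"""


def audit_internal_network(ini_text, distributed=True):
    """Return a list of findings for the internal network settings (empty = nothing flagged)."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    findings = []
    comm = cfg["communication"] if cfg.has_section("communication") else {}
    iface = comm.get("listeninterface", "").strip()
    # .global binds the internal services to every interface; on a multi-host
    # system that exposes them to whatever network can reach the host.
    if iface == ".global" and distributed:
        findings.append("listeninterface=.global on a distributed system: "
                        "internal services reachable on all interfaces")
    elif iface == ".internal":
        # .internal only works if the internal-network hosts are mapped explicitly.
        has_map = (cfg.has_section("internal_hostname_resolution")
                   and len(cfg["internal_hostname_resolution"]) > 0)
        if not has_map:
            findings.append("listeninterface=.internal but "
                            "[internal_hostname_resolution] is empty")
    elif iface not in (".local", ".internal", ".global"):
        findings.append("listeninterface missing or unknown: %r" % iface)
    # TLS with mutual host authentication on the internal channels (assumed value).
    if distributed and comm.get("ssl", "").strip().lower() != "systempki":
        findings.append("ssl for internal communication is not systempki "
                        "(TLS with mutual host authentication not enabled)")
    return findings


if __name__ == "__main__":
    for finding in audit_internal_network(SAMPLE_GLOBAL_INI):
        print("FINDING:", finding)
```

Run it against the global.ini of each host of a scale-out system; a single-host system with listeninterface = .local can be audited with distributed=False.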



Header Data

Released On 16.11.2015 11:40:44
Release Status Released for Customer
Component HAN-DB SAP HANA Database
Priority Correction with medium priority
Category Customizing
Externally Reported Yes
