Symptom
Attackers could exploit a vulnerability in SAP HANA Extended Application Services to take complete control of the product, including viewing, changing, or deleting data.
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
AV : Access Vector (Related exploit range) | Network (N) |
AC : Access Complexity (Required attack complexity) | Medium (M) |
Au : Authentication (Level of authentication needed to exploit) | None (N) |
C : Impact to Confidentiality | Complete (C) |
I : Impact to Integrity | Complete (C) |
A : Impact to Availability | Complete (C) |
Other Terms
Buffer overflow, RCE, remote code execution, SAP HANA Extended Application Services, HANA XS
Reason and Prerequisites
A buffer overflow vulnerability exists in some revisions of SAP HANA Extended Application Services. If an attacker has network access to the HTTP interface of SAP HANA Extended Application Services, the vulnerability may allow them to inject code into the working memory of the application, where it is subsequently executed. It can also be used to cause a general fault in the product, causing it to terminate.
Solution
The issue is fixed with revision 92 (for SPS09) and 85.05 (for
SPS08). SPS10 is not affected. Update to these or later revisions.
Workaround: restrict access to SAP HANA Extended Application Services (XS) by limiting network access to the SAP HANA Extended Application Services network ports of the HANA server.
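To turn the fixed-revision statement above into something an inventory check can run, here is an added example (not code from the SAP note) that classifies an installed SAP HANA 1.0 version string against the fixes this note lists. It assumes the usual HANA 1.0 version string layout "1.00.<revision>.<patch>[.<build>]" and the usual mapping of revisions 80-89 to SPS08, 90-99 to SPS09 and 100 and above to SPS10; both are assumptions, not facts stated in the note. The fixed revisions themselves (85.05 for SPS08, 92 for SPS09, SPS10 unaffected) come from the note. The sample inventory is constructed.

```python
"""Added example: assess SAP HANA 1.0 revisions against the fixes in this note.

Assumptions (not stated in the note):
- version strings look like "1.00.<revision>.<patch>[.<build>]",
  e.g. "1.00.085.05.1418253830"
- revision // 10 gives the Support Package Stack (80-89 -> SPS08, 90-99 -> SPS09,
  100+ -> SPS10)
"""
import re
from typing import Dict, Tuple

# From the note: first (revision, patch) per SPS that contains the fix.
FIXED: Dict[int, Tuple[int, int]] = {8: (85, 5), 9: (92, 0)}
UNAFFECTED_FROM_SPS = 10  # the note states SPS10 is not affected

_VERSION_RE = re.compile(r"1\.00\.(\d+)\.(\d+)(?:\.\d+)?")


def parse_revision(version: str) -> Tuple[int, int]:
    """Return (revision, patch) from a HANA 1.0 version string; raise on junk."""
    m = _VERSION_RE.fullmatch(version.strip())
    if not m:
        raise ValueError(f"unrecognised HANA 1.0 version string: {version!r}")
    return int(m.group(1)), int(m.group(2))


def assess(version: str) -> str:
    """Classify a version as 'not_affected', 'fixed', 'affected' or 'unknown'.

    'unknown' covers SPS levels the note gives no fix for (older than SPS08);
    treat those as needing an upgrade rather than as safe.
    """
    rev, patch = parse_revision(version)
    sps = rev // 10  # assumed SPS numbering, see module docstring
    if sps >= UNAFFECTED_FROM_SPS:
        return "not_affected"
    if sps not in FIXED:
        return "unknown"
    return "fixed" if (rev, patch) >= FIXED[sps] else "affected"


def assess_inventory(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each host name in a {host: version} inventory to its assessment."""
    return {host: assess(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    sample = {
        "hana-prod-01": "1.00.085.05.1418253830",
        "hana-prod-02": "1.00.085.00.1418253830",
        "hana-qa-01": "1.00.091.00.1418659308",
        "hana-dev-01": "1.00.102.00.1425640043",
        "hana-legacy": "1.00.074.00.1397829709",
    }
    for host, status in assess_inventory(sample).items():
        print(f"{host:14s} {sample[host]:26s} {status}")
```

The comparison is done on the (revision, patch) tuple rather than on the raw string, so "85.05" correctly ranks above "85.00" while "85.10" would still count as fixed; a plain string compare would get the zero-padded forms wrong.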
Header Data
Released On | 08.09.2015 00:10:26 |
Release Status | Released for Customer |
Component | HAN-AS-XS SAP HANA Extended Application Services |
Priority | Hot News |
Category | Program error |
Externally Reported | Yes |