Symptom
SAP has disclosed two security issues affecting the SAP HANA SQL interface and SAP HANA Extended Application Services (XS).
Attackers could exploit the SAP HANA SQL interface or SAP HANA Extended Application Services (XS) to enable them to take complete control of the product, including viewing, changing, or deleting data.
SAP HANA SQL Interface
This issue is relevant for users of SAP Business One 9.0, version for SAP HANA and SAP Business One 9.1, version for SAP HANA running on any HANA revision lower than 97.02.
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
AV : Access Vector (Related exploit range) | Network (N)
AC : Access Complexity (Required attack complexity) | Medium (M)
Au : Authentication (Level of authentication needed to exploit) | None (N)
C : Impact to Confidentiality | Complete (C)
I : Impact to Integrity | Complete (C)
A : Impact to Availability | Complete (C)
SAP HANA Extended Application Services (XS)
This issue is relevant for users of SAP Business One 9.0, version for SAP HANA and SAP Business One 9.1, version for SAP HANA running on any HANA revision lower than 85.4.
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
AV : Access Vector (Related exploit range) | Network (N)
AC : Access Complexity (Required attack complexity) | Medium (M)
Au : Authentication (Level of authentication needed to exploit) | None (N)
C : Impact to Confidentiality | Complete (C)
I : Impact to Integrity | Complete (C)
A : Impact to Availability | Complete (C)
SAP provides the CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
Cause
A buffer overflow vulnerability exists in some revisions of the SAP HANA Extended Application Services. If an attacker has network access to the HTTP interface of SAP HANA Extended Application Services, the vulnerability might enable an attacker to inject code into the working memory that is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate.
Solution
The issue about the SAP HANA SQL interface is fixed with revision 102.01 (for SPS10) and 97.03 (for SPS09). The issue about SAP HANA Extended Application Services (XS) is fixed with revision 92 (for SPS09) and 85.05 (for SPS08); SPS10 is not affected.
For SAP Business One, version for SAP HANA customers, please do the following:
- Upgrade SAP HANA to Revision 97.
- Upgrade SAP Business One, version for SAP HANA to 9.1 PL09.
- Use a whitelist to allow only trusted IP addresses to access the SAP HANA SQL interface (port 3<InstanceNumber>15), as follows:
  - Log on as root to your SAP HANA server.
  - Create a whitelist, as follows:
    - Create an ACCEPT rule, using this command: iptables -A INPUT -p tcp -s <AcceptedIP> --dport 3<InstanceNumber>15 -j ACCEPT
      For example: iptables -A INPUT -p tcp -s 192.168.0.10 --dport 30015 -j ACCEPT
    - Repeat the above step for each IP address that you allow to access the target SAP HANA SQL interface.
    - To ensure only trusted IP addresses have access, create a default DROP rule, using this command: iptables -A INPUT -p tcp --dport 3<InstanceNumber>15 -j DROP
      For example: iptables -A INPUT -p tcp --dport 30015 -j DROP
    - If you want to delete a rule, execute this command: iptables -D INPUT <CurrentPositionInRuleList>
      For example: iptables -D INPUT 1
    - To check the access control list, execute this command: iptables --list
    Caution: The default DROP rule must be the last line in the access control list.
- Never expose your SAP HANA server to the Internet; in other words, no Internet IP addresses should have access to your SAP HANA server.
- Never map the SAP HANA SQL interface port to the Internet.
- For Internet user access, we strongly recommend that you use a firewall or the IP table to block untrusted access.
SAP intends to provide a patch or patches in order to solve the problem described.
The section Reference to Related Notes below will list the specific patches once they become available.
The corresponding Info file of the patches in SAP Service Marketplace will also show the SAP Note number.
Be aware that these references can only be set at patch release date.
SAP will deliver patches only for selected releases at its own discretion, based on the business impact and the complexity of the implementation.
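The whitelist procedure above, scripted as an added example that is not part of the SAP note. It assumes the instance number is given as two digits and the trusted addresses as further arguments, derives the SQL port 3<InstanceNumber>15 from the instance number, and lets the IPTABLES variable be overridden for a dry run; the sample `iptables -S INPUT` listing it checks is constructed, not captured from a real system. The check function verifies the note's Caution that the default DROP rule is the last rule for the port.

```shell
#!/bin/sh
# Added example, not from the SAP note: scripted version of the iptables
# whitelist for the SAP HANA SQL interface port 3<InstanceNumber>15.
# Assumptions: the instance number is passed as two digits, trusted IPs as
# further arguments, and IPTABLES may be overridden (e.g. IPTABLES=echo) for a
# dry run on a machine where iptables is not available.

IPTABLES="${IPTABLES:-iptables}"

# Derive the SQL port from a two-digit instance number: 00 -> 30015.
# Anything that is not exactly two digits is rejected so a typo cannot
# silently produce a rule for the wrong port.
hana_sql_port() {
  case "$1" in
    [0-9][0-9]) printf '3%s15\n' "$1" ;;
    *) printf 'invalid instance number: %s\n' "$1" >&2; return 1 ;;
  esac
}

# Print the ordered rule list the note describes: one ACCEPT per trusted
# address, then the default DROP as the last line.
# Usage: hana_whitelist_rules <instance> <ip>...
hana_whitelist_rules() {
  port=$(hana_sql_port "$1") || return 1
  shift
  for ip in "$@"; do
    printf 'INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
  done
  printf 'INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# Append each rule only if it is not already present (-C checks for an
# existing rule), so re-running the script does not duplicate rules.
# Must be run as root on the HANA server.
apply_hana_whitelist() {
  hana_whitelist_rules "$@" | while read -r rule; do
    # word-splitting of $rule into separate arguments is intended here
    # shellcheck disable=SC2086
    $IPTABLES -C $rule 2>/dev/null || $IPTABLES -A $rule
  done
}

# Verify the note's Caution on an `iptables -S INPUT` listing read from stdin:
# the last rule for the SQL port must be the default DROP. Returns 0 if so,
# 1 if there is no rule for the port or an ACCEPT follows the DROP.
check_drop_last() {
  port=$(hana_sql_port "$1") || return 1
  awk -v p="--dport $port " '
    index($0, p) { last = $0; n++ }
    END { if (n > 0 && last ~ /-j DROP$/) exit 0; exit 1 }
  '
}

# Constructed sample of what `iptables -S INPUT` prints after the rules from
# the note have been applied (not captured from a real system).
SAMPLE_LISTING='-A INPUT -p tcp -s 192.168.0.10/32 --dport 30015 -j ACCEPT
-A INPUT -p tcp --dport 30015 -j DROP'

# Stand-alone run: show the planned rules and check the sample listing.
hana_whitelist_rules 00 192.168.0.10 192.168.0.11
printf '%s\n' "$SAMPLE_LISTING" | check_drop_last 00 && echo "default DROP is last: OK"
```

To apply the rules on the server, call `apply_hana_whitelist 00 192.168.0.10 192.168.0.11` as root; `iptables -L INPUT --line-numbers` shows the position needed for the note's `iptables -D INPUT <CurrentPositionInRuleList>` step. Rules appended with `iptables -A` live only in the running kernel, so they must be saved with the distribution's mechanism (for example `iptables-save`) to survive a reboot.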
Other terms
Buffer overflow, RCE, remote code execution, SAP HANA Extended Application Services, HANA XS
Header Data
Released On | 20.11.2015 09:05:48 |
Release Status | Released for Customer |
Component | SBO-BC-DB-HANA SAP HANA database-related issues |
Priority | HotNews |
Category | Program error |