Symptom
A potential attacker can make malicious calls to the debug
functions of SAP HANA Extended Application Services Classic (XS).
CVSS Information
CVSS Base Score: 5.0 / 10
SAP provides this CVSS base score as an estimate of the risk posed by
the issue reported in this note. This estimate does not take into
account your own system configuration or operational environment. It is
not intended to replace any risk assessments you are advised to conduct
when deciding on the applicability or priority of this SAP security
note. For more information, see the FAQ section at https://support.sap.com/securitynotes.
CVSS Base Vector: AV:N/AC:L/Au:N/C:N/I:P/A:N
AV : Access Vector (Related exploit range) | Network (N) |
AC : Access Complexity (Required attack complexity) | Low (L) |
Au : Authentication (Level of authentication needed to exploit) | None (N) |
C : Impact to Confidentiality | None (N) |
I : Impact to Integrity | Partial (P) |
A : Impact to Availability | None (N) |
Other Terms
log injection, SAP HANA, trace, XS classic model
Reason and Prerequisites
An unauthenticated attacker might be able to send specially crafted
HTTP requests to the SAP HANA Extended Application Services Classic debug
function.
This can lead to forged additional entries in the trace files of the XS process and consume disk space on the HANA system. The additional space consumption is limited by the trace file rotation that is enabled by default in SAP HANA systems (see the SAP HANA Administration Guide for details).
In addition, specially crafted HTTP requests can exhaust the available memory buffers and crash the XS process. The XS process is restarted automatically by the SAP HANA system.
Existing data cannot be changed or read through this vulnerability.
Solution
The debug function has been improved with SAP HANA revision 102.02
for SPS10 or later. Update to this or a later version. SPS 11 is not
affected.
Workaround: The internal HANA Web Dispatcher can be used to block debugger requests. To do so, add the parameter icm/HTTP/auth_1 with the value PREFIX=/sap/hana/xs/debugger, PERMFILE=/dev/null to the [profile] section of webdispatcher.ini. Alternatively, block access to the URLs /sap/hana/xs/debugger/* at the network layer (e.g. with a firewall or reverse proxy).
Please be aware that with this workaround, debugging of SAP HANA Extended Application Services (XS) is not available (including XS debugging via SAP HANA Studio).
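The following script is an added example, not part of the SAP note and not SAP's own tooling. It shows what the Web Dispatcher workaround looks like inside a webdispatcher.ini [profile] section and provides a small check that an administrator can run over the file to confirm that some icm/HTTP/auth_<n> rule covers the /sap/hana/xs/debugger prefix with PERMFILE=/dev/null. The ini samples are constructed for the example; the assumption that a PREFIX is matched as a plain string prefix of the request URL, and that an empty permission file denies every request under it, is the behaviour the note relies on.

```python
"""Added example (not from the SAP note): verify that webdispatcher.ini
carries an icm/HTTP/auth_<n> rule blocking the XS debugger URL prefix."""
import re

# Constructed sample: [profile] section with the workaround applied as icm/HTTP/auth_1.
SAMPLE_INI_PATCHED = """\
[profile]
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTP/auth_1 = PREFIX=/sap/hana/xs/debugger, PERMFILE=/dev/null
"""

# Constructed sample: same section without the workaround.
SAMPLE_INI_UNPATCHED = """\
[profile]
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# URL prefix of the XS debugger, as named in the note.
DEBUGGER_PREFIX = "/sap/hana/xs/debugger"


def parse_profile_auth_rules(ini_text):
    """Return (PREFIX, PERMFILE) pairs from icm/HTTP/auth_<n> keys in [profile].

    Other sections and other parameters are ignored; comments and blank
    lines are skipped.
    """
    rules = []
    section = None
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        header = re.match(r"^\[(.+)\]$", line)
        if header:
            section = header.group(1).lower()
            continue
        if section != "profile" or "=" not in line:
            continue
        key, value = (s.strip() for s in line.split("=", 1))
        if not re.match(r"^icm/HTTP/auth_\d+$", key):
            continue
        # The value is a comma-separated list of OPTION=value pairs.
        opts = {}
        for part in value.split(","):
            if "=" in part:
                k, v = part.split("=", 1)
                opts[k.strip().upper()] = v.strip()
        rules.append((opts.get("PREFIX"), opts.get("PERMFILE")))
    return rules


def debugger_blocked(ini_text):
    """True if an auth rule covers the debugger prefix with PERMFILE=/dev/null.

    Assumption (not stated in the note): PREFIX matches as a string prefix of
    the request URL, so a broader prefix such as "/" also covers the debugger.
    """
    for prefix, permfile in parse_profile_auth_rules(ini_text):
        if prefix is None or permfile != "/dev/null":
            continue
        if DEBUGGER_PREFIX.startswith(prefix.rstrip("/")):
            return True
    return False


if __name__ == "__main__":
    for label, text in (("patched", SAMPLE_INI_PATCHED), ("unpatched", SAMPLE_INI_UNPATCHED)):
        print(f"{label}: debugger prefix blocked = {debugger_blocked(text)}")
```

Run it against a real file by reading webdispatcher.ini into a string and passing it to debugger_blocked(); a False result means the workaround is absent or uses a different prefix or permission file than the note prescribes. The check does not confirm that the Web Dispatcher is the only path to the XS process, so a network-layer block remains the alternative the note offers.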
Header Data
Released On | 12.01.2016 00:03:02 |
Release Status | Released for Customer |
Component | HAN-AS-XS SAP HANA Extended Application Services |
Priority | Correction with medium priority |
Category | Program error |
Externally Reported | Yes |