Former Member
Recently a security advisory from @stake reported that the SAP DB (now MySQL MaxDB) software package offers some opportunities for misuse, especially through its Web server. This blog addresses that report and points to the database versions that solve the problem.

We have addressed and solved all the known issues; the fixes have either already shipped or will ship soon in the versions specified below.

Be aware that, with sensible handling, these vulnerabilities can be considered non-critical for systems operated in an SAP-integrated landscape. Typically SAP Systems are insulated against outside access with firewalls. NI access can only occur point-to-point, and only if the transmitted identifier is known. The NI connection must be explicitly enabled by the customer over the SAP Service System (OSS) and is disabled again after the service contact. SAP Support must have installed additional software before the connection can be used. All clients other than SAP Support should be inside the firewall.

You can start the x_server without the niserver (x_server -Y). However, SAP DB Service connections are then impossible, so in cases where you require support the x_server would have to be stopped and restarted without the -Y option to allow SAP Support to access it. You should consider this point.

The following versions will solve this problem:

  • 7.3.00.46
  • 7.4.02.24 (not yet available)
  • 7.4.03.30
  • 7.5.00.08 (available Dec '03)

The gaps in the Web server are closed as of 7.4.03.30 and in all 7.5 versions. You do not need a running SAP DB Web server to operate SAP Systems. If you still want to use the Web server, for example to operate the Web tools, there is no problem as long as it runs on any computer other than the database server.

As an alternative to the in-house Web server, you can also temporarily use Apache, which is secure at this point.

The following versions fill the other gaps:

  • 7.3.00.30
  • 7.4.02.16
  • 7.4.03.10
  • 7.5 (all versions)
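To check an installed SAP DB version against the thresholds listed above, here is a small added example (not code from SAP or the original post); the version tables are taken from this page, and the installed version strings it is run on are constructed samples:

```python
"""Check whether an installed SAP DB / MaxDB build carries the fixes named in
the advisory above. Thresholds come from the page; sample inputs are constructed."""

from typing import Dict, Optional, Tuple

Version = Tuple[int, ...]

# First fixed build per release line (key = first three version components;
# 7.5 is treated as one line because the page names it as a whole).
ALL_KNOWN_ISSUES: Dict[str, str] = {
    "7.3.00": "7.3.00.46",
    "7.4.02": "7.4.02.24",  # "not yet available" at the time of writing
    "7.4.03": "7.4.03.30",
    "7.5": "7.5.00.08",
}
# Web server gaps: closed as of 7.4.03.30 and in all 7.5 versions.
WEB_SERVER_GAPS: Dict[str, str] = {"7.4.03": "7.4.03.30", "7.5": "7.5.00.00"}
# The other gaps, per the second list on the page.
OTHER_GAPS: Dict[str, str] = {
    "7.3.00": "7.3.00.30",
    "7.4.02": "7.4.02.16",
    "7.4.03": "7.4.03.10",
    "7.5": "7.5.00.00",
}


def parse_version(text: str) -> Version:
    """Turn '7.4.03.30' into (7, 4, 3, 30); tuples compare component-wise."""
    parts = text.strip().split(".")
    if not 2 <= len(parts) <= 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised SAP DB version string: {text!r}")
    return tuple(int(p) for p in parts)


def release_line(v: Version) -> str:
    if v[:2] == (7, 5):
        return "7.5"
    if len(v) < 3:
        return f"{v[0]}.{v[1]}"  # too short to map onto a 7.3/7.4 line
    return f"{v[0]}.{v[1]}.{v[2]:02d}"


def is_fixed(installed: str, table: Dict[str, str]) -> Optional[bool]:
    """True/False if the build is at or above its line's first fixed build;
    None when the page names no fixed build for that release line."""
    v = parse_version(installed)
    line = release_line(v)
    if line not in table:
        return None
    return v >= parse_version(table[line])


def assess(installed: str) -> Dict[str, Optional[bool]]:
    return {
        "all_known_issues": is_fixed(installed, ALL_KNOWN_ISSUES),
        "web_server_gaps": is_fixed(installed, WEB_SERVER_GAPS),
        "other_gaps": is_fixed(installed, OTHER_GAPS),
    }
```

A result of None for the Web server check on a 7.3 or 7.4.02 build reflects that the page names no fix for those lines; run the Web server elsewhere or use Apache as the text suggests.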