SAP BusinessObjects 4.x Vulnerabilities via Corba and XSS in HANA XS
On February 25, 2015, Onapsis released advisories for five SAP BusinessObjects Enterprise/Edge and SAP HANA vulnerabilities. The vulnerabilities were disclosed responsibly, giving SAP time to correct them before the advisories were published.
Below is a summary of each advisory with pointers to the relevant SAP Notes. Three of the five are rated High Risk, and all three are exploited through the CORBA layer of the BI Platform; of the two rated Medium, one is also a CORBA issue in the BI Platform and the other is a cross-site scripting issue in SAP HANA.
Vulnerabilities rated High:
Unauthorized Audit Information Delete via CORBA (CVE-2015-2075)
Exploiting this vulnerability would allow a remote unauthenticated attacker to delete audit information on the BI system before these events are written into the auditing database.
Resolution:
Details of the fix are available in SAP Note ID 2011396. Please update your BusinessObjects BI 4.x system to one of the following patches, or a subsequent patch or support pack:
- BI 4.0 Patch 9.2
- BI 4.0 SP10
- BI 4.1 Patch 3.1
- BI 4.1 SP04
SAP Note ID link: http://service.sap.com/sap/support/notes/2011396
Unauthorized File Repository Server Write via CORBA (CVE-2015-2074)
Exploiting this vulnerability would allow a remote unauthenticated attacker to overwrite files on the File Repository Server (FRS), provided the attacker knows the report ID and path, for example “frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt”.
Resolution:
Details of the fix are available in SAP Note ID 2018681. Please update your BusinessObjects BI 4.x system to the following support pack, or a subsequent patch or support pack:
- BI 4.1 SP04
Note: Earlier versions of BI 4.x have a workaround, which is to configure the FRS to run in FIPS mode (add “-fips” to the command line arguments in the CMC) or enable CORBA SSL.
SAP Note ID link: https://service.sap.com/sap/support/notes/2018681
Unauthorized File Repository Server (FRS) Read via CORBA (CVE-2015-2073)
Exploiting this vulnerability would allow a remote unauthenticated attacker to retrieve reports stored on the FRS, provided the attacker knows the report ID and path, for example “frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt”.
Resolution: Details of the fix are available in SAP Note ID 2018682. Please update your BusinessObjects BI 4.x system to the following support pack, or a subsequent patch or support pack:
- BI 4.1 SP04
Note: Earlier versions of BI 4.x have a workaround, which is to configure the FRS to run in FIPS mode (add “-fips” to the command line arguments in the CMC) or enable CORBA SSL.
SAP Note ID Link: https://service.sap.com/sap/support/notes/2018682
Vulnerabilities rated Medium:
Multiple Cross-Site Scripting Vulnerabilities in SAP HANA XS Administration Tool
Reflected cross-site scripting vulnerabilities in this tool may allow an attacker who gets a logged-in user to open a crafted link to deface the application or harvest that user's authentication information.
Resolution: Details of the fix are available in SAP Note ID 1993349. Please update your SAP HANA system to one of the following patches, or a later revision:
- SAP HANA revision 72 (for SPS07)
- SAP HANA revision 69 Patch 4 (for SPS06)
SAP Note ID Link: https://service.sap.com/sap/support/notes/1993349
Unauthorized Audit Information Access via CORBA (CVE-2015-2076)
Exploiting this vulnerability would allow a remote unauthenticated user to gain access to audit events in a BI system.
Resolution: Details of the fix are available in SAP Note ID 2011395. Please update your BusinessObjects BI 4.x system to one of the following patches, or a subsequent patch or support pack:
- BI 4.0 Patch 9.2
- BI 4.0 SP10
- BI 4.1 Patch 3.1
- BI 4.1 SP04
SAP Note ID Link: https://service.sap.com/sap/support/notes/2011395
I strongly recommend keeping up to date on patches and support packs, not only to take advantage of the most recent security fixes but also to get new features in the product. Each of the vulnerabilities affecting the BI Platform has been resolved in BI 4.1 SP04 or later. If you haven’t already, this is a good opportunity to build the business case for updating your environment. Vulnerabilities left unaddressed put your business users and data at risk.
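The fix levels above are scattered across four SAP Notes, so an administrator with several landscapes usually wants them in one place. The following Python script is an added example for this post, not SAP or Onapsis code: it encodes the BI 4.x and HANA fix levels listed above and reports, for a given installed level, which of the CORBA fixes it carries, whether the FRS workaround (-fips or CORBA SSL) is still needed, and whether the HANA XS Administration Tool fix is present. The version string formats it accepts (“4.0 SP09 Patch 2”, “4.0 Patch 9.2”, “4.1 SP04”, “rev 69 patch 4”) are assumptions made for the example, as is the reading of “subsequent patch or support pack” as a later patch on the same SP or any later SP within the same 4.0/4.1 line; the inventory it runs over is constructed.

```python
"""Check SAP BI 4.x and SAP HANA levels against the fix levels in this post.

Added example, not SAP or Onapsis code.  Fix levels come from SAP Notes
2011396/2011395 (audit CVEs), 2018681/2018682 (FRS CVEs) and 1993349 (HANA XSS).
Assumed input formats: "4.0 SP09 Patch 2", "4.0 Patch 9.2", "4.1 SP04" for BI;
"rev 72", "revision 69 patch 4", "70" for HANA.
"""
import re

# (support pack, patch) fix levels per BI 4.x minor line.  "Patch 9.2" in the
# SAP Notes means Patch 2 on SP09.  Anything later in the same minor line
# (a higher patch on that SP, or any higher SP) is taken as fixed (assumption).
AUDIT_FIXES = {                  # CVE-2015-2075, CVE-2015-2076
    0: [(9, 2), (10, 0)],        # BI 4.0 Patch 9.2, BI 4.0 SP10
    1: [(3, 1), (4, 0)],         # BI 4.1 Patch 3.1, BI 4.1 SP04
}
FRS_FIXES = {                    # CVE-2015-2073, CVE-2015-2074
    1: [(4, 0)],                 # BI 4.1 SP04 only; no BI 4.0 fix level is listed
}

_BI_RE = re.compile(
    r"^\s*4\.(?P<minor>[01])\s+"
    r"(?:SP\s*(?P<sp>\d+)(?:\s+Patch\s+(?P<p1>\d+))?"
    r"|Patch\s+(?P<sp2>\d+)\.(?P<p2>\d+))\s*$",
    re.IGNORECASE,
)
_HANA_RE = re.compile(
    r"^\s*(?:rev(?:ision)?\s*)?(?P<rev>\d+)(?:\s+patch\s+(?P<patch>\d+))?\s*$",
    re.IGNORECASE,
)


def parse_bi(version):
    """Return (minor, sp, patch) for a BI 4.x version string."""
    m = _BI_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised BI 4.x version: {version!r}")
    minor = int(m["minor"])
    if m["sp"] is not None:
        return minor, int(m["sp"]), int(m["p1"] or 0)
    return minor, int(m["sp2"]), int(m["p2"])


def parse_hana(version):
    """Return (revision, patch) for a HANA revision string."""
    m = _HANA_RE.match(version)
    if not m:
        raise ValueError(f"unrecognised HANA revision: {version!r}")
    return int(m["rev"]), int(m["patch"] or 0)


def _at_or_above(level, fix):
    sp, patch = level
    fix_sp, fix_patch = fix
    return sp > fix_sp or (sp == fix_sp and patch >= fix_patch)


def bi_status(version):
    """Report which CORBA fixes an installed BI 4.x level carries."""
    minor, sp, patch = parse_bi(version)
    level = (sp, patch)
    audit_fixed = any(_at_or_above(level, f) for f in AUDIT_FIXES.get(minor, []))
    frs_fixed = any(_at_or_above(level, f) for f in FRS_FIXES.get(minor, []))
    return {
        "audit_corba_fixed": audit_fixed,
        "frs_corba_fixed": frs_fixed,
        # Until the FRS fix is in place the post's workaround applies:
        # run the FRS with -fips, or enable CORBA SSL.
        "frs_workaround_needed": not frs_fixed,
    }


def hana_xss_fixed(version):
    """SAP Note 1993349: revision 72 (SPS07) or revision 69 Patch 4 (SPS06).

    Revisions between 69 and 72 are below the SPS07 fix level and are
    reported as unfixed; only the 69.x line gets the patch-level exception.
    """
    rev, patch = parse_hana(version)
    if rev >= 72:
        return True
    return rev == 69 and patch >= 4


if __name__ == "__main__":
    # Constructed inventory for the demonstration.
    inventory = ["4.0 SP09 Patch 2", "4.0 SP10", "4.1 SP02 Patch 9",
                 "4.1 Patch 3.1", "4.1 SP04"]
    for v in inventory:
        print(f"BI {v:18} {bi_status(v)}")
    for v in ["rev 69 patch 3", "revision 69 patch 4", "70", "rev 72"]:
        print(f"HANA {v:20} xss_fixed={hana_xss_fixed(v)}")
```

Note how a BI 4.0 system comes out: even at SP10 it carries the audit fixes but not the FRS fixes, because no 4.0 fix level is listed for CVE-2015-2073/2074, so the -fips or CORBA SSL workaround stays in force until the system moves to BI 4.1 SP04 or later.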
Information regarding each of the BI support packs/patches, including Administration guides, release notes, fixed issues in each and known issues in each can be found at http://help.sap.com/bobi/.
Information regarding the latest revision of SAP HANA, including install guides, security information and Administration guides, can be found at http://help.sap.com/hana; choose the HANA link appropriate for your environment.
SAP’s security notes portal can be found here: https://support.sap.com/securitynotes
Other links of interest:
I am a new blogger to SCN, but I’ve been with Business Objects and then SAP for several years. I’m interested in bringing more transparency around security topics to SCN, so I’m curious to know what the BI Platform community thinks about these types of posts, as well as anything else you’d like to see.
Please feel free to leave a comment below or contact me directly, I’d love to hear from you!
Hi Jenn,
Thanks for providing clarity on these potential issues in the BI Platform and HANA. It's nice to have a consolidated view without visiting so many different SAP Notes, and you're absolutely correct that these could help expedite customers' ability to move ahead to BI 4.1 SP04 or higher. Thanks for considering the impact to business users and data security.
I hadn't previously heard about the -fips switch for the FRS. It would be interesting for me to see you discuss that topic a bit and how it would help secure the FRS and root directories.
Thanks for the reply, Jim!
I'll look at doing a blog in the future around the -fips switch for the FRS, what the impact is as well as the 'why' behind it.
Great to see this posted. I get asked about security practices all the time and don't have a good single source. Now I do. Breaches of data security are so common in the news these days and it's so important to keep access to it secure.
Thanks for the feedback, Chris!
My goal here is to bring a little more focus to the security aspect, so I'll continue to post information as it is made public.
Thanks for putting a blog together on these vulnerabilities. As I am no security expert myself I'll be following your posts as an extra means to stay up-to-date and to keep the systems safe.
Thanks Jozsef!
I'll post information regarding security as it's made public, along with posting other information relating to security and BI in general.
Hello Jennifer,
Thank you for sharing this summary.
I'm doing a review of these vulnerabilities and my first doubt is related to the affected software.
The Onapsis reports mention BusinessObjects Edge 4.0 as the affected component; however, I read some information about "Edge vs Enterprise" and I understand this affects BusinessObjects Edge/Enterprise 4.X; is that correct? I consider the advisories must mention it clearly to avoid any kind of misunderstanding.
Please update your findings on FIPS mode.
Thank you for your feedback.
Hi Mauricio
Thanks for the reply!
I'll be updating the info on the FIPS switch in a future blog, so stay tuned.
You're right about the Onapsis report mentioning Edge, and I purposely included Enterprise in this blog as well.
The SAP Notes for BI are specific to the Enterprise platform, which is essentially the same product as Edge (with Edge being a leaner, more specific version with a different licence key). Edge uses the BI Support Packs for updates.
I can't comment on why the report only mentioned Edge, but can speculate that it was because that's what was examined by the Onapsis researchers.
To answer your question directly, this does affect BusinessObjects Edge and Enterprise 4.X.
Thank you for your clarification!
Regards
I echo the comments made above, excellent post sharing some very important information.