Technology Blogs by SAP
former_member183326

An update for HANA users who want to know more about the OpenSSL DROWN attack.

SAP HANA and HANA based applications should not be affected by the DROWN vulnerability.


SAP HANA database uses SAP’s own CommonCryptoLib for communication encryption purposes, which is not affected by DROWN.

SAP HANA can be configured to use the OpenSSL instance that is provided by the Linux operating system (provided by SUSE or Red Hat). SSLv2 is not offered or used in these scenarios.

Therefore this configuration is also not affected by DROWN. Customers are advised to update their operating system according to their maintenance agreements with their operating system vendors. SAP explicitly allows customers to deploy security updates of the operating system.

More information:

http://service.sap.com/sap/support/notes/1944799 (SLES)

http://service.sap.com/sap/support/notes/2009879 (Red Hat, see attached document)

SAP HANA extended application services, advanced model (XS Advanced) shipment contains OpenSSL for communication encryption. These channels do not support SSLv2 and are therefore not affected by DROWN.