OpenSSL vulnerability DROWN attack CVE-2016-0800
An update for HANA users who want to know further on the OpenSSL DROWN attack.
SAP HANA and HANA based applications should not be affected by the DROWN vulnerability.
SAP HANA database uses SAP’s own CommonCryptoLib for communication encryption purposes, which is not affected by DROWN.
SAP HANA can be configured to use the OpenSSL instance which is provided by the Linux operating system (provided by Suse or RedHat). SSLv2 is not offered/used in these scenarios.
Therefore this configuration is also not affected by DROWN. Customers are advised to update their operating system according to their maintenance agreements with their operating system vendors. SAP explicitly allows customers to deploy security updates of the operating system.
SAP HANA extended application services, advanced model (XS Advanced) shipment contains OpenSSL for communication encryption. These channels do not support SSLv2 and are therefore not affected by DROWN.