In our previous blog post and on the SAP HANA security website at http://hana.sap.com/security, we described the comprehensive security approach applied at SAP, and specifically for SAP HANA, that helps customers protect their most valuable assets.
One core element of SAP's security commitment is that SAP provides customers with full transparency on how to set up, operate, and keep their systems secure.
As part of this commitment to transparency, with the latest SAP Security Patch Day on March 14th, 2017, SAP released five security notes for SAP HANA.
Of the five security notes, only two are rated Very High or High criticality. These ratings indicate that affected customer systems could be at serious risk if an attacker exploits one of these vulnerabilities. Both issues affect only customers who:
- Are running on a specific version of the SAP HANA software, or
- Have enabled and exposed an optional component that is disabled by default
We expect very few SAP HANA customers to be affected by these issues. More details on both issues are given in the "Technical Details" section at the end of this post.
Customers are specifically advised to assess whether they are affected by either issue and to take appropriate action. SAP provides detailed information for security experts and administrators in the security notes listed below. Fixes for all issues are included in the newest supported releases of SAP HANA, in line with SAP HANA's maintenance strategy.
If you want to learn more about SAP HANA security, read our SAP HANA security whitepaper or visit http://hana.sap.com/security. For information on SAP’s security strategy and approach, please visit http://sap.com/security.
Additional Technical Details:
Below is a short summary of the most important notes affecting SAP HANA customers (criticality Very High and High). For information on all SAP security notes released as part of this SAP Security Patch Day, please see the SAP Security Response Blog.
- Security note 2424173(*) is rated with a CVSS score of 9.8 (Very High) and can allow an attacker to take control of the system. However, it affects customers only if the optional User Self Service component (disabled by default) has been enabled and exposed to an untrusted network. The component is part of SAP HANA extended application services, classic model. The security note contains instructions on how to check whether the User Self Service tool is enabled and how to protect the system, either by updating or by deactivating the affected service (if it is no longer needed, or as a temporary measure).
- Security note 2429069(*) is rated with a CVSS score of 8.8 (High) and could allow an attacker to elevate privileges by impersonating another user in the system. This issue affects only systems running SAP HANA 2.0 SPS 00 revision 0 that expose SAP HANA extended application services, classic model to an untrusted network.
All security issues are fixed in SAP HANA revision 122.7 or higher for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. Customers already running on these releases are not affected. SAP HANA, Express Edition customers are advised to update to the latest version.
(*) Security notes are accessible to SAP customers through the SAP support portal.