Onapsis security found 10 security issues in SAP’s HANA database and reported them to SAP earlier this year; the issues were publicly announced earlier last week. HANA is a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints).
1 of the 2 most serious vulnerabilities within SAP HANA is remotely exploitable.
Why Should These Issues Be Considered Important?
The 2 high-risk vulnerabilities could allow an attacker to execute commands of their choice on the victim SAP HANA system, disclosing sensitive information and giving them the potential to alter the system’s settings, blocking legitimate users from accessing it.
The remaining 8 medium-risk vulnerabilities provide an attacker with the ability to partially compromise a HANA system, but the attacker would have to have already partially compromised the system in the first instance to use these flaws to their further advantage.
For the Business Objects BI Platform vulnerability, an attacker who successfully exploits the buffer overflow issue can cause a denial of service and/or gain access to sensitive information within the system, along with the ability to modify this data.
How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA, it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those advisories contain the necessary links to obtain patches from SAP for these issues.
For the Business Objects BI Platform vulnerability, SAP recommends installing the patches discussed within SAP Security Note 2001108. This note is also mentioned within this Onapsis blog post. Please note that an SAP Marketplace account is required to access the contents of this Security Note. An account can be created from this page.
If you are in any doubt or would like further advice, please contact SAP Support for more information.
If any further information concerning the above vulnerabilities becomes available, I will update this blog post as appropriate.