SAP Releases Security Updates for HANA Database November 2015

Yesterday the security firm Onapsis issued 21 security advisories (detailing 22 security issues) for SAP’s HANA database. As mentioned in previous blog posts, this is a database that is stored in RAM (computer memory) for very fast performance (although the database is periodically written to a hard disk for the purpose of recovery checkpoints).

All 22 issues are remotely exploitable, with only 1 requiring an attacker to be already authenticated (logged into the database).

Why Should These Issues Be Considered Important?
The severity of the security issues disclosed can be summarized as follows:

9x critical issues: These issues could allow an unauthenticated remote attacker to take any action they wish with any of your business information stored within your HANA database. The attacker could also shut down the database.

6x high risk issues: Such issues could allow an attacker to access sensitive business information or conduct a DoS (denial of service) attack on your database, since exploiting these issues would leave the database in an unusable state until restarted.

7x medium risk issues: These issues could allow an attacker to obtain the values of environmental variables used within the HANA database, create directories (folders) of their choice, create files of their choice, list the files within the database and access sensitive information.

As noted by Onapsis in their analysis within this blog post, the critical issues mentioned above are some of the most severe they have encountered, since they allow the attacker unprecedented access to your database.

How Can I Protect Myself From These Issues?
To address the flaws within SAP HANA it is recommended to refer to the security advisories mentioned in this Onapsis blog post. Those 21 downloadable PDF advisories contain the necessary links to obtain patches from SAP for these issues.

In addition, Onapsis has published the first in a series of blog posts focused on improving the security of SAP HANA installations. They provide best practice advice for the configuration of this database as well as user privileges etc.

If you are in any doubt or would like further advice, please contact SAP Support for more information.

Thank you.

1 thought on “SAP Releases Security Updates for HANA Database November 2015”

  1. Hiya

    Hello There,

    Thank you for the update. From now onward I start to use this blog in my training practice. Thank you for explaining each in step. I use blogs for my easy reference which were quite useful to get started with.
    Security means protecting company’s critical data from unauthorized access and use, and to ensure that Compliance and standards are met as per the company policy. SAP HANA enables the customer to implement different security policies and procedures and to meet compliance requirements of the company.
    SAP HANA presents all security associated characteristics such as Authentication, Authorization, Encryption, Auditing, and some add-on features, which are not approved in other multitenant databases.
    Appreciate your effort for making such useful blogs and helping the community.

    Best Regards,

