Yesterday the security firm Onapsis issued 21 security advisories (detailing 22 security issues) for SAP's HANA database. As mentioned in previous blog posts, HANA is an in-memory database: it is held in RAM (computer memory) for very fast performance, although it is periodically written to disk as recovery checkpoints.
All 22 issues are remotely exploitable, and only one of them requires the attacker to already be authenticated (logged in) to the database.
Why Should These Issues Be Considered Important?
The severity of the security issues disclosed can be summarized as follows:
9x critical issues: These could allow an unauthenticated remote attacker to take any action they wish with any of the business information stored within your HANA database. The attacker could also shut down the database.
6x high risk issues: These could allow an attacker to access sensitive business information or to conduct a DoS (denial of service) attack against your database, leaving it in an unusable state until it is restarted.
7x medium risk issues: These could allow an attacker to obtain the values of environment variables used within the HANA database, create directories (folders) of their choice, create files of their choice, list the files within the database and access sensitive information.
As noted by Onapsis in their analysis, the critical issues mentioned above are among the most severe they have encountered, since they give an unauthenticated attacker unprecedented access to your database.
How Can I Protect Myself From These Issues?
To address these flaws in SAP HANA, refer to the security advisories published by Onapsis. Those 21 downloadable PDF advisories contain the necessary links to obtain the patches from SAP for each issue.
In addition, Onapsis has published the first in a series of blog posts focused on improving the security of SAP HANA installations. They provide best practice advice on the configuration of the database, user privileges and related topics.
If you are in any doubt or would like further advice, please contact SAP Support for more information.