View all newsletters
Receive our newsletter - data, insights and analysis delivered to you

SAP HANA vulnerabilities patched after critical flaws discovered

Onapsis discovered several high-risk vulnerabilities affecting SAP HANA platforms.

By Ellie Burns

SAP has patched a series of critical vulnerabilities in its cloud-based business platform HANA which could allow for a full system compromise without the need of a username and password.

Security firm Onapsis discovered various high-risk vulnerabilities affecting HANA-based products, including HANA 2, S/4 HANA and HANA-based Cloud applications.

The Onapsis Research Labs discovered over 500 vulnerabilities in SAP and Oracle business applications.

SAP released five HANA patches to fix a range of vulnerabilities uncovered in recent months. Of the five security notes, just two are rated with a very high and high criticality.

READ MORE: Google Cloud boosts business app credentials with SAP tie-up

The vulnerabilities affect a specific component, dubbed SAP HANA User Self Service, which is not enabled by default.

The vulnerability, which achieved a very high rank of 9.8 on the 10-point CVSS vulnerability assessing-scale, can allow an attacker to take control of the system.

SAP also fixed a security note 2429069, rated with a CVSS score of 8.8. The vulnerability could enable an attacker to elevate privileges by impersonating another user in the system.HPE, Cisco, Apple, SAP: Tech giants target the enterprise at MWC 2017

Content from our partners
Sherif Tawfik: The Middle East and Africa are ready to lead on the climate
What to look for in a modern ERP system
How tech leaders can keep energy costs down and meet efficiency goals

The issue only affects systems running SAP HANA 2.0 SPS 00 revision 0 that expose SAP HANA extended application services, classic model to an untrusted network.

Other bugs fixed include several denial of service conditions, cross site scripting bugs, and SQL injections.

Onapsis head of research Sebastian Bortnik said: “This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information.

“If these vulnerabilities are exploited, organizations may face severe business consequences.”

SAP security lead Holger Mack said: “All security issues are fixed in SAP HANA revisions 122.7 or higher for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. We expect very few SAP HANA customers to be affected by these issues.”

The security patches were developed by Onapsis and SAP’s product security & engineering teams.

Topics in this article : , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU