-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Onapsis Security AdvisoryONAPSIS-2015-007: SAP HANA Log Injection
Vulnerability

1. Impact on Business
   =====================

Under certain conditions the SAP HANA XS engine is vulnerable to
arbitrary log
injection, allowing remote authenticated attackers to write arbitrary
information in log files.
This could be used to corrupt log files or add fake content misleading
an administrator.

Risk Level: Medium

2. Advisory Information
   =======================

• • Public Release Date: 2015-05-27
• • Subscriber Notification Date: 2015-05-27
• • Last Revised: 2015-05-27
• • Security Advisory ID: ONAPSIS-2015-007
• • Onapsis SVS ID: ONAPSIS-00140
• • CVE: CVE-2015-3994
• • Researcher: Fernando Russ, Nahuel D. Sanchez
• • Initial Base CVSS v2: 4.0 (AV:N/AC:L/Au:S/C:N/I:P/A:N)

3. Vulnerability Information
   ============================

• • Vendor: SAP A.G.
• • Affected Components: SAP HANA DB 1.00.73.00.389160 (NewDB100_REL)
• • Vulnerability Class: Improper Output Neutralization for Logs (CWE-117)
• • Remotely Exploitable: Yes
• • Locally Exploitable: No
• • Authentication Required: Yes
• • Original Advisory:
    http://www.onapsis.com/research/security-advisories/SAP-HANA-log-injection-vulnerability-in-extended-application-services

4. Affected Components Description
   ==================================

SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.

5. Vulnerability Details
   ========================

Under certain conditions a remote authenticated attacker can inject log
lines performing specially crafted HTTP requests to the vulnerable SAP
HANA XS Engine.

The vulnerable application is “grant.xsfunc”, located under:

        /testApps/grantAccess/grant.xscfunc

6. Solution
   ===========

Implement SAP Security Note 2109818

7. Report Timeline
   ==================

2014-10-03: Onapsis provides vulnerability information to SAP AG.
2014-11-07: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-01-26: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-02-10: SAP AG publishes security note 2109818 which fixes the problem.
2015-05-27: Onapsis publishes security advisory.
Organizations depend on Onapsis because of our ability to provide
reliable expertise and solutions for securing business essentials

About Onapsis Research Labs

Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team

iEYEARECAAYFAlVmDLIACgkQz3i6WNVBcDUR4ACeK/opClwvxRdiTBODTGzuNT3T
mfQAoMb54pvOSeCMqeMjKokdsN/i8GNL
=JXst
-----END PGP SIGNATURE-----