-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Onapsis Security AdvisoryONAPSIS-2015-007: SAP HANA Log Injection
Vulnerability
Under certain conditions the SAP HANA XS engine is vulnerable to
arbitrary log
injection, allowing remote authenticated attackers to write arbitrary
information in log files.
This could be used to corrupt log files or add fake content misleading
an administrator.
Risk Level: Medium
SAP HANA is a platform for real-time business. It combines database,
data processing, and application platform capabilities in-memory. The
platform provides libraries for predictive, planning, text processing,
spatial, and business analytics.
Under certain conditions a remote authenticated attacker can inject log
lines performing specially crafted HTTP requests to the vulnerable SAP
HANA XS Engine.
The vulnerable application is βgrant.xsfuncβ, located under:
/testApps/grantAccess/grant.xscfunc
Implement SAP Security Note 2109818
2014-10-03: Onapsis provides vulnerability information to SAP AG.
2014-11-07: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-01-26: Onapsis provides additional information about the
vulnerability to SAP AG.
2015-02-10: SAP AG publishes security note 2109818 which fixes the problem.
2015-05-27: Onapsis publishes security advisory.
Organizations depend on Onapsis because of our ability to provide
reliable expertise and solutions for securing business essentials
Onapsis Research Labs provides the industry analysis of key security
issues that impact business-critical systems and applications.
Delivering frequent and timely security and compliance advisories with
associated risk levels, Onapsis Research Labs combine in-depth knowledge
and experience to deliver technical and business-context with sound
security judgment to the broader information security community.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.22 (GNU/Linux)
Comment: Onapsis Research Team
iEYEARECAAYFAlVmDLIACgkQz3i6WNVBcDUR4ACeK/opClwvxRdiTBODTGzuNT3T
mfQAoMb54pvOSeCMqeMjKokdsN/i8GNL
=JXst
-----END PGP SIGNATURE-----