SAP HANA is a very fast growing product in many SAP environments, that has moved away from just an in-memory database to a complete application plus database system. In today’s blogpost we’ll talk about the SAP HANA internal communication interface, discuss its use in different scenarios, the configuration parameters involved and the different options that SAP HANA administrators should consider to secure their systems. We’ll also perform an analysis of the default configuration introduced in SPS 12 reviewing different parameters and how they impact overall security.
Today, Onapsis Research Labs released 15 advisories related to SAP HANA and some building components, as well as Internal Communication Channels (also known as TREXNet). This is the first launch of more than 40 advisories we will be publishing in the following month including several vulnerabilities we have discovered in business critical application such as SAP and Oracle. In this blogpost, we'll analyze two different vulnerabilities affecting SAP HANA.
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
A few days ago, an important set of bugs that affect the suites of protocols TLS/SSL were published in https://www.smacktls.com/. These protocols are mainly used as the security layer underlying the HTTP(s) protocol, but many other protocols may be affected. The described vulnerabilities have received specific names: SKIP-TLS and FREAK.
Last week a new vulnerability was reported, affecting the GNU C library (glibc). This vulnerability affects a wide range of Linux distributions, among which are some supported by SAP products as stated in SAP Note 171356.
It's important to understand that even though this vulnerability does not directly affect any SAP application, it affects a lower layer, the operating system, allowing any application to potentially use the vulnerable function.
Today's post will be focused on analyzing the inner workings of the SAP CODVN H algorithm.
Before jumping into the algorithm's details I will highlight the most important features. For more information you can refer to the SAP security note 991968. The algorithm provides the following capabilities:
Last week we were doing some tests on the HANA XS engine trying to understand how an attacker could bypass the XSS filter provided by the ICM.
Hi! I was reviewing some events coming from the Security Audit Log and noticed an interesting behavior.
For those who never heard about it, the Security Audit Log (a.k.a SAL) allows SAP security administrators to keep track of the activities performed in their systems. In a future post we will discuss how to enable and configure it.
This week the Onapsis Research Labs released an advisory for a server-side code injection vulnerability in SAP HANA integrated IDE. For more information about the SAP Note that fixes this issue, please refer to the Onapsis Research Labs advisory. To define a reasonable exploitation scenario, we will assume the following conditions are met by our testing landscape:
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated. In order to provide a predictable and scheduled flow of vulnerability mitigation information and security patches, SAP releases their latest Security Notes information on the second Tuesday of every month.