SAP Products and OpenSSL Heartbleed
There has been a lot of discussion last week about CVE-2014-0160, also known as the Heartbleed vulnerability. For those unfamiliar with the vulnerability I recommend heartbleed.com and, for a light hearted explanation, XKCD. Along with impacting a good chunk of the Internet it has also taken a toll on a number of products including those from Cisco, VMWare, and Oracle to name just a few. As you can imagine we have been watching the issue pretty closely and performing testing in our lab in order to better understand the impact, if any to SAP and its customers. Here is our current understanding on the status of some of SAP's products:
- As posted on the SAP Community Network, SQL Anywhere Server, Mobilink Server, and Relay Server Outbound are vulnerable (http://scn.sap.com/community/sql-anywhere/blog/2014/04/11/openssl-heartbleed-and-sql-anywhere).
- SAP BusinessObjects Enterprise XI3.1 and SAP BusinessObjects Business Intelligence BI4.x. As discussed in SAP Support Note 2003582 (http://service.sap.com/sap/support/notes/2003582), BusinessObjects is not vulnerable with the exception of the case where the SSL using APR native Tomcat library has been enabled and the underlying OS uses a vulnerable OpenSSL library. The SCN has a great post with more information, http://scn.sap.com/community/bi-platform/blog/2014/04/11/testing-for-heartbleed-vulnerability-for-the-bi-platform.
- SAP HANA Cloud Appliance. The HANA Cloud Application (cal.sap.com) does not ship with a vulnerable version of OpenSSL. In our testing we found that by default it uses OpenSSL 0.9.8j.
- SAP Netweaver and SAP HANA. According to the SAP security team there are "no indications that SAP NetWeaver and SAP HANA are affected" but this is still under investigation. (https://websmp108.sap-ag.de/~sapidb/011000358700000308332014E/).
On behalf of our customers and the SAP community in general we will continue to apply time and resources to investigating the impact of the Heartbleed vulnerability on SAP products.