SAP HANA is a very fast growing product in many SAP environments, that has moved away from just an in-memory database to a complete application plus database system. In today’s blogpost we’ll talk about the SAP HANA internal communication interface, discuss its use in different scenarios, the configuration parameters involved and the different options that SAP HANA administrators should consider to secure their systems. We’ll also perform an analysis of the default configuration introduced in SPS 12 reviewing different parameters and how they impact overall security.
Security Researcher Lead
Nahuel D. Sánchez leads the Security Research Team at Onapsis. His work focuses on performing extensive research of SAP products and its components, identifying and reporting security vulnerabilities, attack vectors and advanced exploitation techniques that are applicable to different platforms. Nahuel is one of the most frequent reporter of vulnerabilities in SAP products and has published several "SAP Security In-Depth" documents. He has presented in several security conferences around the world and delivered SAP Security Training several times in both conferences and big companies. He previously worked as a security consultant, evaluating the security of Web applications and as a Penetration Tester in several worldwide projects. His areas of interest include Web security, Reverse Engineering, and Business-Critical Applications Security.
Today, Onapsis Research Labs released 15 advisories related to SAP HANA and some building components, as well as Internal Communication Channels (also known as TREXNet). This is the first launch of more than 40 advisories we will be publishing in the following month including several vulnerabilities we have discovered in business critical application such as SAP and Oracle. In this blogpost, we'll analyze two different vulnerabilities affecting SAP HANA.
SAP is a complex and ever changing system, whether because of changes introduced to your SAP implementation to better suit your business or through the application of Security Notes (Patches) to ensure that newly disclosed vulnerabilities are mitigated.
Subscribe to our monthly newsletter, the Defender's Digest!