SAP security fixes address Critical flaw in SAP HANA XSA

Pierluigi Paganini February 14, 2019

SAP released a collection of security fixes for February 2019 that address 13 vulnerabilities in its products, including a Hot News flaw in SAP HANA XSA.

This week SAP addressed 13 vulnerabilities in its products with the release of the February 2019 set of security fixes, including a Hot News flaw in SAP HANA Extended Application Services (XSA), advanced model.

SAP Security Patch Day for February 2019 includes 13 Security Notes and 3 updates to previously released security notes. 2 Notes are rated Hot News, 4 rated High priority, and 10 rated Medium priority.

“On 12th of February 2019, SAP Security Patch Day saw the release of 13 Security Notes. Additionally, there were 3 updates to previously released security notes.” reads the advisory published by SAP.

The fixes address flaws in the following SAP products: Business Client, HANA XSA, ABAP Platform (SLD Registration), Disclosure Management, Solution Tools Plug-In (ST-PI), Note Assistant, Business Objects, Manufacturing Integration and Intelligence, Business One Mobile Android App, and WebIntelligence BILaunchPad (Enterprise).

The most severe issue is a Hot News Note (CVSS score of 9.8) that updates a Security Note released on the April 2018 Patch Day and that includes security updates for the Chromium browser control delivered with SAP Business Client.

“As mentioned, one of the two SAP Security Notes tagged as HotNews (#2742027) affects SAP HANA XSA (the other one is #2622660 that is regularly updated with Chromium security updates and was explained in a previous blog post). It is a classic Missing Authorization Check that may allow an attacker not only to read/modify/delete sensitive information, but also to gain high-privileged functionalities.” reads the analysis published by Onapsis.

“It affects XS Advanced selected versions in both SAP HANA 1 and SAP HANA 2 and can be patched by upgrading the XS Advanced component.”

The security updates include a Hot News Note for HANA XSA that addresses a missing authorization check that could be exploited by an attacker to gain access to high-privileged functionalities, including the ability to read, modify, or delete sensitive information.

The security vulnerability affects selected versions of XS Advanced in both SAP HANA 1 and SAP HANA 2.

To address the flaw, customers should upgrade the XS Advanced component. SAP also provided a workaround that consists of disabling the component if it is not in use.

The SAP Security Patch Day for February 2019 also addressed another issue in SAP HANA XSA that could lead to information disclosure; it was rated Medium severity (CVSS score of 6.8).

SAP addressed several High priority Security Notes, including an XML External Entity (XXE) vulnerability in SLD Registration of ABAP Platform, a Missing Authorization check in Disclosure Management, and an access issue affecting the Easy Access Menu in ABAP Platform.

SAP also issued an update to a security note released on the November 2014 Patch Day, covering a potential information disclosure relating to the database server file system.

Below there is a summary, published by Onapsis, of the type of vulnerabilities that were addressed in February, including another six that were published in late January, after that month’s Security Notes Patch Day.
