SAP Patches Five Vulnerabilities in HANA Database Platform

SAP this week released another set of monthly security updates to address various issues in its products, including five vulnerabilities in SAP HANA, one of which was rated Hot News.

The March 2017 SAP Security Patch Day includes 25 security notes, SAP announced. Additionally, there were two updates to previously released security notes, for a total of 27 SAP Security Notes released this month. One Security Note carries a Very High priority rating, while another seven were rated High severity.

According to ERPScan, a company that specializes in securing SAP and Oracle applications, the patch update includes 35 SAP Notes (28 SAP Security Patch Day Notes and 7 Support Package Notes), with 4 of the Notes released after the second Tuesday of the previous month, and 7 Notes being updates to previously released Security Notes.

The most important of the issues addressed this month was a Missing Authorization Check vulnerability in the SAP HANA User Self-Service. With a CVSS score of 9.8 (Very High), this critical bug could allow an attacker to take control of the affected system, SAP’s Holger Mack reveals.

The Self Service tool for SAP HANA provides the option to activate features such as password change, forgotten password reset, or user self-registration. The Hot News vulnerability could allow an unauthenticated attacker to impersonate other users, even those of high privileged accounts, security technology firm Onapsis explains. The attacker could take full control of the SAP HANA platform remotely.

According to SAP, however, the issue only affects customers who enabled the optional User Self Service component (it is disabled by default) and exposed it to an untrusted network. “The security note contains instructions on how to check if the User Self Service tool is enabled and how to protect the system by either updating or deactivating the affected service (if not needed anymore or as temporary measure),” Mack says.

The second most important flaw addressed this month, also discovered by Onapsis and carrying a CVSS score of 8.8 (High risk), again affects SAP HANA: a session fixation vulnerability in SAP HANA extended application services, classic model. By exploiting it, an authenticated attacker could predict valid session IDs for concurrent users logged on to the system.
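The article describes the session fixation flaw only by its impact. As an added illustration (not SAP's code, not Onapsis's finding, and not specific to HANA XS classic), the following Python sketch contrasts the two properties a session layer needs to resist this class of bug: session IDs drawn from a CSPRNG so one user's ID reveals nothing about another's, and rotation of the ID at the moment of authentication so a pre-login ID never becomes an authenticated one. The `SessionStore` class, the `USERS` table and the credential in it are constructed for this example.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Constructed demo credential store; a real system would hold salted password hashes.
USERS = {"alice": "correct horse battery staple"}


@dataclass
class Session:
    user: Optional[str] = None            # None until the client authenticates
    data: dict = field(default_factory=dict)


class SessionStore:
    """Server-side session table keyed by opaque, server-issued IDs (constructed example)."""

    def __init__(self) -> None:
        self._sessions: Dict[str, Session] = {}

    def issue(self) -> str:
        # 32 bytes from the OS CSPRNG: an ID that cannot be predicted from other
        # users' IDs, unlike a counter-, timestamp- or PRNG-derived value.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = Session()
        return sid

    def lookup(self, presented: Optional[str]) -> Optional[str]:
        # Only IDs this server created are honoured, so a value planted in the
        # client by a third party never becomes a live session on its own.
        if presented is not None and presented in self._sessions:
            return presented
        return None

    def _password_ok(self, username: str, password: str) -> bool:
        # Constant-time comparison; both sides are ASCII strings here.
        return secrets.compare_digest(USERS.get(username, ""), password)

    def login_fixation_prone(self, presented: Optional[str], username: str, password: str) -> str:
        """Vulnerable pattern: authenticates *inside* the pre-login session ID.

        Whoever already knows that ID (because they chose or observed it before
        login) now holds an authenticated session for the victim.
        """
        sid = self.lookup(presented) or self.issue()
        if self._password_ok(username, password):
            self._sessions[sid].user = username
        return sid

    def login_hardened(self, presented: Optional[str], username: str, password: str) -> str:
        """Hardened pattern: on successful auth, retire the pre-login ID and issue a fresh one."""
        old = self.lookup(presented)
        if not self._password_ok(username, password):
            return old or self.issue()       # failed login: stay anonymous
        carried = self._sessions.pop(old).data if old else {}
        new_sid = self.issue()               # brand-new, unpredictable ID
        self._sessions[new_sid].user = username
        self._sessions[new_sid].data = carried
        return new_sid

    def user_for(self, sid: str) -> Optional[str]:
        session = self._sessions.get(sid)
        return session.user if session else None
```

The test of the hardened path is that the ID issued before login no longer resolves to any user afterwards, while the fixation-prone path leaves the original ID authenticated. Rotating the ID on every privilege change (login, role switch, password reset) is the standard mitigation; strong randomness on its own does not stop fixation, and rotation on its own does not stop prediction, which is why the example does both.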

The remaining three vulnerabilities in SAP HANA were also found by Onapsis: two SQL Injection vulnerabilities with a CVSSv3 Base Score of 2.7, and an information disclosure in SAP HANA Cockpit for offline administration, with a CVSSv3 Base Score of 4.9.

“The risk of these SAP HANA vulnerabilities is critical indeed. However, the likelihood of mass-exploitation is low, as SAP HANA User Self-Service is enabled on only 13% of internet-exposed SAP systems (according to a custom scan). There are numerous other services in SAP HANA which are not enabled by default and are susceptible to critical issues. For example, last month we helped SAP to close a vulnerability with the same risk of remote authentication bypass, but in another web service dubbed Sinopia,” Alexander Polyakov, CTO at ERPScan, says.

In addition to the aforementioned bug in SAP HANA, the High risk flaws patched this month include a Remote Code Execution (RCE) vulnerability in SAP GUI for Windows, Denial of service (DOS) in Visual Composer, Denial of service (DOS) in SAP Netweaver Dynpro Engine, Improved security for HTTP URL outgoing connections in SAP Netweaver, and an update to a previous Security Note.

The RCE (CVSS Base Score: 8.0) and two DOS flaws (CVSS Base Score: 7.5 each) were found by ERPScan, along with a Cross-Site Scripting (XSS) vulnerability in SAP Enterprise Portal (CVSS Base Score: 6.1) and a Denial of service vulnerability in SAP Java Script Engine (CVSS Base Score: 2.7).

A total of 11 XSS flaws were addressed this month, along with 7 missing authorization checks, 5 DOS issues, 4 SQL Injection vulnerabilities, 3 Information disclosure bugs, 2 Implementation flaws, 1 RCE, 1 XML external entity, and 1 session fixation.

Related: SAP Patches 22 Vulnerabilities With February 2017 Security Updates

Related: SAP Patches Multiple XSS and Missing Authorization Vulnerabilities

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
