Security firm Onapsis has worked with SAP’s product security and engineering teams to patch several high-risk vulnerabilities discovered in HANA-based products, including HANA 2, S/4 HANA and HANA-based Cloud applications.
The vulnerabilities, which would allow an attacker to take full control of the HANA platform remotely without needing a username or password, affect a specific component called SAP HANA User Self Service, which was not enabled by default.
“This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering and/or deleting sensitive information. If these vulnerabilities are exploited, organisations may face severe business consequences,” said Sebastian Bortnik, head of research, Onapsis.
“We hope organisations will use this threat intelligence to assess their systems and confirm that they are not currently using this component, and therefore are not affected by these risks. Even if the service is not enabled, we still recommend that these organisations apply the patches in case a change is made to the system in the future.”
Patches for the vulnerabilities are provided in SAP Security Note #2424173 ‘Vulnerabilities in the User Self-Service Tools of SAP HANA’ and Security Note #2429069.
The issues were originally discovered on the newly released SAP HANA 2 platform, but further analysis revealed that several older versions were also vulnerable, with the flaws present since the User Self Service component was first released two-and-a-half years earlier.
Onapsis CEO and co-founder Mariano Nunez said that SAP developed and released a patch very quickly compared to the company’s past vulnerability submissions.