SAP Business One Security Recommendations on Avoiding Risks of Potential Remote Code Execution in SAP HANA

Symptom

SAP HANA has disclosed two security issues about the

Attackers could exploit the SAP HANA SQL interface or SAP HANA Extended Application Services (XS) to enable them to take complete control of the product, including viewing, changing, or deleting data.
SAP HANA SQL Interface
This issue is relevant for users of SAP Business One 9.0, version for SAP HANA, and SAP Business One 9.1, version for SAP HANA, running on any HANA revision lower than 97.02.
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector:
  • AV : Access Vector (Related exploit range): Network (N)
  • AC : Access Complexity (Required attack complexity): Medium (M)
  • Au : Authentication (Level of authentication needed to exploit): None (N)
  • C : Impact to Confidentiality: Complete (C)
  • I : Impact to Integrity: Complete (C)
  • A : Impact to Availability: Complete (C)

SAP HANA Extended Application Services (XS)
This issue is relevant for users of SAP Business One 9.0, version for SAP HANA, and SAP Business One 9.1, version for SAP HANA, running on any HANA revision lower than 85.4.
CVSS Information
CVSS Base Score: 9.3 / 10
CVSS Base Vector:
  • AV : Access Vector (Related exploit range): Network (N)
  • AC : Access Complexity (Required attack complexity): Medium (M)
  • Au : Authentication (Level of authentication needed to exploit): None (N)
  • C : Impact to Confidentiality: Complete (C)
  • I : Impact to Integrity: Complete (C)
  • A : Impact to Availability: Complete (C)

SAP provides the CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://support.sap.com/securitynotes.

Cause

A buffer overflow vulnerability exists in some revisions of the SAP HANA Extended Application Services. If an attacker has network access to the HTTP interface of SAP HANA Extended Application Services, the vulnerability might enable an attacker to inject code into the working memory that is subsequently executed by the application. It can also be used to cause a general fault in the product, causing the product to terminate.

Solution

The issue about the SAP HANA SQL interface is fixed with revision 102.01 (for SPS10) and 97.03 (for SPS09). The issue about SAP HANA Extended Application Services (XS) is fixed with revision 92 (for SPS09) and 85.05 (for SPS08); SPS10 is not affected.
For SAP Business One, version for SAP HANA customers, please do the following:

  1. Upgrade SAP HANA to Revision 97.
  2. Upgrade SAP Business One, version for SAP HANA to 9.1 PL09.
  3. Use a whitelist to allow only trusted IP addresses to access the SAP HANA SQL interface (3<InstanceNumber>15), as follows:
    1. Log on as root to your SAP HANA server.
    2. Create a whitelist, as follows:
      1. Create an ACCEPT rule, using this command: iptables -A INPUT -p tcp -s <AcceptedIP> --dport 3<InstanceNumber>15 -j ACCEPT
        For example: iptables -A INPUT -p tcp -s 192.168.0.10 --dport 30015 -j ACCEPT
      2. Repeat the above step for each IP address that you allow access to the target SAP HANA SQL interface.
    3. To ensure only trusted IP addresses have access, create a default DROP rule, using this command: iptables -A INPUT -p tcp --dport 3<InstanceNumber>15 -j DROP
      For example: iptables -A INPUT -p tcp --dport 30015 -j DROP
    4. If you want to delete a rule, execute this command: iptables -D INPUT <CurrentPositionInRuleList>
      For example: iptables -D INPUT 1
    5. To check the access control list, execute this command: iptables --list
      Caution: The default DROP rule must be the last line in the access control list.
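The whitelist procedure above, as an added example that is not part of the SAP Note: a small POSIX shell script that generates the ACCEPT and DROP commands for the SQL interface port 3<InstanceNumber>15 and checks a listing in the format of iptables --list -n for the caution in step 5 (the default DROP rule must be last). The script never calls iptables itself; the generated commands are printed for review and must be run as root on the HANA server. The instance number 00, the addresses 192.168.0.10 and 192.168.0.11 and the two listings are constructed sample input.

```shell
#!/bin/sh
# Added example (not from the SAP Note): build the iptables whitelist for the
# SAP HANA SQL interface port 3<InstanceNumber>15 and check that the default
# DROP rule is the last rule for that port. Nothing here executes iptables.

# hana_sql_port <InstanceNumber>: the two-digit instance number maps to port 3<nn>15.
hana_sql_port() {
    printf '3%s15\n' "$1"
}

# whitelist_rules <InstanceNumber> <TrustedIP>...: one ACCEPT per trusted address,
# then the default DROP for everyone else. Because -A appends, running the output
# again would duplicate the rules; review with iptables --list before re-running.
whitelist_rules() {
    port=$(hana_sql_port "$1")
    shift
    for ip in "$@"; do
        printf 'iptables -A INPUT -p tcp -s %s --dport %s -j ACCEPT\n' "$ip" "$port"
    done
    printf 'iptables -A INPUT -p tcp --dport %s -j DROP\n' "$port"
}

# drop_is_last <port>: reads an `iptables --list -n` listing on stdin and succeeds
# only if the last rule for that destination port is the DROP rule. An ACCEPT
# ordered after the DROP never matches, and a missing DROP leaves the port open.
drop_is_last() {
    awk -v port="$1" '
        $NF == ("dpt:" port) { last = $1 }
        END { if (last == "DROP") exit 0; exit 1 }
    '
}

# Constructed listing: two trusted hosts, then the default DROP (correct order).
GOOD_LIST='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.10         0.0.0.0/0            tcp dpt:30015
ACCEPT     tcp  --  192.168.0.11         0.0.0.0/0            tcp dpt:30015
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30015'

# Constructed listing: an ACCEPT was appended after the DROP, so the second host
# is silently blocked and the note's caution is violated.
BAD_LIST='Chain INPUT (policy ACCEPT)
target     prot opt source               destination
ACCEPT     tcp  --  192.168.0.10         0.0.0.0/0            tcp dpt:30015
DROP       tcp  --  0.0.0.0/0            0.0.0.0/0            tcp dpt:30015
ACCEPT     tcp  --  192.168.0.11         0.0.0.0/0            tcp dpt:30015'

# Usage: print the commands for instance 00 and two trusted workstations, then
# check both constructed listings.
whitelist_rules 00 192.168.0.10 192.168.0.11
if printf '%s\n' "$GOOD_LIST" | drop_is_last 30015; then
    echo "good listing: DROP is last for port 30015"
fi
if printf '%s\n' "$BAD_LIST" | drop_is_last 30015; then
    :
else
    echo "bad listing: an ACCEPT follows the DROP; fix the order with iptables -D and re-add"
fi
```

The ordering check is the part worth automating: iptables evaluates rules top to bottom, so any ACCEPT appended after the default DROP is dead, which looks like a connectivity fault rather than a security problem and is easy to miss when the list is read by eye. Rules added with iptables -A are also not persistent across a reboot unless saved with the distribution's own mechanism, so re-check the listing after maintenance.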

If you prefer to adopt an SAP HANA version which fixes both security issues, you may upgrade to SAP HANA 97.03 and upgrade SAP Business One, version for SAP HANA to 9.1 PL09. However, you must be aware that KPIs and dashboards based on calculation views do not work properly on Revision 97.03. While you can still use the existing KPIs and dashboards, you cannot edit them or create new KPIs or dashboards. The impacted KPIs and dashboards delivered by SAP Business One are as follows:

  • KPIs:
    • Total Assets
    • Total Liabilities
    • Total Equity
    • Net Sales Revenue
    • Net Cash Flow (Operating)
    • Net Cash Flow (Investment)
    • Net Cash Flow (Financial)
    • Cash
    • Accounts Receivable
    • Accounts Payable
    • Inventory
    • COGS
    • Total Current Assets
    • Total Current Liabilities
    • Operating Cost
    • Expense 1
    • Expense 2
    • Net Cash Flow
    • Receivables Overdue
    • Payables Overdue
  • Dashboards
    • Aging of Receivables Overdue (10-Day Interval)
    • Aging of Payables Overdue (10-Day Interval)
    • Top 5 Customers by Receivables Overdue
    • Top 5 Vendors by Payables Overdue

Notes: As best practices, we recommend the following:
- Never expose your SAP HANA server to the Internet; in other words, no Internet IP addresses should have access to your SAP HANA server.
- Never map the SAP HANA SQL interface port to the Internet.
- For Internet user access, we strongly recommend that you use a firewall or iptables to block untrusted access.

SAP intends to provide a patch or patches in order to solve the problem described.
The section Reference to Related Notes below will list the specific patches once they become available.
The corresponding Info file of the patches in SAP Service Marketplace will also show the SAP Note number.
Be aware that these references can only be set at patch release date.
SAP will deliver patches only for selected releases at its own discretion, based on the business impact and the complexity of the implementation.

Other terms

Buffer overflow, RCE, remote code execution, SAP HANA Extended Application Services, HANA XS