Question: Security Threat OSS Note 2067859

Good Afternoon All,

Question: OSS Note 2067859 describes a security vulnerability, and if you read the OSS Note,

PLEASE do not quote the OSS Note here, just read it,

if you read the OSS Note it says in the Symptom...

     used by SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP and SAP HANA applications

we are debating, did the author intend this to mean,

a)

     SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP

          and

     SAP HANA applications

     (therefore meaning this vulnerability, if you have the described setup, would affect every ABAP Stack [regardless of db] in your landscape where you have that setup)

or, did the author intend this to mean,

b)

     SAP NetWeaver Application Server (SAP NetWeaver AS)

          for ABAP and (SAP) HANA (applications)

     (therefore meaning this vulnerability, if you have the described setup, would affect your systems where you have an ABAP Stack on HANA db)



What does the jury think, is it a) or b)?

Please, as requested, do not publish here any more details from the OSS Note than have already been given.


Best regards,


Andy.

replied

Julius, you are right, the main systems in scope are ABAP and HANA:

All systems which are using the SAPSECULIB, SAPCRYPTOLIB or CommonCryptoLib to create Digital Signatures using DSA are affected.


Such are: ABAP systems and HANA XS.


SAP AS Java including the SAP Portal is not affected as it is using its own cryptographic library. SAP Web Dispatcher, ICMAN, SAP Router, or Secure Login Client (SLC) are not directly affected, because DSA is not used in these products (assuming that you are using standard installations).

However, SAP recommends replacing the SAP Cryptographic Library versions of SAPSECULIB, SAPCRYPTOLIB or CommonCryptoLib in any case because of future use cases that might get impacted.


Kind regards

Frank Buchholz
