Question: Security Threat OSS Note 2067859
Good Afternoon All,
A question: OSS Note 2067859 describes a security vulnerability. If you read the OSS Note
(PLEASE do not quote the OSS Note here, just read it),
it says in the Symptom section...
used by SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP and SAP HANA applications
we are debating: did the author intend this to mean
a) SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP
   SAP HANA applications
(therefore meaning this vulnerability, if you have the described setup, would affect every ABAP stack [regardless of DB] in your landscape where you have that setup)
or did the author intend this to mean
b) SAP NetWeaver Application Server (SAP NetWeaver AS)
   for ABAP and (SAP) HANA (applications)
(therefore meaning this vulnerability, if you have the described setup, would affect your systems where you have an ABAP stack on a HANA DB)
What does the jury think, is it a) or b)?
Please, as requested, do not publish here any more details from the OSS Note than have already been given.
Frank Buchholz replied
Julius, you are right, the main systems in scope are ABAP and HANA:
All systems which are using the SAPSECULIB, SAPCRYPTOLIB or CommonCryptoLib to create Digital Signatures using DSA are affected.
Such are: ABAP systems and HANA XS.
SAP AS Java including the SAP Portal is not affected as it is using its own cryptographic library. SAP Web Dispatcher, ICMAN, SAP Router, or Secure Login Client (SLC) are not directly affected, because DSA is not used in these products (assuming that you are using standard installations).
However, SAP recommends replacing the SAP Cryptographic Library versions of SAPSECULIB, SAPCRYPTOLIB or CommonCryptoLib in any case because of future use cases that might get impacted.