on 11-12-2015 2:29 PM
Hello,
there have been some recent reports about security vulnerabilities in SAP HANA.
Not only that I'm shocked that they are so serious... It seems that with HANA One you can't patch them all.
I'm talking about stuff like "Attackers could exploit SAP HANA Extended Application Services to enable them to take complete control of the product, including viewing, changing, or deleting data."
Related SAP Notes are:
http://service.sap.com/sap/support/notes/2197397
fixed in Rev. 92
http://service.sap.com/sap/support/notes/2148854
fixed in Rev. 97
http://service.sap.com/sap/support/notes/2197428
fixed in Rev. 102.01
This means we can't fix the last one since the latest HANA Version available in Addons section is Rev. 100.
When can we expect the upgrade? Why is there no notification about those vulnerabilities via email?
Best Regards,
Fabian
Hi Fabian,
We are in process of making 102 available. Meanwhile, we came across a problem.
During the upgrade, we did not correctly handle the 'merged statserver' case. Recently, by default, the servers are merged and also during the addon 100/102, we need to update the properties files.
We did not do that correctly.
We are working on getting it fixed.
We will release the 102 as soon as we can. Our current plan is to get it done in the next two weeks.
Thanks
HANA One team
Thanks for this information Mandar.
Still the question is: Why is there no notification about those vulnerabilities via email?
I know you are able to send emails to HANA One customers like you did with upgrade AMI Rev. 091.1 (from 70.0 and 80.0), Portal Upgrade to 1.2 and HANA to 091.2 or the shellshock vulnerability.
This is the MINIMUM we can expect. In my case, I found out about these vulnerabilities via Google News! That's a shame.
If we know at least that those vulnerabilities exist, we can decide whether to restrict access via firewall, shut down the instance or live with the risk. I know we can't have the update on the same day as it's released, but a "we are working on it" as you wrote now would also tell us that you care about the problem...
Hi Fabian,
You raise some valid points. But let me explain a big difference:
This forum and HANA One team is ONLY for the HANA One in AWS.
We don't provide any support for the main HANA issues on this forum. That is why we recommend you to post on HANA forum, HANA specific messages.
Sorry for this misunderstanding. Hope this clarifies the response issue.
For shellshock, the bug was an overall env bug and NOT really HANA. It was on the instance we run HANA One on. We did the due diligence on that.
BUT, we are thinking over some mechanism where we can provide info on the SAP notes to customers. It is technically very challenging to integrate from SAP property to AWS cloud.
Thanks for being a very active and valuable customer!
HANA One Team
Bump!