
Recent security vulnerabilities - still no update available?

fabian_krger
Participant
0 Kudos

Hello,

there have been some recent reports about security vulnerabilities in SAP HANA.

Not only am I shocked that they are so serious... it seems that with HANA One you can't patch them all.

I'm talking about stuff like "Attackers could exploit SAP HANA Extended Application Services to enable them to take complete control of the product, including viewing, changing, or deleting data."

Related SAP Notes are:

http://service.sap.com/sap/support/notes/2197397

fixed in Rev. 92

http://service.sap.com/sap/support/notes/2148854

fixed in Rev. 97

http://service.sap.com/sap/support/notes/2197428

fixed in Rev. 102.01

This means we can't fix the last one since the latest HANA version available in the Addons section is Rev. 100.

When can we expect the upgrade? Why is there no notification about those vulnerabilities via email?

Best Regards,

Fabian

Accepted Solutions (1)


Former Member
0 Kudos

Hi Fabian,

We are in the process of making 102 available. Meanwhile, we came across a problem.

During the upgrade, we did not correctly handle the 'merged statserver' case. Recently, by default, the servers are merged, and also during the addon 100/102 we need to update the properties files.

We did not do that correctly.

We are working on getting it fixed.

We will release the 102 as soon as we can. Our current plan is to get it done in the next two weeks.

Thanks

HANA One team

fabian_krger
Participant
0 Kudos

Thanks for this information Mandar.

Still the question is: Why is there no notification about those vulnerabilities via email?

I know you are able to send emails to HANA One customers like you did with upgrade AMI Rev. 091.1 (from 70.0 and 80.0), Portal Upgrade to 1.2 and HANA to 091.2 or the Shellshock vulnerability.

This is the MINIMUM we can expect. In my case, I found out about these vulnerabilities via Google News! That's a shame.

If we know at least that those vulnerabilities exist, we can decide whether to restrict access via firewall, shut down the instance or live with the risk. I know we can't have the update on the same day as it's released, but a "we are working on it" as you wrote now would also tell us that you care about the problem...

Former Member
0 Kudos

Hi Fabian,

You raise some valid points. But let me explain a big difference:

This forum and the HANA One team are ONLY for HANA One in AWS.

We don't provide any support for the main HANA issues on this forum. That is why we recommend that you post HANA-specific messages on the HANA forum.

Sorry for this misunderstanding. Hope this clarifies the response issue.

For Shellshock, the bug was an overall env bug and NOT really HANA. It was on the instance we run HANA One on. We did the due diligence on that.

BUT, we are thinking over some mechanism where we can provide info on the SAP notes to customers. It is technically very challenging to integrate from SAP property to the AWS cloud.

Thanks for being a very active and valuable customer!

HANA One Team

Answers (1)


fabian_krger
Participant
0 Kudos

Bump!