SAP Security Notes, February 2018
Note 2589129 addresses multiple high-risk vulnerabilities in HANA Extended Services Advanced (XSA) Server. XSA provides a development and runtime platform for HANA applications. XSA delivers improved reliability and scalability over HANA XS by providing separate runtime environments for applications. Applications operate in trust zones known as spaces. Applications deployed to the same space can share common resources such as data storage, user authorizations, and passwords. Permissions to manage spaces including domains and resources are granted through controller roles.
Note 2589129 recommends using HANA XSA patch level 1.0.70 in order to remove several authentication and authorization bypass vulnerabilities listed in the Note. This includes flaws in specific controller roles that could enable users to retrieve sensitive information. It also includes vulnerabilities that could enable unauthenticated or unauthorized users to read the system configuration using SQL statements and retrieve passwords from log files.
Note 2525222 includes automated corrections and manual instructions for high priority vulnerabilities in the SAP Internet Graphics Server (IGS). The vulnerabilities are caused by unrestricted file uploads that could be exploited to provoke a denial of service, perform cross-site scripting or log injection attacks, and leak sensitive data.
Lastly, Note 2565622 includes corrections to remove a broken authentication vulnerability that could enable attackers to access privileged functions or read and modify sensitive data in the SAP NetWeaver System Landscape Directory (SLD). The SLD supports landscape management and stores destination information used for system interfaces and the NetWeaver Development Infrastructure (NWDI).
