Onapsis Security Advisory ONAPSIS-2015-006: SAP HANA Information Disclosure via SQL IMPORT FROM statement

1. Impact on Business
=====================
Under certain conditions, some SAP HANA Database commands could be abused by a remote authenticated attacker to access restricted information. This could be used to gain access to confidential information.

Risk Level: Medium

2. Advisory Information
=======================
- Public Release Date: 2015-05-27
- Subscriber Notification Date: 2015-05-27
- Last Revised: 2015-05-27
- Security Advisory ID: ONAPSIS-2015006
- Onapsis SVS ID: ONAPSIS-00142
- CVE: CVE-2015-3995
- Researcher: Sergio Abraham, Fernando Russ, Nahuel D. Sánchez
- Initial Base CVSS v2: 4 (AV:N/AC:L/Au:S/C:P/I:N/A:N)

3. Vulnerability Information
============================
- Vendor: SAP A.G.
- Affected Components: SAP HANA DB 1.00.73.00.389160 (NewDB100_REL)
- Vulnerability Class: Improper Access Control (CWE-284)
- Remotely Exploitable: Yes
- Locally Exploitable: No
- Authentication Required: Yes
- Original Advisory: http://www.onapsis.com/research/security-advisories/SAP-HANA-information-disclosure-via-SQL-import-from-statement

4. Affected Components Description
==================================
SAP HANA is a platform for real-time business. It combines database, data processing, and application platform capabilities in-memory. The platform provides libraries for predictive, planning, text processing, spatial, and business analytics.

5. Vulnerability Details
========================
A remote authenticated attacker could access confidential information using a specially crafted SQL statement that reads arbitrary files from the OS through the database command READ FILE IMPORT, which can be performed inside any SQL query.

6. Solution
===========
Implement SAP Security Note 2109565

7. Report Timeline
==================
2014-10-18: Onapsis provides vulnerability information to SAP AG.
2014-10-19: SAP AG confirms having the information about the vulnerability.
2015-01-13: SAP AG publishes security note 2109565 which fixes the problem.
2015-05-27: Onapsis publishes security advisory.

About Onapsis Research Labs
===========================
Onapsis Research Labs provides the industry analysis of key security issues that impact business-critical systems and applications. Delivering frequent and timely security and compliance advisories with associated risk levels, Onapsis Research Labs combines in-depth knowledge and experience to deliver technical and business-context with sound security judgment to the broader information security community.