Technology Blogs by SAP

On February 25, 2015, Onapsis released advisories for five SAP BusinessObjects Enterprise/Edge and SAP HANA vulnerabilities. These vulnerabilities were responsibly disclosed, allowing SAP to correct the vulnerabilities as quickly as possible.

Here is a summary of the advisories and more information around each. Of these five, three are considered "High Risk" and are exploited through the CORBA layer.

Vulnerabilities rated High:

Unauthorized Audit Information Delete via CORBA (CVE-2015-2075)

Exploiting this vulnerability would allow a remote unauthenticated attacker to delete audit information on the BI system before these events are written into the auditing database.

Resolution:
Details of the fix are available in SAP Note ID 2011396. Please update your BusinessObjects BI 4.x system to one of the following patches, or a subsequent patch or support pack:

  • BI 4.0 Patch 9.2
  • BI 4.0 SP10
  • BI 4.1 Patch 3.1
  • BI 4.1 SP04


SAP Note ID link: http://service.sap.com/sap/support/notes/2011396

Unauthorized File Repository Server Write via CORBA (CVE-2015-2074)

Exploiting this vulnerability would allow a remote unauthenticated attacker to overwrite files in the File Repository System (FRS), provided the attacker has knowledge of the report ID and path.  For example, “frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt”.

Resolution:
Details of the fix are available in SAP Note ID 2018681. Please update your BusinessObjects BI 4.x system to the following support pack, or a subsequent patch or support pack:

  • BI 4.1 SP04

Note: Earlier versions of BI 4.x have a workaround, which is to configure the FRS to run in FIPS mode (add “-fips” to the command line arguments in the CMC) or enable CORBA SSL.

SAP Note ID link: https://service.sap.com/sap/support/notes/2018681


Unauthorized File Repository Server (FRS) Read via CORBA (CVE-2015-2073)

Exploiting this vulnerability would allow a remote unauthenticated attacker to retrieve reports located on the FRS system, provided the attacker has knowledge of the report ID and path. For example, “frs://Input/a_103/019/000/4967/1b14796c5b0d5f2c.rpt”.

Resolution: Details of the fix are available in SAP Note ID 2018682. Please update your BusinessObjects BI 4.x system to the following support pack, or a subsequent patch or support pack:

  • BI 4.1 SP04

Note: Earlier versions of BI 4.x have a workaround, which is to configure the FRS to run in FIPS mode (add “-fips” to the command line arguments in the CMC) or enable CORBA SSL.


SAP Note ID Link: https://service.sap.com/sap/support/notes/2018682

Vulnerabilities rated Medium:

Multiple Cross Site Scripting Vulnerabilities in SAP HANA XS Administration Tool


Reflected cross site scripting vulnerabilities in this tool may allow an attacker to deface the application or harvest authentication information from users.


Resolution:  Details of the fix are available in SAP Note ID 1993349.  Please update your SAP HANA system to one of the following patches, or a later revision:

  • SAP HANA revision 72 (for SPS07)
  • SAP HANA revision 69 Patch 4 (for SPS06)


SAP Note ID Link: https://service.sap.com/sap/support/notes/1993349


Unauthorized Audit Information Access via CORBA (CVE-2015-2076)


Exploiting this vulnerability would allow a remote unauthenticated user to gain access to audit events in a BI system.


Resolution: Details of the fix are available in SAP Note ID 2011395. Please update your BusinessObjects BI 4.x system to one of the following patches, or a subsequent patch or support pack:

  • BI 4.0 Patch 9.2
  • BI 4.0 SP10
  • BI 4.1 Patch 3.1
  • BI 4.1 SP04


SAP Note ID Link: https://service.sap.com/sap/support/notes/2011395
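The four BI Platform advisories above each list the patch or support pack that carries the fix, and the text says any subsequent patch or support pack also does. Checking an installed level against those lists by hand is error-prone because a "Patch 9.2" level and an "SP10" level have to be compared on the same scale. The script below is an added example written for this post; it is not SAP or Onapsis code. It assumes the usual BI 4.x naming convention in which "Patch 9.2" means Support Pack 9, Patch 2, so that levels within one minor release order as (support pack, patch) and a full support pack sits at patch 0 of its number; it also assumes (labelled in the code) that a minor release later than any listed one, such as BI 4.2, carries the earlier fixes. The fixed levels and SAP Note IDs are taken verbatim from the advisories on this page.

```python
"""Check an installed BI 4.x level against the fixed levels listed in the
four BusinessObjects advisories (CVE-2015-2073/2074/2075/2076).

Added example, not SAP or Onapsis code. Version model (assumption): a level is
written "BI 4.<minor> SP<sp>" or "BI 4.<minor> Patch <sp>.<patch>", where
"Patch 9.2" means Support Pack 9, Patch 2. Within one minor release, levels
order as the tuple (sp, patch); a full support pack is (sp, 0).
"""
from __future__ import annotations

import re
from typing import NamedTuple


class BILevel(NamedTuple):
    minor: int   # 0 for BI 4.0, 1 for BI 4.1
    sp: int      # support pack number
    patch: int   # patch within that support pack; 0 for the SP itself


_LEVEL_RE = re.compile(
    r"^BI\s+4\.(?P<minor>\d+)\s+"
    r"(?:SP(?P<sp>\d+)|Patch\s+(?P<psp>\d+)\.(?P<patch>\d+))$",
    re.IGNORECASE,
)


def parse_level(text: str) -> BILevel:
    """Parse 'BI 4.0 SP10' or 'BI 4.1 Patch 3.1' into a comparable BILevel."""
    m = _LEVEL_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised BI level: {text!r}")
    if m.group("sp") is not None:
        return BILevel(int(m.group("minor")), int(m.group("sp")), 0)
    return BILevel(int(m.group("minor")), int(m.group("psp")), int(m.group("patch")))


# (SAP Note ID, fixed levels) exactly as listed in the advisories above.
FIXED_LEVELS: dict[str, tuple[str, list[str]]] = {
    "CVE-2015-2075": ("2011396", ["BI 4.0 Patch 9.2", "BI 4.0 SP10",
                                  "BI 4.1 Patch 3.1", "BI 4.1 SP04"]),
    "CVE-2015-2074": ("2018681", ["BI 4.1 SP04"]),
    "CVE-2015-2073": ("2018682", ["BI 4.1 SP04"]),
    "CVE-2015-2076": ("2011395", ["BI 4.0 Patch 9.2", "BI 4.0 SP10",
                                  "BI 4.1 Patch 3.1", "BI 4.1 SP04"]),
}


def is_fixed(installed: BILevel, fixed: list[BILevel]) -> bool:
    """True if `installed` is at or beyond a listed fixed level of the same
    minor release. A fix listed only for BI 4.1 does not cover a BI 4.0
    system, so that case is reported as not fixed."""
    if installed.minor > max(f.minor for f in fixed):
        # Assumption: a later minor release (e.g. BI 4.2) carries the fix.
        return True
    same_minor = [f for f in fixed if f.minor == installed.minor]
    return any((installed.sp, installed.patch) >= (f.sp, f.patch) for f in same_minor)


def assess(installed_text: str) -> dict[str, bool]:
    """Map each CVE to whether the installed level already contains its fix."""
    installed = parse_level(installed_text)
    return {
        cve: is_fixed(installed, [parse_level(lvl) for lvl in levels])
        for cve, (_, levels) in FIXED_LEVELS.items()
    }


def outstanding_notes(installed_text: str) -> list[str]:
    """SAP Note IDs whose fix the installed level does not yet contain."""
    status = assess(installed_text)
    return sorted({FIXED_LEVELS[cve][0] for cve, ok in status.items() if not ok})


if __name__ == "__main__":
    # Constructed sample levels, chosen to sit just below and just at the fixes.
    for level in ["BI 4.0 Patch 9.1", "BI 4.0 SP10", "BI 4.1 Patch 3.1", "BI 4.1 SP04"]:
        print(f"{level:18} {assess(level)}  outstanding notes: {outstanding_notes(level)}")
```

The split between `is_fixed` and `outstanding_notes` is deliberate: the first answers the per-CVE question, the second turns the result into the list of SAP Notes that still have to be applied, which is the form in which the gap is usually tracked. Note that a BI 4.0 system at SP10 is covered for the two audit vulnerabilities but not for the two FRS vulnerabilities, whose only listed fix is BI 4.1 SP04; that is the case where the "-fips" or CORBA SSL workaround from the advisories applies.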


I strongly recommend keeping up to date on patches and support packs in order to take advantage of the most recent security fixes, but also new features in the product. Each of the vulnerabilities affecting the BI Platform has been resolved in BI 4.1 SP04+. If you haven’t already, this is a good opportunity to build the business case for updating your environment. Vulnerabilities left unaddressed put your business users and data at risk.


Information regarding each of the BI support packs/patches, including Administration guides, release notes, fixed issues in each and known issues in each can be found at http://help.sap.com/bobi/.


Information regarding the latest revision of SAP HANA, including install guides, security information and Administration guides can be found at http://help.sap.com/hana, and choose the HANA link appropriate for your environment.


SAP’s security notes portal can be found here: https://support.sap.com/securitynotes

Other links of interest:


I am a new blogger to SCN, but I’ve been with Business Objects and then SAP for several years. I’m interested in bringing more transparency around security topics to SCN, so I’m curious to know what the BI Platform community thinks about these types of posts, as well as anything else you’d like to see.


Please feel free to leave a comment below or contact me directly; I’d love to hear from you!
