Description
This note addresses multiple vulnerabilities in SAP HANA Extended Application Services (Advanced Model):
Denial of Service (DOS)
Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or retrieve information about internal network ports.
- CVE-2019-0363
- CVSS Score: 7.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
Some well-known impacts of Denial of Service vulnerability are:
- long response delays and service interruptions, thus degrading the service quality experienced by legitimate users
- direct impact on availability
Internal Port Scanning
Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to enumerate open ports
- CVE-2019-0364
- CVSS Score: 5.0; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N
Available fix and Supported packages
- SAP_EXTENDED_APP_SERVICES | 1 | 1
- SAP EXTENDED APP SERVICES 1 | SP000 | 000118
Affected component
- BC-XS-SEC
UAA and Security for HANA XSA engine
CVSS
Score: 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2817491
