Skip links
RedRays - Your SAP Security Solution
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Security on Udemy

CVE-2019-0363 Multiple security vulnerabilities in SAP HANA Extended Application Services (Advanced Model), SAP security note 2817491

Description

This note addresses multiple vulnerabilities in SAP HANA Extended Application Services (Advanced Model):

Denial of Service (DOS)

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to overload the server or retrieve information about internal network ports.

  • CVE-2019-0363
  • CVSS Score: 7.7; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

Some well-known impacts of Denial of Service vulnerability are:

  • long response delays and service interruptions, thus degrading the service quality experienced by legitimate users
  • direct impact on availability    

Internal Port Scanning 

Attackers may misuse an HTTP/REST endpoint of SAP HANA Extended Application Services (Advanced model) to enumerate open ports

  • CVE-2019-0364
  • CVSS Score: 5.0; CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:N/A:N

 

Available fix and Supported packages

  • SAP_EXTENDED_APP_SERVICES | 1 | 1
  • SAP EXTENDED APP SERVICES 1 | SP000 | 000118

Affected component

    BC-XS-SEC
    UAA and Security for HANA XSA engine

CVSS

Score: 7.7
CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:N/A:H

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2817491

TAGS

#&65279-DoS
#DDoS
#Distributed-Denial-of-Service
#Uncontrolled-Resource-consumption
#Resource-Exhaustion
#Port-Scanning
#CVE-2019-0363
#&160-CVE-2019-0364

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series. 

JOIN