SAP HANA HTTP Login Remote Code Execution Vulnerabilities

Summary

The Extended Application Services (aka XS or XS Engine) in SAP HANA DB 1.00.73.00.389160 (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to "HTTP Login".

Credit:

The information has been provided by Nahuel D. Sainchez.


Details

Vulnerable Systems:
 * SAP HANA Database 1.00.73.00.389160 and earlier

Immune Systems:
 * SAP HANA Database 1.00.73.00.389160 and later

By sending a crafted HTTP packet to the SAP HANA XS Server, a remote unauthenticated attacker could fully compromise the platform by executing arbitrary code, or cause a denial of service that renders the platform unavailable until the next process restart. SAP HANA DB version 1.00.73.00.389160 is affected.

CVE Information:
CVE-2015-7993

Disclosure Timeline:
Original release date: 11/10/2015
Last revised: 11/12/2015