SAP HANA HTTP Login Remote Code Execution Vulnerabilities


The Extended Application Services (aka XS or XS Engine) in SAP HANA DB (NewDB100_REL) allows remote attackers to execute arbitrary code via unspecified vectors related to ‘HTTP Login’.


The information has been provided by Nahuel D. Sánchez.


Vulnerable Systems:
 * SAP HANA Database earlier

Immune Systems:
 * SAP HANA Database and later

By sending a crafted HTTP packet to the SAP HANA XS Server, a remote unauthenticated attacker could fully compromise the platform by executing arbitrary code, or cause a denial of service that renders the platform unavailable until the next process restart. SAP HANA DB version is affected.

CVE Information:

Disclosure Timeline:
Original release date: 11/10/2015
Last revised: 11/12/2015
