An attacker can discover the host name of hosts running the SAP HANA Extended Application Services (SAP HANA XS) as well as the version of the SAP Web Dispatcher running on that host. This information could be used to allow the attacker to specialize their attacks against such hosts.
CVSS Base Score: 5.0
CVSS Base Vector: AV:N/AC:L/AU:N/C:P/I:N/A:N
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this note. This estimate does not take into account your own system configuration or operational environment. It is not intended to replace any risk assessments you are advised to conduct when deciding on the applicability or priority of this SAP security note. For more information, see the FAQ section at https://service.sap.com/securitynotes/.
In the default configuration, information such as the host name of the host on which SAP HANA Extended Application Services (SAP HANA XS) is running as well as the version of the SAP Web Dispatcher running on that host can be discovered using an HTTP request.
This information may be used by an attacker to further target the operating system or software running on that host.
To prevent such information disclosure, you are advised to upgrade to SAP HANA revision 60 or higher.
In revisions below 60, the issue can be resolved by setting the following profile parameter in the file /usr/sap/<sid>/HDB<instnumber>/<host>/wdisp/sapwebdisp.pfl:
is/HTTP/show_detailed_errors = FALSE
Afterwards, process "sapwebdisp_hdb" needs to be restarted, for example by killing the process or by using the command "HDB restart".
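The following is an added example, not code from SAP or from this note, showing how an administrator might verify and apply the mitigation above on a SAP Web Dispatcher profile before restarting sapwebdisp_hdb. It assumes the profile uses the usual SAP "key = value" line format with "#" comments, derives the profile path from the SID, instance number and host exactly as the note describes, and treats the parameter as mitigated only when it is explicitly set to FALSE. The sample profile content is constructed for the example; the functions operate on text so the logic can be tested without touching a real system.

```python
"""Check and harden is/HTTP/show_detailed_errors in sapwebdisp.pfl (added example)."""
from pathlib import Path

# Parameter named in the SAP note; the secure value is FALSE.
PARAM = "is/HTTP/show_detailed_errors"
SECURE_VALUE = "FALSE"


def profile_path(sid: str, instnumber: str, host: str) -> str:
    """Build the profile path given in the note from SID, instance number and host."""
    return f"/usr/sap/{sid}/HDB{instnumber}/{host}/wdisp/sapwebdisp.pfl"


def parse_profile(text: str) -> dict:
    """Parse 'key = value' lines; blank lines and '#' comments are ignored.
    Later occurrences of a key override earlier ones (assumed profile semantics)."""
    params = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#") or "=" not in stripped:
            continue
        key, _, value = stripped.partition("=")
        params[key.strip()] = value.strip()
    return params


def detailed_errors_disabled(text: str) -> bool:
    """True only if the parameter is present and set to FALSE (case-insensitive, an assumption).
    A missing parameter means the insecure default from the note still applies."""
    value = parse_profile(text).get(PARAM)
    return value is not None and value.upper() == SECURE_VALUE


def harden_profile(text: str) -> str:
    """Return the profile text with the parameter forced to FALSE.
    Existing (non-comment) settings of the parameter are rewritten in place;
    if it is absent, one line is appended at the end."""
    out = []
    found = False
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped.startswith("#") and stripped.partition("=")[0].strip() == PARAM:
            out.append(f"{PARAM} = {SECURE_VALUE}")
            found = True
        else:
            out.append(line)
    if not found:
        out.append(f"{PARAM} = {SECURE_VALUE}")
    return "\n".join(out) + "\n"


def harden_profile_file(path: str) -> bool:
    """Rewrite the profile on disk if needed; returns True if a change was written.
    The caller is expected to restart sapwebdisp_hdb afterwards, as the note requires."""
    p = Path(path)
    original = p.read_text()
    if detailed_errors_disabled(original):
        return False
    p.write_text(harden_profile(original))
    return True


# Constructed sample profile (not taken from any real system): the parameter is
# present but set to TRUE, so detailed error pages would still be shown.
SAMPLE_PROFILE = """# Constructed sapwebdisp.pfl excerpt for the example
SAPSYSTEMNAME = HDB
INSTANCE_NAME = HDB00
is/HTTP/show_detailed_errors = TRUE
"""

if __name__ == "__main__":
    print("profile:", profile_path("HDB", "00", "hanahost"))
    print("mitigated before:", detailed_errors_disabled(SAMPLE_PROFILE))
    hardened = harden_profile(SAMPLE_PROFILE)
    print("mitigated after:", detailed_errors_disabled(hardened))
    print(hardened)
```

Run harden_profile_file() against the real path from profile_path() only on a host where you administer the instance, then restart sapwebdisp_hdb so the new value takes effect; until the restart the running process still serves detailed error pages.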