SAP HANA Forum
A potential attacker can perform malicious calls of the debug functions of the SAP HANA Extended Application Services Classic (XS).
Kindly let me know the reason behind this with a proper solution.
Thanks in advance.
An unauthenticated attacker might be able to create specially crafted HTTP requests to the SAP HANA Extended Application Services Classic debug function.
This can lead to forged additional entries in the trace files of the XS process and consume disk space of the HANA system. The additional space consumption is limited due to the trace file rotation which is enabled by default in SAP HANA systems (see the SAP HANA Administration Guide for details).
In addition, specially crafted HTTP requests can consume the available memory buffers and lead to a crash of the XS process. The XS process will be restarted automatically by the SAP HANA system.
Existing data cannot be changed or read by this vulnerability.
The debug function has been improved with SAP HANA revision 102.02 for SPS10 or later. Update to this or a later version. SPS 11 is not affected.
Workaround: The internal HANA Web Dispatcher can be used to block debugger requests.
To achieve this, add the parameter icm/HTTP/auth_1 with the content PREFIX=/sap/hana/xs/debugger, PERMFILE=/dev/null in the webdispatcher.ini configuration section [profile]. As an alternative, you can block access to the URLs /sap/hana/xs/debugger/* on the network layer (e.g. with a firewall or reverse proxy).
Please be aware that with this workaround the debugging of SAP HANA Extended Application Services (XS) will not be available (including the XS debugging via SAP HANA Studio).
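The following is an added audit helper, not code from the answer above or from SAP: it parses the [profile] section of a webdispatcher.ini and reports whether an icm/HTTP/auth_<n> rule with an empty permission file covers the /sap/hana/xs/debugger prefix. It assumes the section uses plain `key = value` lines, and both ini samples are constructed for the example.

```python
"""Check a webdispatcher.ini [profile] section for the icm/HTTP/auth_<n>
rule that blocks the XS debugger URL prefix (workaround from the answer)."""
import configparser

DEBUGGER_PREFIX = "/sap/hana/xs/debugger"

# Constructed sample: no auth rule, so debugger URLs pass through.
WEAK_INI = """[profile]
icm/server_port_0 = PROT=HTTP,PORT=8000
"""

# Constructed sample: the workaround applied.
HARDENED_INI = """[profile]
icm/server_port_0 = PROT=HTTP,PORT=8000
icm/HTTP/auth_1 = PREFIX=/sap/hana/xs/debugger, PERMFILE=/dev/null
"""


def parse_auth_rules(ini_text):
    """Return one dict of sub-options per icm/HTTP/auth_<n> parameter."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep parameter names case-sensitive
    cp.read_string(ini_text)
    rules = []
    if not cp.has_section("profile"):
        return rules
    for key, value in cp.items("profile"):
        if not key.startswith("icm/HTTP/auth_"):
            continue
        # Sub-options are comma-separated NAME=VALUE pairs.
        opts = {}
        for part in value.split(","):
            name, _, val = part.strip().partition("=")
            opts[name.upper()] = val.strip()
        rules.append(opts)
    return rules


def request_path_blocked(path, ini_text):
    """True if some rule denies `path` via PERMFILE=/dev/null."""
    for rule in parse_auth_rules(ini_text):
        prefix = rule.get("PREFIX", "")
        if prefix and path.startswith(prefix) and rule.get("PERMFILE") == "/dev/null":
            return True
    return False


def debugger_blocked(ini_text):
    """True if the whole debugger prefix is covered by a blocking rule."""
    return request_path_blocked(DEBUGGER_PREFIX, ini_text)
```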