
THE EVOLUTION OF SAP HANA

HANA systems store and process the most critical business information
in an organization. If an SAP HANA platform is breached, an intruder
would be able to carry out attacks such as:

ESPIONAGE
Obtain customers/vendors/human resources data, financial planning
information, balances, profits, sales information, manufacturing
recipes, etc.

SABOTAGE
Paralyze the operation of the organization by shutting down the SAP
system, disrupting interfaces with other systems and deleting critical
information, etc.

FRAUD
Modify financial information, tamper with sales and purchase orders,
create new vendors, modify vendor bank account numbers, etc.

CRITICAL VULNERABILITIES IN SAP HANA HAVE BEEN ON THE RISE!


As part of its release strategy, SAP has released several versions of SAP HANA over the years. Most of the critical
vulnerabilities reside in the earlier HANA Support Package Stacks, SAP HANA SPS08 and SAP HANA SPS09.

THE EVOLUTION OF SAP HANA

SAP HANA SPS08 (MAY 2014)
First version of HANA analyzed by the Onapsis Research Labs.
Critical Notes:
Top 3 critical advisories for SPS08 are related to XSS Server.
Onapsis Research Labs consider SPS08 a mature version of SAP HANA that would
continue to be relevant for customers throughout the product's evolution.

SAP HANA SPS09 (NOVEMBER 2014)
Security Enhancements:
User/role management, encryption, antivirus software support,
support for multitenant database containers.
Critical Notes:
Potential information disclosure relating to server information
(2148854), SAP HANA secure configuration of internal communication
(2165583), Potential remote code execution in HANA (2197428).

SAP HANA SPS10 (JUNE 2015)
Security Enhancements:
Control allowed access channels for users, simplified certificate
management for SSL/TLS and single sign-on, automatic generation
of PKI/certificates for internal communication channels, additional
hardening options for multitenant database container isolation.
Critical Notes:
Potential termination of running processes triggered by IMPORT
statement (2233136), Log injection and missing size restriction in
SAP HANA Extended Application Services Classic (XS) (2241978),
Potential information leakage using default SSFS master key in
HANA (2183624), Communication encryption for HANA multitenant
database containers does not work as expected (2233550).

SAP HANA SPS11 (NOVEMBER 2015)
Security Enhancements:
Viewing key change information and switching data encryption on,
automatic change of initial SSFS master keys, extended SQL injection
prevention support.
Critical Notes:
Missing communication security for SAP HANA daemon service
(2293958).

SAP HANA SPS12 (MAY 2016)
Security Enhancements:
Authentication (disabling authentication mechanisms), enhanced
database trace information for authorization issues.
Critical Notes:
Information disclosure in CCMS agent of SAP HANA (2347944),
Information disclosure in SAP HANA cockpit for offline
administration (2351486), Information disclosure in SAP HANA XS
classic user self service (2394445).

SAP HANA 2 (NOVEMBER 2016)
SAP is in the process of releasing SAP HANA 2. This is a major release
for SAP, and our Research Labs are in the process of discovering the
latest vulnerabilities for this release.

To ensure effective protection, it is crucial to keep SAP HANA systems updated with the
latest patches, paying particular attention to those that are most critical.
