Holey HANA! SAP patches 12 bugs
SAP, a German software company, has patched 12 holes in HANA, its memory management system. The holes, if left unpatched, could have led to SQL injection attacks, cross-site scripting and memory corruption.
The patch as well as the holes were reported by Onapsis, a security firm which discovered the vulnerabilities. The announcement released yesterday was not of their discovery, nor of their patching which had all been done months ago in April and May. The announcement was merely to tell consumers that the holes had been patched.
HANA, SAP's High-performance ANalytic Appliance, is a database management system that provides real-time intelligence to businesses
ThreatPost.com, a security website, reports that “perhaps the most pressing vulnerability the firm found could have let an attacker exploit multiple memory corruption vulnerabilities in its HDBSQL client to abuse management interfaces on the system”.
Other vulnerabilities, ThreatPost reports, “could have let a remote attacker read secret business information stored on the system and tweak certain parameters to lock other users out”.