Monday, April 14, 2014

Heartbleed – bug in OpenSSL, is SAP affected?

Last week news of the Heartbleed bug spread rapidly across the internet and the major media. The bug is a serious vulnerability (CVE-2014-0160) in the OpenSSL cryptographic library. It affects access to a (web) server that uses the OpenSSL library, allowing a potential attacker to read server memory and thereby obtain information that was never intended to be disclosed. To see what the Heartbleed bug really is, refer here. There are thousands of servers on the internet using the library. The Heartbleed bug also has an impact on enterprise software, as OpenSSL is very popular within enterprises as well, SAP software included.
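To make the "read memory" point concrete, here is an added illustration (not code from the original post or from OpenSSL) of the defect class behind Heartbleed: a TLS heartbeat handler that trusts the declared payload length next to one that applies the RFC 6520 length check the fix introduced. The message layout, the handler names and the bytes standing in for process memory are all constructed for this example.

```python
import struct
from typing import Optional

# Constructed model of the TLS heartbeat extension (RFC 6520): a message is
# type(1 byte) | payload_length(2 bytes) | payload | padding(>=16 bytes).
# Illustrative code only, not OpenSSL's; "memory" is a plain bytes object
# standing in for the heap around the received record.
HB_REQUEST, HB_RESPONSE = 1, 2
HDR = 3          # type + payload_length
PADDING = 16     # minimum padding required by RFC 6520

def build_request(payload: bytes, declared_length: Optional[int] = None) -> bytes:
    """Build a heartbeat request; declared_length lets the header disagree with the real size."""
    length = len(payload) if declared_length is None else declared_length
    return struct.pack("!BH", HB_REQUEST, length) + payload + b"\x00" * PADDING

def respond_unchecked(memory: bytes) -> bytes:
    """The defect class: trust payload_length from the header and echo that many bytes
    starting at the payload, which may run past the record into adjacent memory."""
    _, payload_length = struct.unpack("!BH", memory[:HDR])
    echoed = memory[HDR:HDR + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + echoed + b"\x00" * PADDING

def respond_checked(record: bytes) -> Optional[bytes]:
    """The mitigation: RFC 6520 requires silently discarding a message whose declared
    payload_length does not fit in the received record. Returns None in that case."""
    if len(record) < HDR + PADDING:
        return None
    _, payload_length = struct.unpack("!BH", record[:HDR])
    if HDR + payload_length + PADDING > len(record):
        return None
    payload = record[HDR:HDR + payload_length]
    return struct.pack("!BH", HB_RESPONSE, payload_length) + payload + b"\x00" * PADDING

def echoed_payload(response: bytes) -> bytes:
    """Extract the echoed payload from a heartbeat response."""
    _, payload_length = struct.unpack("!BH", response[:HDR])
    return response[HDR:HDR + payload_length]

if __name__ == "__main__":
    # Constructed scenario: a record claiming 64 payload bytes while carrying 4,
    # followed in "memory" by unrelated data a correct server would never echo.
    record = build_request(b"ping", declared_length=64)
    memory = record + b"session=constructed-secret-value;" + b"\x00" * 64
    leaked = echoed_payload(respond_unchecked(memory))
    print("unchecked handler echoed", len(leaked), "bytes; adjacent data included:",
          b"constructed-secret" in leaked)
    print("checked handler result for the same record:", respond_checked(record))
```

The checked handler also accepts a well-formed request and echoes exactly the bytes it received, which is the behaviour patched OpenSSL builds exhibit.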

Most SAP solutions do not use the OpenSSL library; they use the SAP Cryptographic Library (called CommonCryptoLib in the most recent releases). As per the SAP statement on the SMP security page, there are no indications that major products like NetWeaver or HANA are affected; however, the investigation is still ongoing. For the BusinessObjects solution there is even SAP Note 2003582 – "How does The Heartbleed Bug (OpenSSL vulnerability) affect SAP BusinessObjects XI 3.1 and Business Intelligence products 4/4.1". The Note discusses several BusinessObjects solutions. As per the note, BusinessObjects is not affected unless customers enable SSL using APR in the native Tomcat library.

I would suggest watching SAP updates on this topic, e.g. via Security Notes.

For full coverage of the Heartbleed bug see the following sites:
