Last week quite a big blast of news about the Heartbleed bug spread across the internet and major media. The bug is a serious vulnerability (CVE-2014-0160) within the OpenSSL cryptographic library. The issue allows access to (web) servers using the OpenSSL library, letting a potential attacker read memory and thereby gain information that is not intended to be provided. To see what the Heartbleed bug really is, refer here. There are thousands of servers on the internet using the library. The Heartbleed bug also has an impact on enterprise software, as the library is very popular within enterprises as well, SAP software included.
Most SAP solutions do not use the OpenSSL library; they use the SAP Cryptographic Library (called CommonCryptoLib in the most recent releases). As per SAP's statement on SMP's security page, there are no indications that major products like NetWeaver or HANA are affected. However, the investigation is still ongoing. For the BusinessObjects solution there is even an SAP Note, “2003582 – How does The Heartbleed Bug (OpenSSL vulnerability) affects SAP BusinessObjects Xi3.1 and Business Intelligence products 4/4.1”. The Note discusses several BusinessObjects solutions. As per the Note, BusinessObjects is not affected unless customers do not enable SSL using APR in the native Tomcat library.
I would suggest watching SAP updates on this topic, e.g. via Security Notes.
For full coverage of the Heartbleed bug, see the following sites: