
Question: Security Threat OSS Note 2067859

Good Afternoon All,

question, OSS Note 2067859 describes a security vulnerability, and if you read the OSS Note,

PLEASE do not quote the OSS Note here, just read it,

if you read the OSS Note it says in the Symptom...

     used by SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP and SAP HANA applications

we are debating, did the author intend this to mean,

a)

     SAP NetWeaver Application Server (SAP NetWeaver AS) for ABAP


          and


     SAP HANA applications


     (therefore meaning this vulnerability, if you have the described setup, would affect every ABAP Stack [regardless of db]

     in your landscape where you have that setup)


or, did the author intend this to mean,


b)


     SAP NetWeaver Application Server (SAP NetWeaver AS)


          for ABAP and (SAP) HANA (applications)


     (therefore meaning this vulnerability, if you have the described setup, would affect your systems where you

     have an ABAP Stack on Hana db)



What does the jury think, is it a) or b) ?


Please as requested do not publish here any more details from the OSS Note than have already been given.


Best regards,


Andy.


4 Answers

  • Best Answer
    Former Member
    Oct 17, 2014 at 12:30 PM

    My interpretation:

    All ABAP application server systems regardless of library.

    All HANA systems regardless of library.

    ...and all JAVA application servers which are not using the cryptolib -> i.e. JAVA servers with seculib.

    The last sentence of the note is also important, in case you had trouble or disbelief in interpreting what you have to do there...

    Cheers,

    Julius

  • Nov 11, 2014 at 11:47 AM

    POODLE

    Today the POODLE resolution OSS Note has been published:

         2089135 - Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol


    and supporting Notes:

    SAP Note 2092630 – Turning off SSLv3 on SAP NETWEAVER AS ABAP and AS JAVA, and on SAP HANA XS

    SAP Note 2089135 – Upgrade OpenSSL to resolve the POODLE issue with the SSL 3.0 protocol

    SAP Note 2083444 – Impact of the POODLE vulnerability on SAP BusinessObjects software


    Best regards,


    Andy.


  • Oct 20, 2014 at 07:01 AM

    Hi @Frank Buchholz and Former Member

    thank you for joining this discussion so promptly and thank you for your expert feedback.

    I too received the email last week, but I interpreted the words incorrectly and didn't make the extra effort to read the attachment to 2068693; had I done so, I would have better understood the scope.

    Still, towards the end of last week I was having doubts, and as I would rather ask a question and be wrong than not ask, I put this question here, and I am thankful that I did so.

    To wrap up, thanks again, the message is clear, and we will act on it, and this thread will hopefully be useful to others, basically:

         DSA is out - we should all know that from our MS Active Directories which no longer (Win2012) support DSA

         ABAP and Hana systems need an upgraded CryptoLib

         Java stacks which have ABAP certificates will need the certificates reimported

         Nice to have would be to upgrade the cryptolib on the Java stacks while you are at it, but this is not a pre-requisite

         The associated OSS Notes are:

                   note 2068693

                             Make sure to read the attachment to the Note; if you have SolMan 7.1 SP10 or higher, there's a tool for checking dependencies

                   note 2067859


    Best regards,

    Andy.


  • Oct 17, 2014 at 08:58 PM

    Does anyone know more technical details about this issue? I found this blog but section Technical Details lacks details :-). I am really interested in this. I thought that SAP is also suffering from POODLE CVE-2014-3566 but that really seems to be specific to OpenSSL.

    Cheers


    • Former Member Andy Silvey

      Yes, we used to call it the "enterprise portal" at the time.

      All things need prototyping, I don't judge it. But there are still some out there.

      Cheers,

      Julius