Recent reports referring to "Heartbleed" (see http://heartbleed.com) describe a vulnerability that potentially affects many hardware and software vendors, and their customers. It is stated that the vulnerability could allow an unauthenticated, remote attacker to retrieve memory from a connected client or server that uses the OpenSSL library. The cause is a missing bounds check in the handling of the Transport Layer Security (TLS) heartbeat extension. As a possible result, the disclosed portions of memory could contain sensitive information, including private keys and passwords.
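To make the missing bounds check concrete, the following is an added illustration (not SAP's or OpenSSL's code) of a simplified parser for the heartbeat request layout defined in RFC 6520: one byte of type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding. The parser refuses any record whose claimed payload length does not fit in the bytes actually received; the record builder, the demo functions and the sample inputs are assumptions constructed for this illustration.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define HB_REQUEST     1   /* HeartbeatMessageType heartbeat_request (RFC 6520) */
#define HB_MIN_PADDING 16  /* RFC 6520 requires at least 16 bytes of padding */

/* Parse one heartbeat request record and copy its payload into out.
 * Returns the number of payload bytes copied, or -1 if the record is
 * malformed and must be discarded silently (RFC 6520, section 4).
 * The Heartbleed defect was that the peer-supplied length field was used
 * as the copy length without comparing it to rec_len, so the copy read
 * past the received record into adjacent process memory. */
int parse_heartbeat_request(const uint8_t *rec, size_t rec_len,
                            uint8_t *out, size_t out_cap)
{
    if (rec == NULL || out == NULL)
        return -1;
    /* Need at least type + length field + minimum padding. */
    if (rec_len < 1 + 2 + HB_MIN_PADDING)
        return -1;
    if (rec[0] != HB_REQUEST)
        return -1;

    size_t payload_len = ((size_t)rec[1] << 8) | rec[2];

    /* The bounds check: the claimed payload plus header and mandatory
     * padding must fit inside the bytes that were actually received. */
    if (1 + 2 + payload_len + HB_MIN_PADDING > rec_len)
        return -1;
    if (payload_len > out_cap)
        return -1;

    memcpy(out, rec + 3, payload_len);
    return (int)payload_len;
}

/* Constructed test input builder (hypothetical helper): writes a heartbeat
 * request whose length field says claimed_len while only actual_len payload
 * bytes are really present, followed by 16 zero padding bytes.
 * Returns the total record size, or 0 if buf is too small. */
size_t build_heartbeat_record(uint8_t *buf, size_t cap,
                              uint16_t claimed_len, size_t actual_len)
{
    size_t total = 1 + 2 + actual_len + HB_MIN_PADDING;
    if (buf == NULL || total > cap)
        return 0;
    buf[0] = HB_REQUEST;
    buf[1] = (uint8_t)(claimed_len >> 8);
    buf[2] = (uint8_t)(claimed_len & 0xFF);
    for (size_t i = 0; i < actual_len; i++)
        buf[3 + i] = (uint8_t)('A' + i % 26);   /* filler payload */
    memset(buf + 3 + actual_len, 0, HB_MIN_PADDING);
    return total;
}

/* Honest request: length field and actual payload agree (4 bytes). */
int demo_honest_request(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_heartbeat_record(rec, sizeof rec, 4, 4);
    return parse_heartbeat_request(rec, n, out, sizeof out);  /* 4 */
}

/* Malformed request: length field claims 65535 bytes, only 4 are sent. */
int demo_oversized_claim(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_heartbeat_record(rec, sizeof rec, 0xFFFF, 4);
    return parse_heartbeat_request(rec, n, out, sizeof out);  /* -1 */
}

/* Truncated request: fewer bytes than even header plus padding. */
int demo_truncated_record(void)
{
    uint8_t rec[64], out[64];
    size_t n = build_heartbeat_record(rec, sizeof rec, 4, 4);
    return parse_heartbeat_request(rec, n - 10, out, sizeof out);  /* -1 */
}

int main(void)
{
    printf("honest request   -> %d\n", demo_honest_request());
    printf("oversized claim  -> %d\n", demo_oversized_claim());
    printf("truncated record -> %d\n", demo_truncated_record());
    return 0;
}
```

The check that matters is the comparison of the claimed payload length against `rec_len`; a handler that trusts the length field and copies that many bytes returns whatever happens to follow the record in memory, which is exactly the disclosure the reports describe.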
SAP takes every security-related report very seriously and immediately started an evaluation process to determine whether, which, and how SAP product lines might be affected. The evaluation is still ongoing, since a multitude of application scenarios require proper evaluation, quality measures, and execution, but at the current state of the investigation SAP has no indication that SAP HANA Platform is affected by this vulnerability.
Background: the SSL/TLS protocol can be used to encrypt communication between client and server of SAP HANA, or between SAP HANA servers. To encrypt client-server connections for JDBC/ODBC access to the SAP HANA Database (or for communication encryption in system replication scenarios), customers can choose to use OpenSSL as an alternative to the recommended CommonCryptoLib from SAP.
If OpenSSL is selected and used, SAP HANA Platform uses the OpenSSL library included and supported in the SUSE Linux Enterprise Server (SLES) 11 distribution. The SLES 11 distribution contains a version of OpenSSL that is not affected by the Heartbleed vulnerability (see http://support.novell.com/security/cve/CVE-2014-0160.html).
Access via HTTP (SAP HANA Extended Application Services) uses CommonCryptoLib from SAP and is therefore not affected by this vulnerability.
SAP will notify customers as new information on this topic becomes available.