CVE-2017-16680

Name of the Vulnerable Software and Affected Versions SAP HANA extended application services version 1.0

Description The issue involves two potential audit log injections in SAP HANA extended application services. Firstly, certain HTTP/REST endpoints of the controller service lack user input validation, allowing unprivileged attackers to forge audit log lines and potentially hinder or misdirect the interpretation of audit log files. Secondly, the User Account and Authentication component writes audit logs into syslog and a log file, but the log file entries miss escaping, which could also hinder or misdirect the interpretation of audit log files, while the syslog entries remain correct.

Recommendations For SAP HANA extended application services version 1.0, consider implementing user input validation for the affected HTTP/REST endpoints of the controller service to prevent audit log line forgery. Additionally, ensure proper escaping of audit log entries in the log file to prevent misinterpretation. As a temporary workaround, consider restricting access to the affected log files until a patch is available.