Security Experts:

Multiple Vulnerabilities Found in SAP Enterprise Software

Researchers have uncovered several security holes in enterprise software solutions developed by German business software giant SAP.

The vulnerabilities were identified by the research lab of Onapsis, a Boston-based company that provides security solutions for enterprise resource planning (ERP) systems. The firm published a total of seven advisories on Wednesday for flaws in SAP HANA (High-Performance Analytic Appliance), SAP BusinessObjects and SAP NetWeaver Business Warehouse.

According to Onapsis, one of the most serious issues is a high-risk, remotely-exploitable command injection vulnerability affecting the SAP HANA database management system, which could enable an unauthenticated attacker to completely compromise the SAP system and all the information it stores and processes. The vulnerability could expose information on customers, product pricing, employees, financial statements, business intelligence, supply chains, budgeting, planning and forecasting, depending on what the system is used for.

The security hole affects SAP HANA Developers Edition and versions that include the Developer IDE. It was reported to SAP back in February, but the company produced patches only in June, Onapsis said in its advisory.

SAP HANA is also plagued by several reflected cross-site scripting (XSS) flaws, which according to Onapsis, can be leveraged to attack other users of the system. These issues were reported in March and fixed in May.

The data warehouse product SAP NetWeaver Business Warehouse is missing an authorization check which could be remotely exploited by an authenticated attacker to access information that can be used to further attack the platform, Onapsis said.

The other vulnerabilities identified by Onapsis affect the business intelligence solution SAP Business Objects. Two of the issues are related to information disclosure, and one is a persistent XSS affecting the application's "Send to Inbox" functionality. The most serious security hole is a denial-of-service (DoS) flaw that can be leveraged by a remote unauthenticated attacker to completely shut down the application. The SAP Business Object flaws were addressed in June, the advisories shows.

SAP users are advised to download the patches from the SAP Service Marketplace website.

"Our research is shared with vendors and partners, such as SAP, and trusted by users. We are experts in business application security and I would urge all SAP HANA and SAP BusinessObjects users to check our advisories and the remedial steps we share to protect their company’s most important data," said Ezequiel Gutesman, director of research at Onapsis Research Labs.

"Our mission is to transform how organizations protect applications running on SAP platforms that manage business-critical processes and information," noted Mariano Nunez, CEO of Onapsis. "Our differentiator is how we bring together security technology, expertise and analytics to uncover and prioritize the resolution of security gaps - and have delivered great value to over 130 of the world’s largest companies, organizations and most protected brands."


view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.