Security Experts:

Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Data Protection

Multiple Vulnerabilities Found in SAP Enterprise Software

Researchers have uncovered several security holes in enterprise software solutions developed by German business software giant SAP.

Researchers have uncovered several security holes in enterprise software solutions developed by German business software giant SAP.

The vulnerabilities were identified by the research lab of Onapsis, a Boston-based company that provides security solutions for enterprise resource planning (ERP) systems. The firm published a total of seven advisories on Wednesday for flaws in SAP HANA (High-Performance Analytic Appliance), SAP BusinessObjects and SAP NetWeaver Business Warehouse.

According to Onapsis, one of the most serious issues is a high-risk, remotely-exploitable command injection vulnerability affecting the SAP HANA database management system, which could enable an unauthenticated attacker to completely compromise the SAP system and all the information it stores and processes. The vulnerability could expose information on customers, product pricing, employees, financial statements, business intelligence, supply chains, budgeting, planning and forecasting, depending on what the system is used for.

The security hole affects SAP HANA Developers Edition and versions that include the Developer IDE. It was reported to SAP back in February, but the company produced patches only in June, Onapsis said in its advisory.

SAP HANA is also plagued by several reflected cross-site scripting (XSS) flaws, which according to Onapsis, can be leveraged to attack other users of the system. These issues were reported in March and fixed in May.

The data warehouse product SAP NetWeaver Business Warehouse is missing an authorization check which could be remotely exploited by an authenticated attacker to access information that can be used to further attack the platform, Onapsis said.

The other vulnerabilities identified by Onapsis affect the business intelligence solution SAP Business Objects. Two of the issues are related to information disclosure, and one is a persistent XSS affecting the application’s “Send to Inbox” functionality. The most serious security hole is a denial-of-service (DoS) flaw that can be leveraged by a remote unauthenticated attacker to completely shut down the application. The SAP Business Object flaws were addressed in June, the advisories shows.

SAP users are advised to download the patches from the SAP Service Marketplace website.

“Our research is shared with vendors and partners, such as SAP, and trusted by users. We are experts in business application security and I would urge all SAP HANA and SAP BusinessObjects users to check our advisories and the remedial steps we share to protect their company’s most important data,” said Ezequiel Gutesman, director of research at Onapsis Research Labs.

“Our mission is to transform how organizations protect applications running on SAP platforms that manage business-critical processes and information,” noted Mariano Nunez, CEO of Onapsis. “Our differentiator is how we bring together security technology, expertise and analytics to uncover and prioritize the resolution of security gaps – and have delivered great value to over 130 of the world’s largest companies, organizations and most protected brands.”

 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content

Application Security

Cycode, a startup that provides solutions for protecting software source code, emerged from stealth mode on Tuesday with $4.6 million in seed funding.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.

Mobile & Wireless

Apple rolled out iOS 16.3 and macOS Ventura 13.2 to cover serious security vulnerabilities.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Mobile & Wireless

Technical details published for an Arm Mali GPU flaw leading to arbitrary kernel code execution and root on Pixel 6.

Mobile & Wireless

Apple’s iOS 12.5.7 update patches CVE-2022-42856, an actively exploited vulnerability, in old iPhones and iPads.

Vulnerabilities

Security researchers have observed an uptick in attacks targeting CVE-2021-35394, an RCE vulnerability in Realtek Jungle SDK.

Email Security

Microsoft is urging customers to install the latest Exchange Server updates and harden their environments to prevent malicious attacks.