Connect with us

Hi, what are you looking for?



SAP Patches Bugs in Business Apps

SAP has patched two serious vulnerabilities affecting users of their SAP BASIS and SAP BusinessObjects enterprise software.

SAP has patched two serious vulnerabilities affecting users of their SAP BASIS and SAP BusinessObjects enterprise software.

The vulnerabilities were uncovered by researchers at security firm Onapsis. According to Onapsis, the most serious of the vulnerabilities impacts BusinessObjects users and can be used to potentially access and modify information stored on the SAP BusinessObjects server.

“SAP Business Objects allows a remote user, potentially using a Guest account if enabled, to perform CORBA calls to resources that should be restricted by correctly checking the privileges of the user performing the request,” Onapsis said in an advisory. “Using CORBA calls it is possible to escalate privileges from any valid user to System privileges in BusinessObjects. The System Account can perform any action in BusinessObjects. An unauthenticated attacker (if Guest user is enabled, so no credentials are required) can obtain the SI_PLATFORM_SEARCH_SERVER_LOGON_TOKEN via CORBA. This token can be used, also via CORBA, to perform actions as SYSTEM, thus escalating privileges.”

The vulnerability is remotely exploitable, and impacts BusinessObjects Edge 4.1.

Advertisement. Scroll to continue reading.

The second vulnerability is rated “high” by Onapsis and impacts authorization checks for SAP BASIS. If exploited successfully, the vulnerability enables an authenticated attacker to access background processing that automates routine tasks. If this process is tampered with, the attacker would be able to compromise the SAP system’s ability to properly run business-critical reports and programs, Onapsis notes.

“The Batch input Recorder is part of the SAP background processing which automates routine tasks and helps the user optimize his organization’s SAP computing resources,” according to the Onapsis advisory. “Using background processing, the user can tell the SAP System to run programs for him. Background processing lets the user move long-running or resource-intensive program runs to times when the system load is low. It also lets the user delegate to the system the task of running reports or programs. Transaction SHDB (batch input recorder) does not perform any authority check to display recordings performed by any user.”

The issue impacts SAP NetWeaver 7.00, 7.01, 7.02, 7.10, 7.11, 7.20, 7.30, 7.31 and 7.40.

“Advanced threats targeting SAP systems that run business-critical applications are increasing at an alarming rate,” said Ezequiel Gutesman, director of research at Onapsis Research Labs, in a statement. “These security advisories are the latest example of how key systems are vulnerable to attack and have to be a main focus of an organization’s security strategy. Additionally, it is now an executive imperative to understand the risks associated with SAP security posture and potential business impact.” 

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Data Breaches

OpenAI has confirmed a ChatGPT data breach on the same day a security firm reported seeing the use of a component affected by an...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


The latest Chrome update brings patches for eight vulnerabilities, including seven reported by external researchers.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

IoT Security

A group of seven security researchers have discovered numerous vulnerabilities in vehicles from 16 car makers, including bugs that allowed them to control car...

IoT Security

A vulnerability affecting Dahua cameras and video recorders can be exploited by threat actors to modify a device’s system time.