Click here to close now.




















Welcome!

News Feed Item

Onapsis Research Labs Releases Six New Critical Security Advisories for Companies Using SAP

Latest Threats Target Key Administration Capabilities for SAP HANA and Allow Remote Attackers to Access Restricted Functionality to Gain Access to Any Organization's Secure Information

CAMBRIDGE, MA--(Marketwired - July 30, 2014) - Onapsis, Inc., a leading provider of solutions and research to audit and mitigate advanced threats targeting business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Finance and Accounting, Human Capital Management and Business Intelligence (BI), has released six new security advisories for SAP users. With more than 250,000 SAP installations in 188 countries, numerous organizations across the world could be impacted by the highlighted vulnerabilities.

The security advisories come from Onapsis Research Labs which continuously investigates, detects and reports exploitable vulnerabilities. The advisories enable vendors to prioritize patches and updates, while Onapsis customer and partner communities benefit from real-time analysis. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the information to mitigate advanced threats.

Onapsis Research Labs experts will be at Black Hat USA 2014 in Las Vegas from August 2-7 (booth #1131) to brief front-line security practitioners on the latest SAP advisories and discuss best practices for mitigating advanced threats. Onapsis customers will gain deep insight into the advisories from the Onapsis Security Research team during the company's exclusive annual customer advisory council on August 4 at the MGM Grand.

"We advise all SAP users to review our advisories and ensure that their systems are protected from the latest threats," said Juan Perez-Etchegoyen, CTO of Onapsis. "Ignored vulnerabilities may compromise SAP systems, but as experts in business critical application security we work to secure and protect systems while continuously monitoring for future vulnerabilities. Our customers receive instant access to fixes and have an advantage over other organizations that fail to protect their 'Crown Jewels'."

The following advisories have been released by experts at Onapsis Research Labs to alert vendors and user communities of the cyber-security risks affecting their business critical systems. Administrators, owners and users can sign up for alerts by clicking here.

  1. Multiple cross-site scripting vulnerabilities in SAP HANA XS Administration Tool
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
  • Affected components: SAP HANA XS Administration Tool, a web application used to administer and maintain the HANA XS Engine
  • Details: Functions within SAP HANA XS Administration Tool do not sufficiently encode or filter output parameters, resulting in a reflected cross-site scripting vulnerability. A reflected cross-site scripting attack can be used to temporarily deface or modify displayed content for targeted users of the website
  • Solution: SAP has released SAP Note 1993349 to provide patched versions of the affected components
  1. SAP HANA IU5 SDK authentication bypass
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services
  • Details: SAP HANA Extend Application Services (XL) based applications can be set to have 'public' access (i.e. no authentication required). Despite this configuration changing to 'non-public' in the SAP HANA IU5 SDK Application, no authentication is needed to access these applications, which still allow public access
  • Solution: SAP has released SAP Note 1964428 to provide patched versions of the affected components
  1. SAP HANA XS missing encryption in form-based authentication
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services. SAP HANA does not enforce any encryption in form-based authentication, enabling anonymous users to get information such as valid credentials from captured network traffic and gain access to the system
  • Details: SAP HANA Extend Application Services (XS) based applications can be set to 'form based authentication' access using SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption
  • Solution: SAP has released SAP Note 1963932 to provide patched versions of the affected components
  1. HTTP verb tampering issue in SAP_JTECHS
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Affected components: SAP Solution Manager 7.1
  • Details: License Measurement Servlet is prone to verb tampering attacks, allowing remote unauthenticated attackers to access restricted functionality. Technical details of this issue are still pending with the purpose of providing time for affected customers to apply the SAP Security Note.
  • Solution: SAP has released SAP Note 1778940 to provide patched versions of the affected components
  1. Hard-coded user name in SAP FI Manager Self-Service
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
  • Affected components: SAP FI Manager allows management employees to perform their tasks and decision processes using different services and applications from a central location
  • Details: The program contains a hard-coded user name that changes the system's behavior if a user is successfully authenticated. This user may gain access to additional information that should not be displayed
  • Solution: SAP has released SAP Note 1929473 to provide patched versions of the affected components. Download: https://service.sap.com/sap/support/notes/1920323
  1. Missing authorization check in function modules of BW-SYS-DB-DB4
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
  • Affected components: SAP Netweaver Business Warehouse component
  • Details: A remote authenticated attacker could execute the vulnerable RFC functions in function group BW-SYS-DB-DB4. These do not check for authorizations and would allow the attacker to obtain sensitive information regarding the target application server
  • Solution: SAP has released SAP Note 1974016 to provide patched versions of the affected components

    About Onapsis
    Onapsis Inc. is the leading provider of cyber security solutions to audit and protect business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Business Intelligence (BI). Onapsis solutions empower information security and audit professionals to understand and efficiently mitigate the cyber security risks affecting their SAP, Oracle and other business-critical applications, preventing espionage, sabotage and financial fraud attacks while streamlining compliance with internal and regulatory requirements.

    As the industry standard, trusted by the leading audit firms and deployed by Global 1000 and military organizations, Onapsis X1 is the most widely-used solution to detect cyber security risks and compliance violations affecting SAP business platforms. Unmatched by generic security monitoring products, Onapsis X1's unique SAP-certified capabilities integrate seamlessly into existing GRC and Risk Management practices, providing unprecedented visibility to protect critical business processes. At the heart of the company, the Onapsis Research Labs consists of the thought-leaders that continue to redefine the ERP security industry.

    For more information please visit www.onapsis.com and follow us on Twitter: @onapsis

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

Latest Stories
Puppet Labs has announced the next major update to its flagship product: Puppet Enterprise 2015.2. This release includes new features providing DevOps teams with clarity, simplicity and additional management capabilities, including an all-new user interface, an interactive graph for visualizing infrastructure code, a new unified agent and broader infrastructure support.
For IoT to grow as quickly as analyst firms’ project, a lot is going to fall on developers to quickly bring applications to market. But the lack of a standard development platform threatens to slow growth and make application development more time consuming and costly, much like we’ve seen in the mobile space. In his session at @ThingsExpo, Mike Weiner, Product Manager of the Omega DevCloud with KORE Telematics Inc., discussed the evolving requirements for developers as IoT matures and conducte...
Container technology is sending shock waves through the world of cloud computing. Heralded as the 'next big thing,' containers provide software owners a consistent way to package their software and dependencies while infrastructure operators benefit from a standard way to deploy and run them. Containers present new challenges for tracking usage due to their dynamic nature. They can also be deployed to bare metal, virtual machines and various cloud platforms. How do software owners track the usag...
Explosive growth in connected devices. Enormous amounts of data for collection and analysis. Critical use of data for split-second decision making and actionable information. All three are factors in making the Internet of Things a reality. Yet, any one factor would have an IT organization pondering its infrastructure strategy. How should your organization enhance its IT framework to enable an Internet of Things implementation? In his session at @ThingsExpo, James Kirkland, Red Hat's Chief Arch...
Providing the needed data for application development and testing is a huge headache for most organizations. The problems are often the same across companies - speed, quality, cost, and control. Provisioning data can take days or weeks, every time a refresh is required. Using dummy data leads to quality problems. Creating physical copies of large data sets and sending them to distributed teams of developers eats up expensive storage and bandwidth resources. And, all of these copies proliferating...
Malicious agents are moving faster than the speed of business. Even more worrisome, most companies are relying on legacy approaches to security that are no longer capable of meeting current threats. In the modern cloud, threat diversity is rapidly expanding, necessitating more sophisticated security protocols than those used in the past or in desktop environments. Yet companies are falling for cloud security myths that were truths at one time but have evolved out of existence.
Digital Transformation is the ultimate goal of cloud computing and related initiatives. The phrase is certainly not a precise one, and as subject to hand-waving and distortion as any high-falutin' terminology in the world of information technology. Yet it is an excellent choice of words to describe what enterprise IT—and by extension, organizations in general—should be working to achieve. Digital Transformation means: handling all the data types being found and created in the organizat...
Public Cloud IaaS started its life in the developer and startup communities and has grown rapidly to a $20B+ industry, but it still pales in comparison to how much is spent worldwide on IT: $3.6 trillion. In fact, there are 8.6 million data centers worldwide, the reality is many small and medium sized business have server closets and colocation footprints filled with servers and storage gear. While on-premise environment virtualization may have peaked at 75%, the Public Cloud has lagged in adop...
SYS-CON Events announced today that HPM Networks will exhibit at the 17th International Cloud Expo®, which will take place on November 3–5, 2015, at the Santa Clara Convention Center in Santa Clara, CA. For 20 years, HPM Networks has been integrating technology solutions that solve complex business challenges. HPM Networks has designed solutions for both SMB and enterprise customers throughout the San Francisco Bay Area.
The time is ripe for high speed resilient software defined storage solutions with unlimited scalability. ISS has been working with the leading open source projects and developed a commercial high performance solution that is able to grow forever without performance limitations. In his session at Cloud Expo, Alex Gorbachev, President of Intelligent Systems Services Inc., shared foundation principles of Ceph architecture, as well as the design to deliver this storage to traditional SAN storage co...
The Software Defined Data Center (SDDC), which enables organizations to seamlessly run in a hybrid cloud model (public + private cloud), is here to stay. IDC estimates that the software-defined networking market will be valued at $3.7 billion by 2016. Security is a key component and benefit of the SDDC, and offers an opportunity to build security 'from the ground up' and weave it into the environment from day one. In his session at 16th Cloud Expo, Reuven Harrison, CTO and Co-Founder of Tufin,...
MuleSoft has announced the findings of its 2015 Connectivity Benchmark Report on the adoption and business impact of APIs. The findings suggest traditional businesses are quickly evolving into "composable enterprises" built out of hundreds of connected software services, applications and devices. Most are embracing the Internet of Things (IoT) and microservices technologies like Docker. A majority are integrating wearables, like smart watches, and more than half plan to generate revenue with ...
The Cloud industry has moved from being more than just being able to provide infrastructure and management services on the Cloud. Enter a new era of Cloud computing where monetization’s services through the Cloud are an essential piece of strategy to feed your organizations bottom-line, your revenue and Profitability. In their session at 16th Cloud Expo, Ermanno Bonifazi, CEO & Founder of Solgenia, and Ian Khan, Global Strategic Positioning & Brand Manager at Solgenia, discussed how to easily o...
The Internet of Everything (IoE) brings together people, process, data and things to make networked connections more relevant and valuable than ever before – transforming information into knowledge and knowledge into wisdom. IoE creates new capabilities, richer experiences, and unprecedented opportunities to improve business and government operations, decision making and mission support capabilities.
In their session at 17th Cloud Expo, Hal Schwartz, CEO of Secure Infrastructure & Services (SIAS), and Chuck Paolillo, CTO of Secure Infrastructure & Services (SIAS), provide a study of cloud adoption trends and the power and flexibility of IBM Power and Pureflex cloud solutions. In his role as CEO of Secure Infrastructure & Services (SIAS), Hal Schwartz provides leadership and direction for the company.