Welcome!

News Feed Item

Onapsis Research Labs Releases Six New Critical Security Advisories for Companies Using SAP

Latest Threats Target Key Administration Capabilities for SAP HANA and Allow Remote Attackers to Access Restricted Functionality to Gain Access to Any Organization's Secure Information

CAMBRIDGE, MA--(Marketwired - July 30, 2014) - Onapsis, Inc., a leading provider of solutions and research to audit and mitigate advanced threats targeting business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Finance and Accounting, Human Capital Management and Business Intelligence (BI), has released six new security advisories for SAP users. With more than 250,000 SAP installations in 188 countries, numerous organizations across the world could be impacted by the highlighted vulnerabilities.

The security advisories come from Onapsis Research Labs which continuously investigates, detects and reports exploitable vulnerabilities. The advisories enable vendors to prioritize patches and updates, while Onapsis customer and partner communities benefit from real-time analysis. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the information to mitigate advanced threats.

Onapsis Research Labs experts will be at Black Hat USA 2014 in Las Vegas from August 2-7 (booth #1131) to brief front-line security practitioners on the latest SAP advisories and discuss best practices for mitigating advanced threats. Onapsis customers will gain deep insight into the advisories from the Onapsis Security Research team during the company's exclusive annual customer advisory council on August 4 at the MGM Grand.

"We advise all SAP users to review our advisories and ensure that their systems are protected from the latest threats," said Juan Perez-Etchegoyen, CTO of Onapsis. "Ignored vulnerabilities may compromise SAP systems, but as experts in business critical application security we work to secure and protect systems while continuously monitoring for future vulnerabilities. Our customers receive instant access to fixes and have an advantage over other organizations that fail to protect their 'Crown Jewels'."

The following advisories have been released by experts at Onapsis Research Labs to alert vendors and user communities of the cyber-security risks affecting their business critical systems. Administrators, owners and users can sign up for alerts by clicking here.

  1. Multiple cross-site scripting vulnerabilities in SAP HANA XS Administration Tool
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
  • Affected components: SAP HANA XS Administration Tool, a web application used to administer and maintain the HANA XS Engine
  • Details: Functions within SAP HANA XS Administration Tool do not sufficiently encode or filter output parameters, resulting in a reflected cross-site scripting vulnerability. A reflected cross-site scripting attack can be used to temporarily deface or modify displayed content for targeted users of the website
  • Solution: SAP has released SAP Note 1993349 to provide patched versions of the affected components
  1. SAP HANA IU5 SDK authentication bypass
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services
  • Details: SAP HANA Extend Application Services (XL) based applications can be set to have 'public' access (i.e. no authentication required). Despite this configuration changing to 'non-public' in the SAP HANA IU5 SDK Application, no authentication is needed to access these applications, which still allow public access
  • Solution: SAP has released SAP Note 1964428 to provide patched versions of the affected components
  1. SAP HANA XS missing encryption in form-based authentication
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services. SAP HANA does not enforce any encryption in form-based authentication, enabling anonymous users to get information such as valid credentials from captured network traffic and gain access to the system
  • Details: SAP HANA Extend Application Services (XS) based applications can be set to 'form based authentication' access using SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption
  • Solution: SAP has released SAP Note 1963932 to provide patched versions of the affected components
  1. HTTP verb tampering issue in SAP_JTECHS
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Affected components: SAP Solution Manager 7.1
  • Details: License Measurement Servlet is prone to verb tampering attacks, allowing remote unauthenticated attackers to access restricted functionality. Technical details of this issue are still pending with the purpose of providing time for affected customers to apply the SAP Security Note.
  • Solution: SAP has released SAP Note 1778940 to provide patched versions of the affected components
  1. Hard-coded user name in SAP FI Manager Self-Service
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
  • Affected components: SAP FI Manager allows management employees to perform their tasks and decision processes using different services and applications from a central location
  • Details: The program contains a hard-coded user name that changes the system's behavior if a user is successfully authenticated. This user may gain access to additional information that should not be displayed
  • Solution: SAP has released SAP Note 1929473 to provide patched versions of the affected components. Download: https://service.sap.com/sap/support/notes/1920323
  1. Missing authorization check in function modules of BW-SYS-DB-DB4
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
  • Affected components: SAP Netweaver Business Warehouse component
  • Details: A remote authenticated attacker could execute the vulnerable RFC functions in function group BW-SYS-DB-DB4. These do not check for authorizations and would allow the attacker to obtain sensitive information regarding the target application server
  • Solution: SAP has released SAP Note 1974016 to provide patched versions of the affected components

    About Onapsis
    Onapsis Inc. is the leading provider of cyber security solutions to audit and protect business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Business Intelligence (BI). Onapsis solutions empower information security and audit professionals to understand and efficiently mitigate the cyber security risks affecting their SAP, Oracle and other business-critical applications, preventing espionage, sabotage and financial fraud attacks while streamlining compliance with internal and regulatory requirements.

    As the industry standard, trusted by the leading audit firms and deployed by Global 1000 and military organizations, Onapsis X1 is the most widely-used solution to detect cyber security risks and compliance violations affecting SAP business platforms. Unmatched by generic security monitoring products, Onapsis X1's unique SAP-certified capabilities integrate seamlessly into existing GRC and Risk Management practices, providing unprecedented visibility to protect critical business processes. At the heart of the company, the Onapsis Research Labs consists of the thought-leaders that continue to redefine the ERP security industry.

    For more information please visit www.onapsis.com and follow us on Twitter: @onapsis

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

Latest Stories
SYS-CON Events announced today that delaPlex will exhibit at SYS-CON's @ThingsExpo, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. delaPlex pioneered Software Development as a Service (SDaaS), which provides scalable resources to build, test, and deploy software. It’s a fast and more reliable way to develop a new product or expand your in-house team.
SYS-CON Events announced today that Carbonite will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Carbonite protects your entire IT footprint with the right level of protection for each workload, ensuring lower costs and dependable solutions with DoubleTake and Evault.
SYS-CON Events announced today that EARP Integration will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. EARP Integration is a passionate software house. Since its inception in 2009 the company successfully delivers smart solutions for cities and factories that start their digital transformation. EARP provides bespoke solutions like, for example, advanced enterprise portals, business intelligence systems an...
Amazon started as an online bookseller 20 years ago. Since then, it has evolved into a technology juggernaut that has disrupted multiple markets and industries and touches many aspects of our lives. It is a relentless technology and business model innovator driving disruption throughout numerous ecosystems. Amazon’s AWS revenues alone are approaching $16B a year making it one of the largest IT companies in the world. With dominant offerings in Cloud, IoT, eCommerce, Big Data, AI, Digital Assis...
In his session at 20th Cloud Expo, Brad Winett, Senior Technologist for DDN Storage, will present several current, end-user environments that are using object storage at scale for cloud deployments including private cloud and cloud providers. Details on the top considerations of features and functions for selecting object storage will be included. Brad will also touch on recent developments in tiering technologies that deliver single solution and an end-user view of data across files and objects...
Detecting internal user threats in the Big Data eco-system is challenging and cumbersome. Many organizations monitor internal usage of the Big Data eco-system using a set of alerts. This is not a scalable process given the increase in the number of alerts with the accelerating growth in data volume and user base. Organizations are increasingly leveraging machine learning to monitor only those data elements that are sensitive and critical, autonomously establish monitoring policies, and to detect...
We build IoT infrastructure products - when you have to integrate different devices, different systems and cloud you have to build an application to do that but we eliminate the need to build an application. Our products can integrate any device, any system, any cloud regardless of protocol," explained Peter Jung, Chief Product Officer at Pulzze Systems, in this SYS-CON.tv interview at @ThingsExpo, held November 1-3, 2016, at the Santa Clara Convention Center in Santa Clara, CA
SYS-CON Events announced today that Outscale, a global pure play Infrastructure as a Service provider and strategic partner of Dassault Systèmes, will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Founded in 2010, Outscale simplifies infrastructure complexities and boosts the business agility of its customers. Outscale delivers a secure, reliable and industrial strength solution for its customers, which i...
Cloud applications are seeing a deluge of requests to support the exploding advanced analytics market. “Open analytics” is the emerging strategy to deliver that data through an open data access layer, in the cloud, to be directly consumed by external analytics tools and popular programming languages. An increasing number of data engineers and data scientists use a variety of platforms and advanced analytics languages such as SAS, R, Python and Java, as well as frameworks such as Hadoop and Spark...
IBM helps FinTechs and financial services companies build and monetize cognitive-enabled financial services apps quickly and at scale. Hosted on IBM Bluemix, IBM’s platform builds in customer insights, regulatory compliance analytics and security to help reduce development time and testing. In his session at 20th Cloud Expo, Tom Eck, Industry Platforms CTO at IBM Cloud, will discuss how these tools simplify the time-consuming tasks of selection, mapping and data integration, allowing developer...
SYS-CON Events announced today that Progress, a global leader in application development, has been named “Bronze Sponsor” of SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Enterprises today are rapidly adopting the cloud, while continuing to retain business-critical/sensitive data inside the firewall. This is creating two separate data silos – one inside the firewall and the other outside the firewall. Cloud ISVs oft...
SYS-CON Events announced today that Outscale will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Outscale's technology makes an automated and adaptable Cloud available to businesses, supporting them in the most complex IT projects while controlling their operational aspects. You boost your IT infrastructure's reactivity, with request responses that only take a few seconds.
One of the biggest challenges with adopting a DevOps mentality is: new applications are easily adapted to cloud-native, microservice-based, or containerized architectures - they can be built for them - but old applications need complex refactoring. On the other hand, these new technologies can require relearning or adapting new, oftentimes more complex, methodologies and tools to be ready for production. In his general session at @DevOpsSummit at 20th Cloud Expo, Chris Brown, Solutions Marketi...
DevOps at Cloud Expo – being held October 31 - November 2, 2017, at the Santa Clara Convention Center in Santa Clara, CA – announces that its Call for Papers is open. Born out of proven success in agile development, cloud computing, and process automation, DevOps is a macro trend you cannot afford to miss. From showcase success stories from early adopters and web-scale businesses, DevOps is expanding to organizations of all sizes, including the world's largest enterprises – and delivering real r...
SYS-CON Events announced today that Cloud Academy will exhibit at SYS-CON's 20th International Cloud Expo®, which will take place on June 6-8, 2017, at the Javits Center in New York City, NY. Cloud Academy is the industry’s most innovative, vendor-neutral cloud technology training platform. Cloud Academy provides continuous learning solutions for individuals and enterprise teams for Amazon Web Services, Microsoft Azure, Google Cloud Platform, and the most popular cloud computing technologies. Ge...