Critical vulnerabilities affecting SAP business critical apps
Onapsis released five security advisories detailing vulnerabilities in SAP BusinessObjects and SAP HANA enterprise software. Included in the security advisories are three high risk vulnerabilities, one of which allows unauthenticated users to overwrite business data, and two medium risk vulnerabilities.
Depending on an organization’s use of these platforms, high risk vulnerabilities could be used by cyber attackers to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.
Three high risk advisories detail vulnerabilities found in SAP BusinessObjects, reachable through the default CORBA connector:
- Unauthorized Audit Information Delete – Allows a remote unauthenticated attacker to access and delete auditing information of the remote system and to perform malicious activities without being detected.
- Unauthorized File Repository Server Write – Allows a remote unauthenticated attacker to access and overwrite sensitive business data stored on the remote system.
- Unauthorized File Repository Server Read – Allows a remote unauthenticated attacker to retrieve sensitive business data stored on the remote system.
Two medium risk advisories released detail vulnerabilities in SAP BusinessObjects and SAP HANA:
- Multiple Reflected Cross-site Scripting Vulnerabilities in SAP HANA Web-based Development Workbench – Allows a remote unauthenticated attacker to access and attack other users of SAP HANA.
- SAP Business Objects Unauthorized Audit Information Access via CORBA – Allows a remote unauthenticated attacker to access and read auditing information thus accessing sensitive business data. Access to this functionality should be restricted.
“Taking steps to patch these vulnerabilities, or to implement control measures, is critical to protecting your SAP systems. Recent headlines alone have shown us the consequences of not having proper security measures in place, especially when you’re dealing with systems that are housing data and processing transactions vital to the ongoing success of your business,” said Ezequiel Gutesman, Director of Research at Onapsis.