Welcome!

Recurring Revenue Authors: Yeshim Deniz, Elizabeth White, Xenia von Wedel, Liz McMillan, Carmen Gonzalez

News Feed Item

Onapsis Research Labs Releases Six New Critical Security Advisories for Companies Using SAP

Latest Threats Target Key Administration Capabilities for SAP HANA and Allow Remote Attackers to Access Restricted Functionality to Gain Access to Any Organization's Secure Information

CAMBRIDGE, MA--(Marketwired - July 30, 2014) - Onapsis, Inc., a leading provider of solutions and research to audit and mitigate advanced threats targeting business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM), Finance and Accounting, Human Capital Management and Business Intelligence (BI), has released six new security advisories for SAP users. With more than 250,000 SAP installations in 188 countries, numerous organizations across the world could be impacted by the highlighted vulnerabilities.

The security advisories come from Onapsis Research Labs which continuously investigates, detects and reports exploitable vulnerabilities. The advisories enable vendors to prioritize patches and updates, while Onapsis customer and partner communities benefit from real-time analysis. Onapsis security advisories, together with vendor patches and security notes, are available for download to provide vendors and end-users with the information to mitigate advanced threats.

Onapsis Research Labs experts will be at Black Hat USA 2014 in Las Vegas from August 2-7 (booth #1131) to brief front-line security practitioners on the latest SAP advisories and discuss best practices for mitigating advanced threats. Onapsis customers will gain deep insight into the advisories from the Onapsis Security Research team during the company's exclusive annual customer advisory council on August 4 at the MGM Grand.

"We advise all SAP users to review our advisories and ensure that their systems are protected from the latest threats," said Juan Perez-Etchegoyen, CTO of Onapsis. "Ignored vulnerabilities may compromise SAP systems, but as experts in business critical application security we work to secure and protect systems while continuously monitoring for future vulnerabilities. Our customers receive instant access to fixes and have an advantage over other organizations that fail to protect their 'Crown Jewels'."

The following advisories have been released by experts at Onapsis Research Labs to alert vendors and user communities of the cyber-security risks affecting their business critical systems. Administrators, owners and users can sign up for alerts by clicking here.

  1. Multiple cross-site scripting vulnerabilities in SAP HANA XS Administration Tool
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 4.3 (AV:N/AC:M/AU:N/C:N/I:P/A:N)
  • Affected components: SAP HANA XS Administration Tool, a web application used to administer and maintain the HANA XS Engine
  • Details: Functions within SAP HANA XS Administration Tool do not sufficiently encode or filter output parameters, resulting in a reflected cross-site scripting vulnerability. A reflected cross-site scripting attack can be used to temporarily deface or modify displayed content for targeted users of the website
  • Solution: SAP has released SAP Note 1993349 to provide patched versions of the affected components
  1. SAP HANA IU5 SDK authentication bypass
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5.0 (AV:N/AC:L/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services
  • Details: SAP HANA Extend Application Services (XL) based applications can be set to have 'public' access (i.e. no authentication required). Despite this configuration changing to 'non-public' in the SAP HANA IU5 SDK Application, no authentication is needed to access these applications, which still allow public access
  • Solution: SAP has released SAP Note 1964428 to provide patched versions of the affected components
  1. SAP HANA XS missing encryption in form-based authentication
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 2.9 (AV:A/AC:M/AU:N/C:P/I:N/A:N)
  • Affected components: SAP HANA Extended Application Services. SAP HANA does not enforce any encryption in form-based authentication, enabling anonymous users to get information such as valid credentials from captured network traffic and gain access to the system
  • Details: SAP HANA Extend Application Services (XS) based applications can be set to 'form based authentication' access using SSL. When this configuration is set, the authentication mechanism does not properly enforce the required level of encryption
  • Solution: SAP has released SAP Note 1963932 to provide patched versions of the affected components
  1. HTTP verb tampering issue in SAP_JTECHS
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 5 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
  • Affected components: SAP Solution Manager 7.1
  • Details: License Measurement Servlet is prone to verb tampering attacks, allowing remote unauthenticated attackers to access restricted functionality. Technical details of this issue are still pending with the purpose of providing time for affected customers to apply the SAP Security Note.
  • Solution: SAP has released SAP Note 1778940 to provide patched versions of the affected components
  1. Hard-coded user name in SAP FI Manager Self-Service
  • Onapsis risk level assessment: Medium (two out of four)
  • Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P)
  • Affected components: SAP FI Manager allows management employees to perform their tasks and decision processes using different services and applications from a central location
  • Details: The program contains a hard-coded user name that changes the system's behavior if a user is successfully authenticated. This user may gain access to additional information that should not be displayed
  • Solution: SAP has released SAP Note 1929473 to provide patched versions of the affected components. Download: https://service.sap.com/sap/support/notes/1920323
  1. Missing authorization check in function modules of BW-SYS-DB-DB4
  • Onapsis risk level assessment: Low (one out of four)
  • Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N)
  • Affected components: SAP Netweaver Business Warehouse component
  • Details: A remote authenticated attacker could execute the vulnerable RFC functions in function group BW-SYS-DB-DB4. These do not check for authorizations and would allow the attacker to obtain sensitive information regarding the target application server
  • Solution: SAP has released SAP Note 1974016 to provide patched versions of the affected components

    About Onapsis
    Onapsis Inc. is the leading provider of cyber security solutions to audit and protect business-critical applications including Enterprise Resource Planning (ERP), Supply Chain Management (SCM) and Business Intelligence (BI). Onapsis solutions empower information security and audit professionals to understand and efficiently mitigate the cyber security risks affecting their SAP, Oracle and other business-critical applications, preventing espionage, sabotage and financial fraud attacks while streamlining compliance with internal and regulatory requirements.

    As the industry standard, trusted by the leading audit firms and deployed by Global 1000 and military organizations, Onapsis X1 is the most widely-used solution to detect cyber security risks and compliance violations affecting SAP business platforms. Unmatched by generic security monitoring products, Onapsis X1's unique SAP-certified capabilities integrate seamlessly into existing GRC and Risk Management practices, providing unprecedented visibility to protect critical business processes. At the heart of the company, the Onapsis Research Labs consists of the thought-leaders that continue to redefine the ERP security industry.

    For more information please visit www.onapsis.com and follow us on Twitter: @onapsis

    Media Contacts

    Jackie Fraser
    Hazel Butters
    Prompt PR on behalf of Onapsis
    Tel: 1-857-277-5139
    Email: [email protected]

More Stories By Marketwired .

Copyright © 2009 Marketwired. All rights reserved. All the news releases provided by Marketwired are copyrighted. Any forms of copying other than an individual user's personal reference without express written permission is prohibited. Further distribution of these materials is strictly forbidden, including but not limited to, posting, emailing, faxing, archiving in a public database, redistributing via a computer network or in a printed form.

IoT & Smart Cities Stories
The best way to leverage your Cloud Expo presence as a sponsor and exhibitor is to plan your news announcements around our events. The press covering Cloud Expo and @ThingsExpo will have access to these releases and will amplify your news announcements. More than two dozen Cloud companies either set deals at our shows or have announced their mergers and acquisitions at Cloud Expo. Product announcements during our show provide your company with the most reach through our targeted audiences.
CloudEXPO New York 2018, colocated with DXWorldEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.
Andrew Keys is Co-Founder of ConsenSys Enterprise. He comes to ConsenSys Enterprise with capital markets, technology and entrepreneurial experience. Previously, he worked for UBS investment bank in equities analysis. Later, he was responsible for the creation and distribution of life settlement products to hedge funds and investment banks. After, he co-founded a revenue cycle management company where he learned about Bitcoin and eventually Ethereal. Andrew's role at ConsenSys Enterprise is a mul...
Disruption, Innovation, Artificial Intelligence and Machine Learning, Leadership and Management hear these words all day every day... lofty goals but how do we make it real? Add to that, that simply put, people don't like change. But what if we could implement and utilize these enterprise tools in a fast and "Non-Disruptive" way, enabling us to glean insights about our business, identify and reduce exposure, risk and liability, and secure business continuity?
DXWorldEXPO | CloudEXPO are the world's most influential, independent events where Cloud Computing was coined and where technology buyers and vendors meet to experience and discuss the big picture of Digital Transformation and all of the strategies, tactics, and tools they need to realize their goals. Sponsors of DXWorldEXPO | CloudEXPO benefit from unmatched branding, profile building and lead generation opportunities.
DXWorldEXPO LLC announced today that Telecom Reseller has been named "Media Sponsor" of CloudEXPO | DXWorldEXPO 2018 New York, which will take place on November 11-13, 2018 in New York City, NY. Telecom Reseller reports on Unified Communications, UCaaS, BPaaS for enterprise and SMBs. They report extensively on both customer premises based solutions such as IP-PBX as well as cloud based and hosted platforms.
Digital Transformation: Preparing Cloud & IoT Security for the Age of Artificial Intelligence. As automation and artificial intelligence (AI) power solution development and delivery, many businesses need to build backend cloud capabilities. Well-poised organizations, marketing smart devices with AI and BlockChain capabilities prepare to refine compliance and regulatory capabilities in 2018. Volumes of health, financial, technical and privacy data, along with tightening compliance requirements by...
The deluge of IoT sensor data collected from connected devices and the powerful AI required to make that data actionable are giving rise to a hybrid ecosystem in which cloud, on-prem and edge processes become interweaved. Attendees will learn how emerging composable infrastructure solutions deliver the adaptive architecture needed to manage this new data reality. Machine learning algorithms can better anticipate data storms and automate resources to support surges, including fully scalable GPU-c...
To Really Work for Enterprises, MultiCloud Adoption Requires Far Better and Inclusive Cloud Monitoring and Cost Management … But How? Overwhelmingly, even as enterprises have adopted cloud computing and are expanding to multi-cloud computing, IT leaders remain concerned about how to monitor, manage and control costs across hybrid and multi-cloud deployments. It’s clear that traditional IT monitoring and management approaches, designed after all for on-premises data centers, are falling short in ...
DXWordEXPO New York 2018, colocated with CloudEXPO New York 2018 will be held November 11-13, 2018, in New York City and will bring together Cloud Computing, FinTech and Blockchain, Digital Transformation, Big Data, Internet of Things, DevOps, AI, Machine Learning and WebRTC to one location.