Skip to main content
close search
site logo

SAP Patches Critical Flaw in Business Software

Published March 14, 2017
By Matthew Heller

European software giant SAP said Tuesday it had patched multiple vulnerabilities in its cloud-based enterprise platform HANA that could have allowed hackers to fully compromise databases and business applications without a valid username or password.

HANA runs SAP’s latest database, cloud and other more traditional business apps. According to Onapsis, the security company that uncovered the “zero day” vulnerabilities, they rank among the most critical ever found in the software.

“We have identified multiple vulnerabilities that could be leveraged by attackers to perform two critical attacks in SAP Hana, depending on the active services,” Onapsis said in a threat report. “These attacks consist of a full system compromise without any type of previous authentication.”

SAP claims 87% of the top 2,000 global companies as customers. According to Reuters, vulnerabilities in big business software are more lucrative to attackers than those affecting consumer applications as programs like Hana “store data and run transactions which are the lifeblood of businesses.”

Onapsis reported 10 Hana vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time, Reuters said. The patch issued on Tuesday was rated by SAP as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers.

According to Threat Post, Hana “has been increasingly targeted by hackers over the last year.” The bugs uncovered by Onapsis affect User Self Service, or USS, a component that allows users to carry out tasks such as account creation or password recovery.

“While the service comes disabled by default, some users activate it in order to allow external users access to internal capabilities — something that exposes the component to the internet,” Threat Post noted.

Sebastian Bortnik, Onapsis head of research, said the vulnerability “would allow an attacker to perform any action over the business information and processes supported by Hana, including creating, stealing, altering, and/or deleting sensitive information.”

Even if USS is not enabled, he said, “we still recommend that [businesses] apply the patches in case a change is made to the system in the future.”

Filed Under: Technology

Editors' pick

  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Nov. 20, 2023

Company Announcements

View all | Post a press release
Wealth Inequality the Result of Pure Randomness, Tufts University Study Suggests
From Society for Industrial and Applied Mathematics
November 21, 2023

Want to share a company announcement with your peers?

Get started

Read next
  • Calendar
    Image attribution tooltip
    Misha Shutkevych via Getty Images
    Image attribution tooltip
    Tracker

    CFO Annual Conferences and Events Tracker

    CFO’s annual conference and events calendar tracker ensures finance executives know about the most essential in-person events.

    By CFO Editorial Team • Updated Nov. 20, 2023
Latest in Technology
image/svg+xml
Industry Dive is an Informa business
© 2023 Industry Dive. All rights reserved. | View our other publications | Privacy policy | Terms of use | Take down policy.
Cookie Preferences / Do Not Sell