Critical Flaws Found in SAP Business Software

Security firm Onapsis warns that the "next big wave" of cyber attacks will target business apps running on SAP and Oracle.
Matthew Heller, November 10, 2015

Security experts said they have uncovered 21 vulnerabilities in the widely used SAP HANA computing platform that hackers could use to steal information from businesses or shut down the system.

About 87% of Forbes Global 2000 companies use SAP, according to the German software provider’s website. Onapsis, which specializes in SAP and Oracle business-critical application security, said eight of the flaws it detected are ranked critical, the highest severity rating.

SAP-issued patches are already available for some of the problems, while six require configuration changes.

“The next big wave of attacks is aimed at business-critical applications running on SAP and Oracle as they are the ultimate economic targets for cyber crime. They are also currently the biggest blind spot for many chief information security officers,” Onapsis CEO Mariano Nunez said in a news release.

Onapsis estimates that a breach involving SAP could cost some organizations up to $22 million per minute. In 2013, hackers gained access to U.S. Investigations Services, a background check company that handles government employee records, through SAP software.

The SAP HANA platform is a database management and analytics system for use on-premises or in the cloud. The vulnerabilities impact all SAP HANA-based applications, including SAP S/4HANA and SAP Cloud solutions running on HANA.

Without configuration changes, “unauthenticated attackers could take full control of vulnerable SAP HANA systems, including stealing, deleting, or changing business information, as well as taking the platform offline to disrupt key business processes,” Onapsis warned.

SAP was notified starting in February about many of the problems. “We strongly advise our customers to secure their SAP landscape by applying the available security patches,” an SAP spokesman said.

HANA customers include T-Mobile, Airbus, Dell, Adidas, EMC, the National Hockey League, and Marathon Oil. “It is imperative that the industry starts getting serious about SAP cybersecurity,” said Juan Perez-Etchegoyen, Onapsis’ chief technology officer.