Boston, MA – October 8, 2014 – Onapsis, the global experts in business-critical application security, today released seven new security advisories detailing vulnerabilities in SAP HANA, SAP BusinessObjects and SAP NetWeaver Business Warehouse enterprise software.
Included in the security advisories is a ‘high risk’ alert cautioning SAP HANA users against a command injection vulnerability that allows unauthorized hackers to access and compromise SAP systems. Organizations use SAP to track and manage, in real-time, sales, production, finance, controlling, accounting and human resources in an enterprise. Depending on an organization’s use of SAP, this ‘high risk’ could expose things like customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.
The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business-context, and provide sound security judgment to the market. The team has released over 100 advisories to date, consulted on impact with over 120 Onapsis customers and has presented at leading security and SAP conferences around the world.
Each advisory details the business-context relevance of an identified vulnerability, including impact on business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes. They are publicly available at http://www.onapsis.com/research/advisories.
Three ‘medium risk’ advisories released include vulnerabilities in SAP BusinessObjects:
- A 'high risk' Denial of Service (DoS) vulnerability in BusinessObjects via the CORBA standard that, if exploited, would give a remote unauthenticated attacker the ability to completely shut down the SAP BusinessObjects application
- An information disclosure vulnerability in web services and SecEnterprise authentication that could allow remote attackers to distinguish existing from non-existent users
- A persistent cross-site scripting weakness in BusinessObjects' 'Send to Inbox' functionality that could allow unauthorized modification of displayed content and the capture of authentication information from users
Another cross-site scripting vulnerability, also ranked medium risk, was released for SAP HANA, detailing the specific pages that are affected.
Two ‘low level’ risk advisories were also published:
- An information disclosure vulnerability in SAP BusinessObjects in which repeated InfoStore queries via CORBA could bypass enforced authorization.
- A missing authorization check for SAP NetWeaver Business Warehouse that could be exploited by authenticated attackers.
Ezequiel Gutesman, Director of Research, Onapsis Research Labs said: “Our research is shared with vendors and partners, such as SAP, and trusted by users. We are experts in business application security and I would urge all SAP HANA and SAP BusinessObjects users to check our advisories and the remedial steps we share to protect their company’s most important data.”
Onapsis Research Labs is complemented by the company’s technology which enables organizations to continuously monitor for security vulnerabilities and compliance gaps affecting SAP and Oracle’s ERP, HCM, CRM, BI and SCM applications.
Mariano Nunez, CEO of Onapsis said: “Our mission is to transform how organizations protect business-critical applications running on SAP platforms that manage their business-critical processes and information. Our differentiator is how we bring together security technology, expertise and analytics to uncover and prioritize the resolution of security gaps and have delivered great value to over 130 customers around the world.”
About Onapsis
Onapsis gives organizations the adaptive advantage to succeed in securing business-critical applications by combining technology, research and analytics. Onapsis enables every security and compliance team an adaptive approach to focus on the factors that matter most to the business-critical applications that house their vital data and run business processes including SAP Business Suite, SAP HANA and SAP Mobile applications. Onapsis provides technology solutions including Onapsis X1, the de-facto SAP security auditing tool, and the Onapsis Security Platform, which delivers enterprise vulnerability, compliance, attack detection and response capabilities for SAP applications.
The Onapsis Research Labs provide subject matter expertise that combines in-depth knowledge and experience to deliver technical and business-context with sound security judgment. This enables organizations to efficiently uncover security and compliance gaps and prioritize the resolution within applications running on SAP systems. Onapsis delivers tangible business results including decreased business risk, highlighted compliance gaps, lower operational security costs and demonstrable value on investment.