Organizations use SAP BusinessObjects to track, analyze and report on business performance, while SAP BASIS is comprised of the administrative functionalities and processes which run SAP systems including the database, supporting architecture, and the user interface.
Included in the security advisories is a ‘critical risk’ alert cautioning SAP BusinessObjects users against a vulnerability that could be used by unauthenticated attackers to access and modify information stored on the SAP BusinessObjects server. This ‘critical risk’ vulnerability could potentially expose and compromise an organization’s ability to perform business intelligence queries such as performance management, product planning, and reporting structure. Furthermore, business intelligence reports could be manipulated by malicious attackers, altering decision-making information used by senior executives.
Another vulnerability is a ‘high risk’ alert impacting authorization checks for SAP BASIS. If exploited, this vulnerability could allow an authenticated attacker access to background processing which automates routine tasks and helps to optimize the organizations computing resources. If this process is tampered with, the attacker would be able to compromise the SAP system’s ability to properly run business-critical reports and programs.
Ezequiel Gutesman, Director of Research, Onapsis Research Labs said: “Advanced threats targeting SAP systems that run business-critical applications are increasing at an alarming rate. These security advisories are the latest example of how key systems are vulnerable to attack and have to be a main focus of an organization’s security strategy. Additionally, it is now an executive imperative to understand the risks associated with SAP security posture and potential business impact.”
The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business-context, and provide sound security judgment to the market. The team has released over 110 advisories to date, consulted on impact with over 160 Onapsis enterprise customers and presents at leading security and SAP conferences around the world.
Each advisory details the business-context relevance of an identified vulnerability, including impact on business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
The Onapsis Security Advisories are publicly available at: http://www.onapsis.com/research/advisories.
Ezequiel Gutesman, Director of Research, and Juan Perez-Etchegoyen, CTO of Onapsis, will be hosting an exclusive analysis of 2014 SAP security vulnerabilities on December 18th, 2014 at 1:00 P.M. EST. To register, please click here.
About Onapsis
Onapsis gives organizations the adaptive advantage to succeed in securing business-critical applications by combining technology, research and analytics. Onapsis enables every security and compliance team an adaptive approach to focus on the factors that matter most to their business– critical applications that house vital data and run business processes including SAP Business Suite, SAP HANA and SAP Mobile deployments.
Onapsis provides technology solutions including Onapsis X1, the de-facto SAP security auditing tool, and Onapsis Business-Critical Application Security Platform which delivers enterprise vulnerability, compliance, detection and response capabilities with analytics.
The Onapsis Research Labs provide subject matter expertise that combines in-depth knowledge and experience to deliver technical and business-context with sound security judgment. This enables organizations to efficiently uncover security and compliance gaps and prioritize the resolution within applications running on SAP platforms.
Onapsis delivers tangible business results including decreased business risk, highlighted compliance gaps, lower operational security costs and demonstrable value on investment.
Twitter: @onapsis
LinkedIn: linkedin.com/company/onapsis