Protecting the “SolMan” of Your SAP Mission-Critical Applications
Vulnerability management is a tedious and thankless task. As more and more vulnerabilities are found in mission-critical applications and threats are ever-increasing, it is becoming very challenging to prioritize what must be fixed immediately.
Think about this for a minute…
Research reports have shown that it takes 15 times longer for an organization to remediate a vulnerability than it does for attackers to weaponize and exploit one: seven days to weaponize versus 102 days to patch. We saw this play out with the SAP RECON vulnerability (CVE-2020-6287) earlier this year, when publicly available exploit code appeared in less than seven days.
It is ironic that something so mundane (patch management) can also be so vital to the enterprise. Protecting the confidentiality and integrity of its information is the lifeblood of any company. Security experts have concluded that 57 percent of breaches are the result of poor patch management, and that as many as one third of all organizations have not applied patches more than a year after release. That is remarkable.
- How much time are you spending every month on vulnerability management?
- Are you remediating the most critical vulnerabilities in a timely manner? Can you even remediate?
- Are you confident you are protecting the mission-critical applications that power your business?
From the organizations that we engage with, we know you are spending far too much time struggling to fix the most critical vulnerabilities, and just hoping your mission-critical applications are protected from both internal and external threats.
When it comes to SAP vulnerability management, one serious area of concern is SAP Solution Manager, commonly referred to as SolMan. In 2020 alone there have been a number of highly critical SolMan vulnerabilities, with CVSS scores in the nines and as high as 10. The most recent ones were addressed in the November SAP Security Notes; details can be found in our blog post here. The table below lists them by month, severity, SAP Note and CVE.
| Month | CVSS | SAP Note # | Title | CVE |
|---|---|---|---|---|
| March | 10 | 2890213 | Missing Authentication Check in SAP SolMan (User-Experience Monitoring) | CVE-2020-6207 |
| March | 9.8 | 2845377 | Missing Authentication Check in SAP Solution Manager (Diagnostics Agent) | CVE-2020-6198 |
| April | 8.6 | 2906994 | Missing Authentication Check in SAP Solution Manager (Diagnostics Agent) | CVE-2020-6235 |
| May | 9.9 | 2835979 | Code Injection vulnerability in Service Data Download | CVE-2020-6262 |
| June | 8.2 | 2931391 | Missing XML Validation in SAP Solution Manager (Problem Context Manager) | CVE-2020-6271 |
| June | 6.5 | 2915126 | Incomplete XML Validation in SAP Solution Manager (Trace Analysis) | CVE-2020-6260 |
| Sept | 10 | 2890213 | Missing Authentication Check in SAP SolMan (User-Experience Monitoring) | CVE-2020-6207 |
| Oct | 10 | 2969828 | OS Command Injection Vulnerability in CA Introscope Enterprise Manager | CVE-2020-6364 |
| Oct | 7.5 | 2971638 | Hard-coded Credentials in CA Introscope Enterprise Manager | CVE-2020-6369 |
| Nov | 10 | 2890213 | Missing Authentication Check in SAP Solution Manager | CVE-2020-6207 |
| Nov | 10 | 2985866 | Missing Authentication Check in SAP Solution Manager (JAVA stack) | CVE-2020-26821, CVE-2020-26822, CVE-2020-26823 |
| Nov | 9.1 | 2979062 | Privilege escalation in SAP NetWeaver Application Server for Java (UDDI Server) | CVE-2020-26820 |
So what does this mean? SolMan is the hub of SAP application management: every mission-critical SAP application (ERP, CRM, SCM, HCM, Financials, BI and more) is connected to it as a managed system, and SolMan maintains trusted connections to each of them (RFC destinations and the Diagnostics Agents running on the managed hosts). An attacker who gains access to SolMan can therefore pivot to any SAP application it manages. With access to any SAP application, an attacker can steal critical information (personal data, financial data, intellectual property, etc.), disrupt business operations and impact regulatory compliance. This can result in lost revenue, reputational damage and significant fines and penalties. Note also that several of the issues in the table are missing authentication checks rated CVSS 10, meaning they are reachable over the network without any credentials, so SolMan must not be treated as an internal-only system that is safe to leave unpatched.
So, what can you do to improve SAP vulnerability management to make it more effective and efficient? Onapsis can help. Here’s how:
Stop the Patch Madness
With The Onapsis Platform, you can automate the continual assessment of your complete SAP landscape for missing SAP Security Notes or patches. The results either show you where patches are missing or verify that you have indeed installed them. Additionally, Onapsis delivers severity rankings and business impact information to help you be more proactive and prioritize what must be remediated first. And, if you are still struggling to apply the patches quickly and reduce your risk posture, integration partners such as Optiv, IBM, Accenture and others can provide the services to keep you patched.
Stay Protected Even When You May Be Vulnerable
Oftentimes, patches cannot be applied quickly enough, because taking production systems offline is not practical for the business until there is a scheduled maintenance window. So, what happens between the time a patch is available and the time it can actually be applied? Other than praying that an exploit does not happen, you can use The Onapsis Platform to apply compensating controls that alert you to malicious activity against a specific vulnerability. These alerts allow you to react quickly to potential threats and stop an attack before it succeeds. Having these compensating controls in place buys you time until you can apply the patches without impacting the business.
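To make the two preceding ideas concrete (a gap check for missing SAP Security Notes, and a log-based compensating control for the window before a patch is applied), here is a small worked example added by the editor. It is not Onapsis code and does not describe how The Onapsis Platform works. It uses the note numbers, CVSS scores and CVEs from the table above as its data. Everything else is an assumption for illustration: the log line format is a generic combined-log style, the installed-note set, source addresses and log lines are constructed, and the watched endpoint path (/EemAdminService/EemAdmin) is the one publicly documented for CVE-2020-6207 in the SAP advisory and public proof-of-concept code, not something this page states; verify it against SAP Note 2890213 before using it in a real rule.

```python
"""Added example (not Onapsis code): SAP Security Note gap check plus a
log-based compensating control for one SolMan vulnerability.

Log format, installed notes, source addresses and log lines are constructed.
The watched endpoint path for CVE-2020-6207 is an assumption taken from the
public advisory, not from the blog post; confirm it against SAP Note 2890213.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote

# SAP Security Notes from the table: note number -> (CVSS, CVE).
# Note 2890213 appears three times in the table (re-released); listed once here.
SOLMAN_NOTES = {
    2890213: (10.0, "CVE-2020-6207"),
    2845377: (9.8, "CVE-2020-6198"),
    2906994: (8.6, "CVE-2020-6235"),
    2835979: (9.9, "CVE-2020-6262"),
    2931391: (8.2, "CVE-2020-6271"),
    2915126: (6.5, "CVE-2020-6260"),
    2969828: (10.0, "CVE-2020-6364"),
    2971638: (7.5, "CVE-2020-6369"),
    2985866: (10.0, "CVE-2020-26821/26822/26823"),
    2979062: (9.1, "CVE-2020-26820"),
}

# ASSUMPTION: endpoint path associated with CVE-2020-6207 (from the public
# advisory/PoC, not from this page). Maps a path prefix to the SAP Note that fixes it.
WATCHLIST = {
    "/EemAdminService/EemAdmin": 2890213,
}

# Constructed: sources that legitimately call the watched endpoint (e.g. SolMan's own
# monitoring hosts). Anything else touching it is worth an alert while unpatched.
TRUSTED_SOURCES = {"10.0.5.20"}

# Generic combined-log style line; constructed format, not SAP's own access log.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def missing_notes(installed: set[int], min_cvss: float = 0.0) -> list[tuple[int, float, str]]:
    """Gap check: required notes not yet installed, highest CVSS first."""
    gap = [
        (note, cvss, cve)
        for note, (cvss, cve) in SOLMAN_NOTES.items()
        if note not in installed and cvss >= min_cvss
    ]
    return sorted(gap, key=lambda t: (-t[1], t[0]))


@dataclass(frozen=True)
class Alert:
    ts: str
    src: str
    path: str
    note: int
    cvss: float
    cve: str
    patched: bool  # True if the fixing note is already installed (lower priority)


def detect(log_lines: list[str], installed: set[int]) -> list[Alert]:
    """Compensating control: flag untrusted requests to watched endpoints.

    The path is URL-decoded, stripped of its query string and compared
    case-insensitively so trivial variations do not slip past the rule;
    a few false positives are acceptable for a CVSS 10 pre-auth endpoint.
    """
    alerts: list[Alert] = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than crash the pipeline
        path = unquote(m["path"]).split("?", 1)[0]
        for prefix, note in WATCHLIST.items():
            if path.lower().startswith(prefix.lower()) and m["src"] not in TRUSTED_SOURCES:
                cvss, cve = SOLMAN_NOTES[note]
                alerts.append(Alert(m["ts"], m["src"], path, note, cvss, cve, note in installed))
    return alerts


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    '10.0.5.20 - - [10/Nov/2020:08:00:01 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 512',
    '203.0.113.7 - - [10/Nov/2020:08:02:13 +0000] "POST /EemAdminService/EemAdmin HTTP/1.1" 200 904',
    '203.0.113.7 - - [10/Nov/2020:08:02:14 +0000] "GET /sap/bc/gui/sap/its/webgui HTTP/1.1" 302 0',
    '198.51.100.4 - - [10/Nov/2020:08:05:40 +0000] "POST /eemadminservice/eemadmin?x=1 HTTP/1.1" 500 77',
]

if __name__ == "__main__":
    installed = {2890213, 2985866}  # constructed: notes already applied
    for note, cvss, cve in missing_notes(installed, min_cvss=9.0):
        print(f"MISSING note {note} CVSS {cvss} {cve}")
    for a in detect(SAMPLE_LOG, installed):
        print(f"ALERT {a.ts} {a.src} -> {a.path} (note {a.note}, CVSS {a.cvss}, patched={a.patched})")
```

In the constructed sample, the first line comes from a trusted source and is ignored, while the two requests from other addresses raise alerts even though one used different casing and a query string. The `patched` flag lets the SOC keep the rule running after the note is applied but rank those alerts lower.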
Gain Intelligence to Be Ahead of Threats
Knowledge is power. The more intelligence you have about vulnerabilities and threats, the better prepared you will be to keep your mission-critical applications protected from potential attacks. The Onapsis Research Labs is leading the way when it comes to SAP threat intelligence. As an Onapsis customer and user of The Onapsis Platform, you will have access to this powerful SAP threat intelligence. For reference, this issue as well as RECON and the previous Solution Manager issues were credited to the Onapsis Research Labs. We provide you with early access to vulnerability information and capabilities in our solution to help you stay ahead of the threats and keep your mission-critical applications protected.
To get started and gain peace of mind, we are offering the Onapsis Protection Program for SAP Solution Manager. This program is an affordable combination of product and services to automate manual processes and create efficiencies to help you keep SolMan secure and eliminate the business impact of potential threats. Read more about the Onapsis Protection Program for SAP Solution Manager. And, for complete protection of your SAP mission-critical applications, learn more about The Onapsis Platform, an SAP Endorsed App and the standard for SAP security and compliance. Contact us today.