Press Release

Onapsis Helps SAP Customers Identify and Fix Widespread Critical Security Configuration Risk

Business-critical application security thought leaders bring awareness to the silent threat of insecure configurations

BOSTON, MA – April 26, 2018 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today revealed a critical security configuration vulnerability that results from default installations in SAP systems which, if left insecure, could lead to a full system compromise in unprotected environments. If exploited, the impact could allow full control of the system by hackers, putting business-critical ERP, HR, PII, Finance, and Supply Chain data and processes at risk.

The vulnerability, mainly driven by a security configuration originally documented by SAP in 2005, is still present in the majority of SAP implementations either from neglecting to apply security configurations or due to unintentional configuration drifts of previously secured systems. Onapsis has spent the past six months reaching out to SAP customers to alert them and help ensure they are addressing the risk in their landscapes. After analyzing hundreds of real SAP customer implementations, Onapsis found that 9 out of 10 SAP systems were vulnerable before the Onapsis Business Risk Assessment or Onapsis Security Platform implementation.

The vulnerability is found in SAP Netweaver and can be compromised by a remote unauthenticated attacker having only network access to the system. Attackers can obtain unrestricted access to SAP systems, enabling them to compromise the platform along with all of its information, modify or extract this information or shut the system down. SAP Netweaver is the foundation of all SAP deployments and as such the vulnerability affects all versions of SAP Netweaver, representing 378,000 customers worldwide and 87% of the Global 2000. This risk still exists within the default security settings on every Netweaver-based SAP product, including the latest versions such as cloud and the next generation digital business suite S/4HANA.

“While much attention this year will go to new vulnerabilities, such as IoT, Meltdown and Spectre, there is a more silent threat lurking behind the scenes that may be as serious and certainly as broad. Many SAP landscapes are so interconnected and complex that taking a system offline to implement a secure configuration can be very disruptive to the organization. That being said, it is critical that organizations ensure that they make the time to implement the configuration. These upgrades must be planned out and timed to have the lowest impact on the organization,” said JP Perez-Etchegoyen, CTO at Onapsis.

“Additionally, once the configuration is secured, it is almost impossible to ensure that separate teams do not reset the configuration to an insecure setting due to adding, migrating or upgrading a system,” continued Perez-Etchegoyen.

The Onapsis Research Labs has written an extensive threat report to enable SAP customers to understand the risk and business impact of leaving this configuration insecure. The report also outlines methods that an organization can take to configure this system and ensure that it remains secure.

Download the threat report on the Onapsis website.

The Onapsis Research Labs will also present these finding and key next steps during a webcast on May 8th at 2:00pm ET.

About Onapsis

Onapsis cybersecurity solutions automate the monitoring and protection of your SAP and Oracle ERP and business-critical applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’s solutions are also the de-facto standard for leading consulting and audit firms such as Deloitte, IBM, Infosys and PwC.

Onapsis solutions include the Onapsis Security Platform™, which is the most widely-used SAP-certified cybersecurity solution on the market. Unlike generic security products, Onapsis’s context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs, who continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts at the Onapsis Research Labs were the first to lecture on SAP cyberattacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms. This patented technology is well known, industry wide, and has gained Onapsis recognition on the Deloitte Technology Fast-500, as a Red Herring North America Top 100 company and a SINET 16 Innovator.

For more information, please visit, or connect with us onTwitter,Google+, orLinkedIn.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.