Onapsis Identifies and Helps SAP Secure Critical Vulnerabilities in SAP HANA
Onapsis Research Labs’ research and threat intelligence protects SAP customers from severe risks affecting HANA-based products, including HANA 2, S/4 HANA and HANA-based Cloud applications
BOSTON, MA – March 14, 2017 – Onapsis, the global experts in SAP and Oracle application cybersecurity and compliance, today announced the discovery of several high-risk vulnerabilities affecting SAP HANA platforms. If exploited, these vulnerabilities would allow an attacker, whether inside or outside the organization, to take full control of the SAP HANA platform remotely, without the need of a username and password.
The next-generation in-memory cloud platform, SAP HANA simplifies database and data management. The platform’s new capabilities are optimized for innovation that helps organizations compete more effectively in the digital economy.
“This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information. If these vulnerabilities are exploited, organizations may face severe business consequences,” said Sebastian Bortnik, Head of Research, Onapsis. The vulnerabilities affect a specific SAP HANA component named SAP HANA User Self Service, which is not enabled by default. “We hope organizations will use this threat intelligence to assess their systems and confirm that they are not currently using this component, and therefore are not affected by these risks. Even if the service is not enabled, we still recommend that these organizations apply the patches in case a change is made to the system in the future,” continued Bortnik.
Onapsis Research Labs originally discovered the vulnerabilities on the newly released SAP HANA 2 platform, but after additional analysis realized that several older versions were vulnerable as well. Based on this assessment, it was identified that the vulnerabilities had been present in HANA for almost two and a half years, when the User Self Service component was first released. This greatly increases the likelihood that these vulnerabilities have been discovered by attackers to break into organization’s SAP systems.
As the leading SAP partner for cyber security, Onapsis worked closely with SAP’s Product Security & Engineering teams to help them develop the security patches. “As always, we immediately reported the risks to SAP SE so that a patch could be developed and released to SAP customers, which they did very quickly compared to past vulnerability submissions. As our number one priority is protecting our customers, we have also provided them with advanced security updates for their Onapsis Security Platform installations, as well as with alternative risk mitigation approaches until the security patches become available,” explained Mariano Nunez, CEO and Co-Founder, Onapsis.
After another vulnerability report by Onapsis Research Labs, SAP is also releasing the first ever patch for SAP HANA 2. In this case, default installations are affected and an attacker can elevate privileges if exploited.
As part of its responsible disclosure policy, the Onapsis Research Labs will release technical details of these vulnerabilities after 90 days to provide SAP customers with time to apply and configure the SAP Security Note #2424173 “Vulnerabilities in the User Self-Service Tools of SAP HANA” and Security Note #2429069 in their organizations.
The Onapsis Research Labs have discovered more than 500 vulnerabilities in SAP and Oracle business applications, has helped SAP secure over 65% of all HANA vulnerabilities reported and has released over 150 advisories to date. Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.
Onapsis cybersecurity solutions automate the monitoring and protection of your SAP applications, keeping them compliant and safe from insider and outsider threats. As the proven market leader, global enterprises trust Onapsis to protect the essential information and processes that run their businesses.
Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.
Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.
These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the
Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.
Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.
Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.