Onapsis Uncovers Five New Vulnerabilities Affecting SAP BusinessObjects and SAP HANA

High-Profile Cyber-Risks Reveal Unauthorized Users Could Retrieve and Overwrite Data Stored on Business-Critical Systems


BOSTON, MA--(Marketwired - February 25, 2015) - Onapsis, the global experts in business-critical application security, today released five new security advisories detailing vulnerabilities in SAP BusinessObjects and SAP HANA enterprise software. Included in the security advisories are three "high risk" vulnerabilities, one of which allows unauthenticated users to overwrite business data, and two "medium risk" vulnerabilities.

Organizations use SAP BusinessObjects to track, analyze and report on business performance, while SAP HANA, at the heart of SAP's cloud offerings, is the next-generation database and application platform. SAP HANA combines transaction processing, analytics, text analysis, predictive and spatial processing so businesses can operate in real time. Depending on an organization's use of these platforms, the "high risk" vulnerabilities could be used by cyber attackers to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

The three "high risk" advisories detail vulnerabilities in SAP BusinessObjects that are reachable through the default CORBA connector:

- Unauthorized Audit Information Delete

  • Allows a remote unauthenticated attacker to access and delete the auditing information of the remote system, and thereby to carry out malicious activity without being detected.

- Unauthorized File Repository Server Write

  • Allows a remote unauthenticated attacker to access and overwrite sensitive business data stored on the remote system.

- Unauthorized File Repository Server Read

  • Allows a remote unauthenticated attacker to retrieve sensitive business data stored on the remote system.

The two "medium risk" advisories detail vulnerabilities in SAP BusinessObjects and SAP HANA:

- Multiple Reflected Cross-site Scripting Vulnerabilities in SAP HANA Web-based Development Workbench

  • Allows a remote unauthenticated attacker to attack other users of SAP HANA, for example by luring a legitimate user to a crafted link whose payload is reflected and executed in that user's browser.

- SAP BusinessObjects Unauthorized Audit Information Access via CORBA

  • Allows a remote unauthenticated attacker to access and read auditing information, and thereby to obtain sensitive business data. Access to this functionality should be restricted.

"Taking steps to patch these vulnerabilities, or to implement control measures, is critical to protecting your SAP systems. Recent headlines alone have shown us the consequences of not having proper security measures in place, especially when you're dealing with systems that are housing data and processing transactions vital to the ongoing success of your business," said Ezequiel Gutesman, Director of Research at Onapsis.

The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business context, and provide sound security judgment to the market. The team has released over 140 advisories to date, consulted on impact with over 160 Onapsis enterprise customers and regularly presents at leading security and SAP conferences around the world.

Each advisory details the business-context relevance of the identified vulnerability, including its impact on the business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

They are publicly available at: http://www.onapsis.com/research/advisories.

About Onapsis
Onapsis gives organizations the adaptive advantage to succeed in securing business-critical applications by combining technology, research and analytics. Onapsis gives every security and compliance team an adaptive approach that focuses on the factors that matter most to the business-critical applications that house vital data and run business processes, including SAP Business Suite, SAP HANA and SAP Mobile deployments.

Onapsis provides technology solutions including Onapsis X1, the de-facto SAP security auditing tool, and Onapsis Security Platform which delivers enterprise vulnerability, compliance, detection and response capabilities with analytics.

The Onapsis Research Labs provide subject matter expertise that combines in-depth knowledge and experience to deliver technical and business context with sound security judgment. This enables organizations to efficiently uncover security and compliance gaps and to prioritize their resolution within applications running on SAP platforms.

Onapsis delivers tangible business results including decreased business risk, highlighted compliance gaps, lower operational security costs and demonstrable value on investment.

Twitter: @onapsis
LinkedIn: linkedin.com/company/onapsis

Contact Information:

Media contacts:
Leslie Kesselring
Kesselring Communications
503-358-1012
leslie@kesscomm.com

Tamarie Ellis
Kesselring Communications
503-746-8107
tamarie@kesscomm.com