SAP pushed out patches to address seven vulnerabilities in three different lines of software it produces. If exploited, the bugs – which weren’t disclosed until yesterday – could expose those running the systems to specialized attacks, information disclosure and in some cases, complete compromise.
The bugs, all of which are remotely exploitable, affect the German software company’s database management system HANA, its enterprise software BusinessObjects and analytics software NetWeaver Business Warehouse.
Companies mostly use the software to keep track of all things enterprise: sales, finances, human resources, and so on. Officials with Onapsis Research Labs, who discovered the vulnerabilities, warn the bugs could expose gobs of information: customer data, product pricing, financial statements, employee information and more.
One of the two most serious vulnerabilities could enable code execution, allowing an attacker to completely compromise the HANA system and any information processed or stored there. The other could make it so an attacker could execute a distributed denial of service (DDoS) attack against BusinessObjects, something that ultimately could shut it down entirely. Both are marked high risk.
Multiple cross-site scripting vulnerabilities in both HANA and BusinessObjects were also found that could have enabled an attacker to impersonate a legitimate user and attack others on the system.
The least pressing bug among the batch is a vulnerability in Business Warehouse that could have let an authenticated attacker disclose technical information without having the right permissions. The researchers found that a function in the software failed to perform an authorization check before retrieving the information.
The bug that took the longest to fix was an information disclosure issue in BusinessObjects that could have let an attacker glean user information and in turn, use it to craft specialized attacks against the victim’s system. The vulnerability – wherein an attacker could have sent a web services request to try to authenticate the user – was dug up in August 2013. Before it was fixed an attacker could time the replies from the remote server to identify existent and non-existent users.
Most of the bugs were discovered back in January by Will Vandevanter and Nahuel D. Sanchez, two researchers at Onapsis, a Cambridge, Mass.-based firm. According to information posted Wednesday on its Security Advisories page, most of the bugs were patched in June but details regarding them weren’t made public until now.
If users haven’t done so already, both SAP and Onapsis are urging them to patch the affected software ASAP to avoid what they’re calling ‘business risks.’
“I would urge all SAP HANA and SAP BusinessObjects users to check our advisories and the remedial steps we share to protect their company’s most important data,” Ezequiel Gutesman, Onapsis’ Director of Research, said Wednesday.
The company is primarily responsible for digging up vulnerabilities in SAP and applications that run on the SAP framework. According to its disclosure records, year-to-date it has discovered more than 30 bugs in more than a dozen SAP products.