TechWalls

Technology News | Gadget Reviews | Tutorials

  • Reviews
  • Tech News
  • Tech Guide
  • Gadget & Apps

Dozens of global companies at risk from a SAP business application flaw

Updated on May 12, 2016 by Guest Authors

Security researchers at Onapsis have found that an old vulnerability in SAP business applications is still exposing companies, with evidence dating back as early as 2013, highlighting a serious risk facing dozens of businesses worldwide.

In a parallel announcement, the U.S. Department of Homeland Security alerted enterprises based in the United States, United Kingdom, India, Japan, Germany, China and South Korea to the high-risk SAP flaw, which affects SAP Java applications and the critical business processes that many organizations and companies run on them.


The vulnerability, according to Onapsis, could expose the critical business information and processes of affected enterprises to attackers, who could take full control of those assets without any authentication and reach the vast trove of data they hold. Some non-SAP systems are also affected.

Onapsis pointed to the Invoker Servlet, a feature from the J2EE specification that developers use to test Java applications. Because it lets any servlet be called directly by its URL, with no authorization check, anyone who knows a servlet's URL can invoke it over the Internet at any time. With full access to this functionality, attackers can manipulate and exploit critical systems across many industries, which is why it alarmed Homeland Security: attackers can also create accounts and take control of the underlying operating system.

Although SAP already ships the Invoker Servlet disabled by default in its applications, attackers were still able to reach it on insecure SAP systems and execute arbitrary commands, sending crafted requests over HTTP or HTTPS to circumvent the authentication controls.

How serious could it get? An attacker can escalate privileges to execute arbitrary commands on the operating system and, from any web browser, create administrative user accounts in the SAP system without holding a valid SAP user ID and password. SAP appears to be downplaying the flaw, however, even though its recent patch notes indicate otherwise.

Security experts now warn that custom Java applications must be reviewed and any irregular behavior in those applications monitored, even though users are now able to disable the Invoker Servlet, because a custom SAP Java application can override that setting and re-enable it for itself.
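The monitoring the experts call for can start with the web server access log: an Invoker Servlet call is a request that names a servlet class directly in the URL rather than going through the application's own mappings. The script below is an added example written for this article, not code from Onapsis, SAP or the original page. It assumes an invoker URL shaped like /<context>/servlet/<fully.qualified.ClassName> and a Common Log Format access log; the log lines, IP addresses and class names are constructed for illustration, and the regular expressions should be adjusted to your own landscape.

```python
"""Flag access-log requests that look like direct Invoker Servlet calls.

Added example; the URL shape and log format are assumptions, not SAP
documentation. Run it, then feed it your own NetWeaver AS Java access logs.
"""
import re
from collections import Counter

# Constructed sample log lines (not real traffic). Lines 2 and 3 are
# invoker-style calls that were answered with 200, line 4 was rejected,
# and the last line is a benign static file under a "/servlet/" path.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2016:08:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
203.0.113.7 - - [10/May/2016:08:01:13 +0000] "GET /webdynpro/servlet/com.example.app.AdminServlet HTTP/1.1" 200 318
198.51.100.4 - - [10/May/2016:08:02:40 +0000] "POST /custom/servlet/com.example.ops.ConfigServlet HTTP/1.1" 200 1042
192.0.2.9 - - [10/May/2016:08:03:05 +0000] "GET /sap/servlet/com.example.Test?cmd=id HTTP/1.1" 401 0
192.0.2.9 - - [10/May/2016:08:03:06 +0000] "GET /myapp/servlet/index.html HTTP/1.1" 200 77
"""

# Common Log Format: host ident user [time] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+$'
)

# Assumed Invoker Servlet URL shape: /<context>/servlet/<package.Class>.
# A dotted class name after "/servlet/" is the tell; requiring at least two
# dots (a package) keeps "index.html" out. Classes in the default package
# are deliberately not matched, so review them separately if you have any.
INVOKER_RE = re.compile(
    r'^/(?P<context>[^/?]+)/servlet/'
    r'(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*){2,})'
    r'(?:[/?;].*)?$'
)


def find_invoker_calls(log_text):
    """Return one dict per request whose path looks like an invoker call."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines we cannot parse rather than guess at them
        p = INVOKER_RE.match(m.group("path"))
        if not p:
            continue
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("time"),
            "method": m.group("method"),
            "context": p.group("context"),
            "cls": p.group("cls"),
            "status": int(m.group("status")),
        })
    return hits


def successful_by_source(hits):
    """Sources that got a 2xx back from an invoker-style URL.

    A 2xx here means the servlet ran for that client; if the system is
    supposed to have the Invoker Servlet disabled, every entry is a finding.
    """
    return Counter(h["ip"] for h in hits if 200 <= h["status"] < 300)


if __name__ == "__main__":
    calls = find_invoker_calls(SAMPLE_LOG)
    for c in calls:
        print(f'{c["time"]} {c["ip"]} {c["method"]} /{c["context"]}/servlet/{c["cls"]} -> {c["status"]}')
    print("sources with successful invoker calls:", dict(successful_by_source(calls)))
```

A rejected request (the 401 above) is still worth keeping: it shows someone probing for the servlet by name, which is exactly the reconnaissance that precedes the account creation the article describes. Pair the log check with a configuration review of every custom application, since the article's point is that a custom deployment can switch the Invoker Servlet back on regardless of the global setting.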

Security experts also recommend that SAP administrators keep a close eye on critical system patches from now on, since SAP releases patches on a monthly cycle. They lament that the incident highlighted how narrow a view the security teams responsible for SAP systems have of the vulnerabilities lingering in those systems.
