Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security

2/25/2015
01:00 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

Onapsis Uncovers Five New Vulnerabilities Affecting SAP BusinessObjects and SAP HANA

High-profile cyber-risks reveal unauthorized users could retrieve and overwrite data stored on business-critical systems

Boston, MA – February 25, 2015 – Onapsis, the global experts in business-critical application security, today released five new security advisories detailing vulnerabilities in SAP BusinessObjects and SAP HANA enterprise software. Included in the security advisories are three “high risk” vulnerabilities, one of which allows unauthenticated users to overwrite business data, and two “medium risk” vulnerabilities.

Organizations use SAP BusinessObjects to track, analyze and report on business performance, while SAP HANA, at the heart of SAP’s cloud offerings, is the next-generation database and application platform. SAP HANA includes capabilities to transform transactions, analytics, text analysis, predictive and spatial processing so businesses can operate in real-time. Depending on an organization’s use of these platforms,  ‘high risk’ vulnerabilities could be used by cyber attackers to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

Three ‘high risk’ advisories released detail vulnerabilities found in SAP BusinessObjects through default CORBA connector:

- Unauthorized Audit Information Delete

·      

Allows a remote unauthenticated attacker to access and delete auditing information of the remote system and to perform malicious activities without being detected.

- Unauthorized File Repository Server Write

·      

Allows a remote unauthenticated attacker to access and overwrite sensitive business data stored on the remote system.

- Unauthorized File Repository Server Read

·      

Allows a remote unauthenticated attacker to retrieve sensitive business data stored on the remote system.

 

Two ‘medium risk’ advisories released detail vulnerabilities in SAP BusinessObjects and SAP HANA:

- Multiple Reflected Cross-site Scripting Vulnerabilities in SAP HANA Web-based Development Workbench

·      

Allows a remote unauthenticated attacker access and attack other users of SAP HANA

- SAP Business Objects Unauthorized Audit Information Access via CORBA

·      

Allows a remote unauthenticated attacker to access and read auditing information thus accessing sensitive business data. Access to this functionality should be restricted.

 

 “Taking steps to patch these vulnerabilities, or to implement control measures is critical to protecting your SAP systems. Recent headlines alone have shown us the consequences of not having proper security measures in place, especially when you’re dealing with systems that are housing data and processing transactions vital to the ongoing success of your business,” said Ezequiel Gutesman, Director of Research, at Onapsis. 

The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business-context, and provide sound security judgment to the market. The team has released over 140 advisories to date, consulted on impact with over 160 Onapsis enterprise customers and regularly presents at leading security and SAP conferences around the world.

Each advisory details the business-context relevance of an identified vulnerability, including impact on business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

They are publicly available at: http://www.onapsis.com/research/advisories.

###

About Onapsis

Onapsis gives organizations the adaptive advantage to succeed in securing business-critical applications by combining technology, research and analytics. Onapsis enables every security and compliance team an adaptive approach to focus on the factors that matter most to their business– critical applications that house vital data and run business processes including SAP Business Suite, SAP HANA and SAP Mobile deployments.

Onapsis provides technology solutions including Onapsis X1, the de-facto SAP security auditing tool, and Onapsis Security Platform which delivers enterprise vulnerability, compliance, detection and response capabilities with analytics.

The Onapsis Research Labs provide subject matter expertise that combines in-depth knowledge and experience to deliver technical and business-context with sound security judgment. This enables organizations to efficiently uncover security and compliance gaps and prioritize the resolution within applications running on SAP platforms.

Onapsis delivers tangible business results including decreased business risk, highlighted compliance gaps, lower operational security costs and demonstrable value on investment.

Twitter: @onapsis

LinkedIn: linkedin.com/company/onapsis

 

 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Manchester United Suffers Cyberattack
Dark Reading Staff 11/23/2020
As 'Anywhere Work' Evolves, Security Will Be Key Challenge
Robert Lemos, Contributing Writer,  11/23/2020
Cloud Security Startup Lightspin Emerges From Stealth
Kelly Sheridan, Staff Editor, Dark Reading,  11/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-20934
PUBLISHED: 2020-11-28
An issue was discovered in the Linux kernel before 5.2.6. On NUMA systems, the Linux fair scheduler has a use-after-free in show_numa_stats() because NUMA fault statistics are inappropriately freed, aka CID-16d51a590a8c.
CVE-2020-29368
PUBLISHED: 2020-11-28
An issue was discovered in __split_huge_pmd in mm/huge_memory.c in the Linux kernel before 5.7.5. The copy-on-write implementation can grant unintended write access because of a race condition in a THP mapcount check, aka CID-c444eb564fb1.
CVE-2020-29369
PUBLISHED: 2020-11-28
An issue was discovered in mm/mmap.c in the Linux kernel before 5.7.11. There is a race condition between certain expand functions (expand_downwards and expand_upwards) and page-table free operations from an munmap call, aka CID-246c320a8cfe.
CVE-2020-29370
PUBLISHED: 2020-11-28
An issue was discovered in kmem_cache_alloc_bulk in mm/slub.c in the Linux kernel before 5.5.11. The slowpath lacks the required TID increment, aka CID-fd4d9c7d0c71.
CVE-2020-29371
PUBLISHED: 2020-11-28
An issue was discovered in romfs_dev_read in fs/romfs/storage.c in the Linux kernel before 5.8.4. Uninitialized memory leaks to userspace, aka CID-bcf85fcedfdd.