The bug allows hackers to remotely gain full administrative access to SAP systems and affects at least 18 of the company’s software systems, according to security vendor Onapsis.
Using it, attackers can gain “complete control of the business information and processes on these systems, as well as potential access to other systems,” the U.S. Department of Homeland Security said in a bulletin. It’s only the third time this year the department has issued such a notice.
Whether a businesses cloud platform is vulnerable depends on its specific configuration and any custom applications that are running.
During its research, Onapsis discovered major companies in the U.S., U.K., Germany, China, India, Japan, and South Korea were vulnerable. The company’s work covered a number of industries including oil and gas, telecommunications, utilities, retail, automotive, and steel manufacturing.
As an immediate response, DHS recommends companies follow SAP Security Note 1445998 and disable the Invoker Servlet. It’s this bug that is being leveraged with a sensitive SAP Java application to gain admin access to systems, said Onapsis.
SAP said the Invoker Servlet was disabled in NetWeaver 7.20, so all SAP applications released since 2010 have been free of this vulnerability.
So why is the bug still a problem?