ERP News

US sounds alarm after SAP bug found affecting multinationals

985 0
The U.S. government is warning major corporations to check the configuration of their SAP software systems after a computer security company discovered at least 36 global enterprises were still vulnerable to a significant bug patched more than five years ago.

The bug allows hackers to remotely gain full administrative access to SAP systems and affects at least 18 of the company’s software systems, according to security vendor Onapsis.

Using it, attackers can gain “complete control of the business information and processes on these systems, as well as potential access to other systems,” the U.S. Department of Homeland Security said in a bulletin. It’s only the third time this year the department has issued such a notice.

Whether a businesses cloud platform is vulnerable depends on its specific configuration and any custom applications that are running.

During its research, Onapsis discovered major companies in the U.S., U.K., Germany, China, India, Japan, and South Korea were vulnerable. The company’s work covered a number of industries including oil and gas, telecommunications, utilities, retail, automotive, and steel manufacturing.
As an immediate response, DHS recommends companies follow SAP Security Note 1445998 and disable the Invoker Servlet. It’s this bug that is being leveraged with a sensitive SAP Java application to gain admin access to systems, said Onapsis.

SAP said the Invoker Servlet was disabled in NetWeaver 7.20, so all SAP applications released since 2010 have been free of this vulnerability.

So why is the bug still a problem?

To read this article in full, please click here

Leave A Reply

Your email address will not be published.

*

code