May 12 2016

Under Fire: SAP Customers Vulnerable to Six-Year-Old Bug

Boston-based security firm Onapsis and US-CERT are urging SAP customers to finally fix the invoker servlet vulnerability, a flaw that was first detected and patched more than half a decade ago.

As we have noted many times before, you always know something is very wrong in the realm of IT when reports about security breaches, malware propagation or software bugs grab headlines in mainstream media. Two years ago, Heartbleed and its potential fallout were covered extensively in prime-time news shows all over the world; some four months earlier, a data breach at Target, the second-largest U.S. retail chain, that affected up to 110 million customers (roughly one third of the country's population) had caused another major stir. This time around, the spotlight is on Europe's biggest software firm, SAP, and its top customers: yesterday evening, the news agency Reuters ran an exclusive report entitled "Security bug SAP patched years ago draws U.S. government alert." The main sources for the story were a threat report issued by Boston-based security firm Onapsis, which specializes in the security of SAP and Oracle products, and alert TA16-132A from US-CERT, which in turn is part of the Department of Homeland Security (DHS). Here's a brief rundown of the essentials:

  • At least 36 global enterprises that are located in or co-owned by entities from the U.S., UK, Germany, China, India and Japan are vulnerable to attacks that exploit a vulnerability in "outdated or misconfigured" SAP systems. According to Onapsis, the list of victims includes "one of the top ten highest annually grossing companies" as well as 13 businesses that generate more than $10 billion in annual revenues. Among the industries affected, their threat report lists oil and gas exploration, telecommunications, life sciences and chemicals, utilities, and various types of high-tech companies, e.g. in sectors like mechanical or weapons engineering.
  • Possible exploits target a vulnerability in the so-called invoker servlet, a built-in functionality of SAP NetWeaver Application Server Java systems (aka SAP Java platforms). When enabled, the invoker servlet lets a client call any servlet class deployed in a web application directly by its fully qualified class name in the request URL, which sidesteps the authentication and authorization rules the application declares for its regular servlet mappings. Successful attackers could thus get full access to these platforms without valid credentials and take control of the business information and processes residing on them as well as on neighboring systems.
  • The vulnerability affects the J2EE engine and thus practically all key SAP applications and modules, including those for ERP, CRM, SCM, PLM, process integration, and business intelligence. And because it's an application layer issue, it is not limited to specific SAP/OS/database combinations.
  • The invoker servlet vulnerability was fixed in late 2010 when SAP first issued its Security Note 1445998 (the flaw was later assigned CVE-2010-5326). The functionality itself is disabled by default in SAP applications based on versions 7.20 and 7.30 of the J2EE engine, so customers on those releases who have never re-enabled this particular setting appear to be safe; older releases, and systems where the setting was switched back on, remain exposed until the note is applied.
  • According to the Onapsis report, the vulnerability was first disclosed "at a digital forum registered in China" in 2013. Members of that forum continue discussing it to date.
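Because an invoker servlet request carries a fully qualified Java class name right in the URL path, HTTP access logs are a practical place to look for past or ongoing probing while the fix from Security Note 1445998 is rolled out. The following script is an added example written for this page; it is not code from Onapsis, US-CERT or SAP. It assumes a Common Log Format-style access log (SAP AS Java HTTP access logs use their own layout, so the request-line regex would need adapting) and treats the pattern `/<application>/servlet/<dotted.class.Name>` as the invoker-style indicator. The sample log lines and the class name `com.example.app.AdminServlet` are constructed for the demonstration.

```python
import re
from urllib.parse import unquote

# Constructed sample lines (not real SAP logs). Two requests call a servlet by its
# fully qualified class name, one of them with the dots percent-encoded; the rest
# are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
10.0.0.5 - - [12/May/2016:09:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5123
203.0.113.7 - - [12/May/2016:09:02:40 +0000] "GET /myapp/servlet/com.example.app.AdminServlet HTTP/1.1" 200 312
203.0.113.7 - - [12/May/2016:09:02:41 +0000] "POST /myapp/servlet/com%2Eexample%2Eapp%2EAdminServlet?cmd=x HTTP/1.1" 200 88
10.0.0.9 - - [12/May/2016:09:03:00 +0000] "GET /myapp/servlet/SomeAlias HTTP/1.1" 404 0
10.0.0.5 - - [12/May/2016:09:04:10 +0000] "GET /static/servlets.html HTTP/1.1" 200 9000
"""

# Common Log Format request line: client, timestamp, method, path, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# /<app>/servlet/<fully.qualified.ClassName>: at least one dot-separated
# Java identifier after "servlet/". A plain alias (no dots) is ambiguous, since it
# may be a normal servlet mapping, so only dotted class names are reported.
CLASS_RE = re.compile(
    r'^(?:/[^/]+)+/servlet/([A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)$'
)


def find_invoker_requests(log_text):
    """Return one dict per request whose path looks like an invoker servlet call."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment would count these
        # Drop the query string, then decode percent-encoding so that
        # com%2Eexample%2Eapp%2EAdminServlet is recognized as a class name.
        path = unquote(m.group("path").split("?", 1)[0])
        cm = CLASS_RE.match(path)
        if not cm:
            continue
        hits.append({
            "ip": m.group("ip"),
            "ts": m.group("ts"),
            "method": m.group("method"),
            "servlet_class": cm.group(1),
            "status": int(m.group("status")),
            # A 2xx/3xx answer means the container actually dispatched the call,
            # i.e. the invoker servlet was enabled when the request arrived.
            "served": int(m.group("status")) < 400,
        })
    return hits


def summarize_by_source(hits):
    """Count invoker-style requests per client address for triage."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_invoker_requests(SAMPLE_LOG)
    for h in found:
        print(f'{h["ts"]} {h["ip"]} {h["method"]} {h["servlet_class"]} '
              f'status={h["status"]} served={h["served"]}')
    print("per source:", summarize_by_source(found))
```

A hit with `served` set to true is the finding to escalate: it shows the invoker servlet answered an unauthenticated class-name call, so the system was exposed at that moment regardless of what the configuration says today. Double percent-encoding and path normalization tricks are outside this example; decode as the server would before matching if your logs contain them.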

It should be noted here that, even though the security flaw resides in software from SAP, the responsibility for fixing it lies mainly with customers' IT departments. The technical information and product updates required to close the gaping security hole have been available for nearly six years, so in-house developers had ample time to rewrite company-specific application code that still relied on the invoker servlet. Please also note that while the Onapsis report lists only so-called high-value targets, the vulnerability affects all companies, including small and medium businesses, that run outdated or badly configured SAP systems. To help you and your customers understand and mitigate potential risks, we've attached the full Onapsis report below. Moreover, the security firm will also hold two webcasts on Wednesday next week (May 18) at 9:00 AM and 2:00 PM EST (3:00 and 8:00 PM CET). The registration page for both events is here.

Attachment: Onapsis Threat Report

