This week you may have seen, via our Twitter account (@Onapsis) or other security news feeds such as PacketStorm, the publication of six advisories discovered by the Onapsis Research Labs affecting SAP. In a past blog, Securing Your SAP Through Research, I talked about the importance and value of the security research we do here at Onapsis. I have also discussed the fact that we have seen both automated, widespread attempts to compromise SAP systems and very targeted attacks, and the implications of those attacks.
If you look at the latest six advisories released by the Onapsis Research Labs, which are listed on our advisory page, you will see that they span a variety of SAP technologies with very different delivery methods. Three of the vulnerabilities affect SAP HANA: two target the Extended Application Services (XS), one of which is a cross-site scripting (XSS) flaw in the Administration Tool for SAP HANA XS, and the third is an authentication bypass. A highlight for me was the discovery of a hardcoded user in SAP FI Manager Self-Service, which affects every installation of FI Manager.
It is very important that you stay informed by reading the advisories we publish and the monthly Security Notes released by SAP, and that you evaluate their relevance to your critical systems and the risk they represent to them.