A Security Gap Causes a Cyberattack

For the first time in history, the US Department of Homeland Security has published a report on security threats to SAP systems (US-CERT Alert for cybersecurity of SAP business applications). The report describes how a security gap allowed attackers to take control of SAP systems.

36 organizations were attacked through a vulnerability

At least 36 organizations (with SAP systems in their infrastructure) were attacked using a security vulnerability that has been known for about 6 years. The attack was aimed primarily at systems that had not been updated with the patches provided as part of SAP Security Notes. The described vulnerability affects SAP NetWeaver Server Java, specifically the Invoker Servlet add-on.

What systems are most at risk?

The DHS report indicates that SAP systems running outdated software are vulnerable. This applies to systems running on the SAP Java platform. Because the SAP Java platform is the basic technology for many SAP systems, the exposure is broad: the security gap is located in the application layer of the SAP system, so its occurrence is independent of the operating system and the database supporting the SAP system.

What are the effects of exploiting the vulnerability?

Exploiting the Invoker Servlet vulnerability gives an attacker remote, unauthenticated, full control over the compromised system. This in turn means full access to the data and business processes on that system (and potentially access to other systems connected to SAP).

How to protect yourself?

The surest solution is to apply SAP Security Note 1445998 and disable the Invoker Servlet.
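Applying the note is the fix; a practitioner will also want to know whether the Invoker Servlet is still reachable on a system and whether anyone has been calling it. The Invoker Servlet addresses servlets by fully qualified class name under a `/servlet/` path prefix, so a simple check is to scan the web access log for that pattern and count how many such requests were actually served (a 2xx/3xx response suggests the servlet is still enabled). The script below is an added example, not code from the article or from SAP: the log lines are constructed, the class names are placeholders, and the `/<context>/servlet/<fully.qualified.ClassName>` indicator is an assumption about the request shape rather than anything the article states.

```python
import re
from collections import Counter

# Constructed sample access-log lines (Common Log Format) for illustration only.
# The class names are placeholders, not real SAP servlets.
SAMPLE_LOG = """\
10.0.0.5 - - [10/May/2016:08:01:12 +0000] "GET /irj/portal HTTP/1.1" 200 5120
10.0.0.7 - - [10/May/2016:08:02:40 +0000] "GET /ctc/servlet/com.example.AdminServlet HTTP/1.1" 200 812
10.0.0.7 - - [10/May/2016:08:02:41 +0000] "POST /ctc/servlet/com.example.AdminServlet?param=x HTTP/1.1" 200 310
10.0.0.9 - - [10/May/2016:08:03:02 +0000] "GET /webdynpro/resources/sap.com/app HTTP/1.1" 200 2048
10.0.0.7 - - [10/May/2016:08:04:19 +0000] "GET /anyapp/servlet/com.example.OtherServlet HTTP/1.1" 404 0
"""

# Common Log Format: client, ident, user, [timestamp], "METHOD path protocol", status, size.
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Assumed indicator: the invoker servlet is reached as /<context>/servlet/<fully.qualified.ClassName>.
# Requiring at least one dot in the name avoids flagging ordinary paths that merely contain "servlet".
INVOKER_PATH = re.compile(
    r'/servlet/(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)(?:[?;/]|$)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match CLF."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def find_invoker_requests(log_text):
    """Return every request whose path looks like an invoker-servlet call."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        m = INVOKER_PATH.search(rec["path"])
        if m:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "class": m.group("cls"),
                "status": rec["status"],
            })
    return hits


def summarize(hits):
    """Count hits overall, hits that were served (status < 400), and hits per client IP."""
    served = sum(1 for h in hits if h["status"] < 400)
    by_ip = Counter(h["ip"] for h in hits)
    return {"total": len(hits), "served": served, "by_ip": dict(by_ip)}


if __name__ == "__main__":
    found = find_invoker_requests(SAMPLE_LOG)
    for h in found:
        print(f"{h['ts']} {h['ip']} {h['method']} {h['class']} -> {h['status']}")
    print(summarize(found))
```

A non-zero `served` count after the note has supposedly been applied means the change did not take effect and should be verified in the J2EE engine configuration (the note describes disabling the servlet through the `servlet_jsp` service property `EnableInvokerServletGlobally`; that property name is quoted here from memory, so confirm it against the note itself). Requests that return 404 are still worth a look, since they show someone probing for the feature.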

Comment from our expert

As this vulnerability has been known for at least 6 years, it seems unlikely that this vulnerability was exploited by burglars. It is also worrying that the situation affects so many global systems. What does it mean? Because the subject of data security is not approached systematically, it causes such omissions at the level of security. The main difficulty lies in convincing decision-makers about the need to invest in solutions that automate SAP security processes.
Daniel Sikorski / SAP Security / BASIS