SAP has patched a series of critical vulnerabilities in its cloud-based business platform HANA which could allow for a full system compromise without the need of a username and password.
Security firm Onapsis discovered various high-risk vulnerabilities affecting HANA-based products, including HANA 2, S/4 HANA and HANA-based Cloud applications.
The Onapsis Research Labs discovered over 500 vulnerabilities in SAP and Oracle business applications.
SAP released five HANA patches to fix a range of vulnerabilities uncovered in recent months. Of the five security notes, just two are rated with a very high and high criticality.
The vulnerabilities affect a specific component, dubbed SAP HANA User Self Service, which is not enabled by default.
The vulnerability, which achieved a very high rank of 9.8 on the 10-point CVSS vulnerability assessing-scale, can allow an attacker to take control of the system.
SAP also fixed a security note 2429069, rated with a CVSS score of 8.8. The vulnerability could enable an attacker to elevate privileges by impersonating another user in the system.
The issue only affects systems running SAP HANA 2.0 SPS 00 revision 0 that expose SAP HANA extended application services, classic model to an untrusted network.
Other bugs fixed include several denial of service conditions, cross site scripting bugs, and SQL injections.
Onapsis head of research Sebastian Bortnik said: “This level of access would allow an attacker to perform any action over the business information and processes supported by HANA, including creating, stealing, altering, and/or deleting sensitive information.
“If these vulnerabilities are exploited, organizations may face severe business consequences.”
SAP security lead Holger Mack said: “All security issues are fixed in SAP HANA revisions 122.7 or higher for SAP HANA 1.0 and revision 1 for SAP HANA 2.0 SPS 00. We expect very few SAP HANA customers to be affected by these issues.”
The security patches were developed by Onapsis and SAP’s product security & engineering teams.