SAP has released an update closing several vulnerabilities in SAP HANA security, just two weeks after it was notified of the issues.
Mathieu Geli, head of SAP threat intelligence at ERP security specialist ERPscan, identified an issue that would allow code to be executed on SAP HANA remotely without authentication, giving an attacker full access to the SAP HANA Platform and all confidential data stored there.
Another vulnerability identified by Geli allowed an attacker to control security logs and so remain undetected while exploiting other areas of weakness in the system.
The issues affected SAP Cloud and other SAP HANA services.
“Cloud security is an especially critical area, since its issues allow a malicious person to gain access to confidential data of many organisations. Furthermore, SAP hosts HANA in their cloud, and many other cloud service providers host [it] as well. Hence, any vulnerability in HANA known to attackers can lead to mass compromise of thousands of organisations including Forbes 500 companies,” said Geli.
In addition to patches for these vulnerabilities, the latest security update included 29 other patches to resolve issues in products such as SAP Business Suite, SAP TREX, and SAP NetWeaver J2EE.