Security


Are you a business user of an SAP system? Then you may have seen this report on SAP vulnerabilities, which originates from the BlackHat conference held in Las Vegas this week just gone. If you help support an SAP site, you may be required to explain the report to your business. Whatever your responsibilities, the first thing to do is look at SAP OSS Note 1616259 - Briefing at Black Hat conference on August 4th, 2011.

The article appears to be based on a presentation called "A Crushing Blow At the Heart of SAP J2EE Engine". While it's easy to be cynical (the author, Alexandr Polyakov, works for Digital Security Research Group, who push their SAP Security Consulting Services and their product ERPScan), the site does provide useful lists of vulnerabilities and exploits for various pieces of software, including both SAP and Oracle. Curiously, though, all the SAP-related vulnerabilities that I looked at included one or more SAP OSS Notes in the solutions. Just as curiously, Onapsis (coincidentally, another organisation with products and services to sell) have a different (though similar) list of SAP vulnerabilities.

OK, enough cynicism. I make a living out of doing work for SAP customers as well. OSS Note 1616259 mentions the specific vulnerability (as yet undisclosed), but it also references a large number of other OSS Notes that provide corrections for other SAP security vulnerabilities. In short, despite my fun, security errors do exist in SAP products, so when it comes to security issues, patch early and patch often.
