Security News

SAP releases security updates for two critical-severity flaws
2023-04-11 20:54

Enterprise software vendor SAP has released its April 2023 security updates for several of its products, which include fixes for two critical-severity vulnerabilities that impact the SAP Diagnostics Agent and the SAP BusinessObjects Business Intelligence Platform. In total, SAP has released 24 notes, 19 of which concern new issues of varying importance and five of which are updates to previous bulletins.

SAP releases security updates fixing five critical vulnerabilities
2023-03-14 21:08

Software vendor SAP has released security updates for 19 vulnerabilities, five rated as critical, meaning that administrators should apply them as soon as possible to mitigate the associated risks. The flaws fixed this month impact many products, but the critical severity bugs affect SAP Business Objects Business Intelligence Platform and SAP NetWeaver.

Why SAP systems need to be brought into the cybersecurity fold
2022-08-11 04:00

A recent part-owned SAP report revealed that for every 1,500 cyberattacks on SAP systems recorded between mid-2020 and March 2021, 300 were successful, with threat actors leveraging faults in unsecured applications to commit financial fraud, deploy ransomware and disrupt business operations. Any vulnerability in SAP is highly concerning owing to its impact potential - should SAP systems be attacked, the consequences can be catastrophic, cascading across multiple risk areas.

SAP community website leaks member data to savvy users
2022-03-18 11:49

SAP runs six main Customer Influence programs accessible via a website open to thousands of members. While users can view each other's names, companies, proposals, and comments, those with knowledge of SAP's back-end can easily get hold of more information, argues SAP consultant Tobias Hofmann in his blog.

SAP Patches Severe ‘ICMAD’ Bugs
2022-02-10 16:39

There's a trio of critical vulnerabilities, fixed on Tuesday, in SAP business applications that use the ubiquitous Internet Communication Manager: the component that gives SAP products the HTTPS web server they need to connect to the internet or talk to each other. The firm estimated that there were tens of thousands - approximately 40,000 - SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications at the time of disclosure.

SAP to Give Threat Briefing on Uber-Severe ‘ICMAD’ Bugs
2022-02-10 16:39

Security researchers from Onapsis - the security firm that specializes in security for SAP, Oracle, Salesforce, and other software-as-a-service platforms and that discovered the bugs - joined SAP in coordinating the release of a Threat Report describing the critical vulnerabilities on Tuesday. As of Tuesday, Onapsis Research Labs had estimated that there were tens of thousands - approximately 40,000 - SAP customers running more than 10,000 potentially affected, internet-exposed SAP applications.

CISA warns admins to patch maximum severity SAP vulnerability
2022-02-09 16:55

The US Cybersecurity and Infrastructure Security Agency has warned admins to patch a set of severe security flaws dubbed ICMAD that impact SAP business apps using Internet Communication Manager. Yesterday, Onapsis Research Labs, which found and reported CVE-2022-22536, one of the three ICMAD bugs and the one rated as a maximum severity issue, also cautioned SAP customers to patch them immediately.

SAP Kicks Log4Shell Vulnerability Out of 20 Apps
2021-12-15 19:31

SAP has identified 32 apps that are affected by CVE-2021-44228 - the critical vulnerability in the Apache Log4j Java-based logging library that's been under active attack since last week. Thomas Fritsch, an SAP security researcher at enterprise security firm Onapsis, said in his SAP Patch Tuesday writeup that the number of HotNews Notes may seem high, but one of them - #3089831, tagged with a CVSS score of 9.9 - was initially released on SAP's September 2021 Patch Tuesday.

3 Ways to Secure SAP SuccessFactors and Stay Compliant
2021-09-08 05:38

SAP is leading this HR transformation with its human capital management solution, SAP SuccessFactors. With perimeter-based security no longer effective, you need a solution that understands SuccessFactors and can secure it regardless of how people are connecting and the data involved.

SAP Patches Nine Critical & High-Severity Bugs
2021-08-11 15:27

"HotNews" is the severity rating that SAP gives to critical vulnerabilities. Given the nine critical patches, Fritsch dubbed last month's light SAP Patch Tuesday the "Calm before the storm." In fact, Tuesday's raft of patches has earned August the dubious honor of being "The most noteworthy SAP Patch Day this year" for customers, he wrote.