Security News

SAP customers should update their installations to close a security vulnerability that can be exploited to commandeer the software by anyone who can reach it. Dubbed RECON, aka Remotely Exploitable Code On NetWeaver, by its discoverers, security shop Onapsis, the bug in SAP's NetWeaver AS JAVA allows a remote unathenticated hacker to take over a vulnerable NetWeaver-based system by creating admin accounts without any authorization.

A critical vulnerability, carrying a severity score of 10 out of 10 on the CvSS bug-severity scale, has been disclosed for SAP customers. The bug has been named RECON by the Onapsis Research Labs researchers that found it, and it affects more than 40,000 SAP customers, they noted.

A serious vulnerability that could impact thousands of organizations can allow hackers to take complete control of SAP systems. Onapsis says more than 40,000 SAP customers could be affected by the RECON bug and the cybersecurity firm estimates that there are at least 2,500 vulnerable systems that can be targeted directly from the internet, including in North America, Europe and the Asia-Pacific region.

SAP has issued patches to fix a critical vulnerability that can lead to total compromise of vulnerable SAP installations by a remote, unauthenticated attacker. The flaw affects a variety of SAP business solutions, including SAP Enterprise Resource Planning, SAP Supply Chain Management, SAP HR Portal, and others.

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server Java platform, allowing an unauthenticated attacker to take control of SAP applications. "If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications," the US Cybersecurity and Infrastructure Security Agency said in an advisory.

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server Java platform, allowing an unauthenticated attacker to take control of SAP applications. "If successfully exploited, a remote, unauthenticated attacker can obtain unrestricted access to SAP systems through the creation of high-privileged users and the execution of arbitrary operating system commands with the privileges of the SAP service user account, which has unrestricted access to the SAP database and is able to perform application maintenance activities, such as shutting down federated SAP applications," the US Cybersecurity and Infrastructure Security Agency said in an advisory.

The most important of these patches are two Hot News Security Notes addressing critical vulnerabilities in SAP Liquidity Management for Banking and SAP Commerce. Also rated Hot News and featuring a CVSS score of 9.8 is a Security Note addressing hard-coded user credentials in SAP Commerce and SAP Commerce Data Hub.

Basis Technologies, creators of the most complete DevOps and test automation platform engineered specifically for SAP systems, announced the introduction of ActiveControl 8.3, the newest version of the company's innovative DevOps automation solution. This market-leading technology enables on-demand delivery of SAP change through the adoption of agile, DevOps and CI/CD. ActiveControl 8.3 helps companies with SAP systems to achieve greater business agility and faster delivery of innovation by enabling adoption of new development methods, improving the quality of SAP change, and increasing productivity through elimination of manual effort.

Censia announced that its Talent Intelligence Platform is now an SAP-Endorsed App, available for online purchase on SAP App Center. Censia's Talent Intelligence can find, evaluate, and rank talent inside and outside the company, in a matter of seconds, and delivers all talent in a single pipeline directly inside the customer's ATS. By using Censia, SAP customers can access the best state-of-the-art recruiting capabilities directly within SAP SuccessFactors.

ASE is used by more than 30,000 organizations globally - including 90 percent of the top banks and security firms worldwide, according to SAP. Researchers disclosed six vulnerabilities that they discovered while conducting security tests for the latest version of the software, ASE 16. While SAP has released patches for both ASE 15.7 and 16.0 in its May 2020 update, researchers disclosed technical details of the flaws on Wednesday, saying "There is no question" that the patches should be applied immediately if they haven't been already.