SAP Security Notes September 2017: No Hot News updates does not mean you can become complacent

It’s the second Tuesday of the month and another set of SAP Security Notes has been released. Since the previous Patch Day in August, SAP has released 32 notes, including 16 out-of-date and another 16 released this morning. One striking observation is that this is the fifth month in a row without a Hot News note; the highest category for notes based on risk. In addition to that, for the three high-priority notes, two of them are updates for a July note and the other one only affects a single country making the risk much smaller.

Analysis of the SAP HANA Internal Communication Interface

SAP HANA is a very fast growing product in many SAP environments, that has moved away from just an in-memory database to a complete application plus database system. In today’s blogpost we’ll talk about the SAP HANA internal communication interface, discuss its use in different scenarios, the configuration parameters involved and the different options that SAP HANA administrators should consider to secure their systems. We’ll also perform an analysis of the default configuration introduced in SPS 12 reviewing different parameters and how they impact overall security.

Protecting Oracle E-Business Suite: Encrypt web interface (HTTPS)

After the release of our threat report about a critical vulnerability on “Unauthorized Business Data Exfiltration Vulnerability”, we are continuing our series of blogpost about Oracle E-Business Suite security. To keep our readers informed about security risks and mitigation techniques to Oracle’s biggest ERP, E-Business Suite (EBS), we will continue to publish blogs on a monthly basis.

TMSADM user with Default Password: another risk in your SAP system

As our readers know, we continuously share details to raise awareness and enable organizations to further secure their SAP infrastructure. In this specific blog, we will focus on one of the well-known SAP default users: TMSADM. What the security implications are of having it enabled with default passwords, and how to properly protect it? As you can imagine, it is not as simple as it sounds, so that’s why we created this blogpost for you.

SAP Security Notes August 2017: Remote Code Injection Vulnerability in JAVA Component

It’s the second Tuesday of the month, meaning another round of monthly SAP notes have been released. Below is our monthly analysis regarding the SAP vulnerabilities fixed, to help you keep your ERP environment safe and protected. For another month, there are no new notes tagged as Hot News, now making a four month streak in which notes of this severity are absent. There is still a need for action however, since three notes were reported as having High priority.

Pages