Press Release

Onapsis Issues 15 Advisories Affecting SAP HANA and SAP Trex

High-profile cyber-risks reveal unauthorized users could access arbitrary business information, and tamper with audit logs to hide evidence of attacks

Boston, MA – July 21, 2016 – Onapsis, the global experts in business-critical application security, today released new security advisories detailing vulnerabilities in SAP HANA and SAP Trex. Included in the advisories is a “critical risk” vulnerability that could be used to gain high privileges allowing unrestricted access to business information, and to modify arbitrary database information. These vulnerabilities pose a potential risk to over 10,000 SAP customers running different versions of SAP HANA.

“This set of advisories is unique as most of the vulnerabilities attackers can leverage are undervalued. Meaning, the way in which they can be exploited is not always obvious and can go undetected. For example, one of the critical vulnerabilities that can be exploited creates an error message which includes sensitive information about its environment, users, or associated data,” said Sebastian Bortnik, Head of Research, Onapsis.

SAP HANA, at the heart of SAP’s cloud offerings, is the next-generation database and application platform. SAP HANA includes capabilities to transform transactions, analytics, text analysis, predictive and spatial processing so businesses can operate in real-time. Depending on an organization’s use of these platforms, “critical risk” vulnerabilities could be used by cyber attackers to gain access to mission-critical information including customer data, product pricing, financial statements, employee information, supply chains, business intelligence, budgeting, planning and forecasting.

Vulnerabilities affecting SAP HANA include:

Critical Risk

  • SAP HANA SYSTEM User Brute Force Attack
    • By exploiting this vulnerability, a remote unauthenticated attacker could receive high privileges on the HANA system with unrestricted access to any business information.

High Risk

  • SAP HANA Arbitrary Audit Injection via HTTP Requests
    • By exploiting this vulnerability, an attacker could tamper the audit logs, hiding evidence of an attack to a HANA system.
  • SAP HANA Arbitrary Audit Injection via SQL Protocol
    • By exploiting this vulnerability, an attacker could tamper the audit logs, hiding his evidence of an attack to a HANA system.
  • SAP HANA Potential Remote Code Execution
    • By exploiting this vulnerability, an unauthenticated attacker could access and modify any information indexed by the SAP system.

Vulnerabilities affecting SAP TREX include:

Critical Risk

  • SAP TREX Remote Command Execution
    • By exploiting this vulnerability, an unauthenticated attacker could access and modify any information indexed by the SAP system.

High Risk

  • SAP TREX Arbitrary File Write
    • By exploiting this vulnerability an unauthenticated attacker could modify any information indexed by the SAP system.
  • SAP TREX Remote Directory Traversal
    • By exploiting this vulnerability, a remote unauthenticated attacker could access arbitrary business information from the SAP system.
  • SAP TREX Remote File Read
    • By exploiting this vulnerability, a remote unauthenticated attacker could access arbitrary business information from the SAP system.

The advisories are released by the Onapsis Research Labs, a team of security experts who combine in-depth knowledge and experience to deliver technical analysis with business-context, and provide sound security guidance to the market. The team has reported more than 300 SAP and Oracle vulnerabilities, and has released over 150 advisories to date.

Each advisory details the business-context relevance of an identified vulnerability, including impact on a business, a description of the affected components, and steps to resolution such as patch download links and recommended security fixes.

The advisories are publicly available at: https://onapsis.com/research/advisories.

On August 18th at 9:00am and 2:00pm EDT, Onapsis will be hosting live webcasts discussing these vulnerabilities. For more information, or to register please visit: https://onapsis.com/understanding-critical-vulnerabilities-sap-hana.

About Onapsis

Onapsis provides the most comprehensive solutions for securing SAP and Oracle enterprise applications. As the leading experts in SAP and Oracle cyber-security, Onapsis’ patented solutions enable security and audit teams to have visibility, confidence and control of advanced threats, cyber risks and compliance gaps affecting their enterprise applications.

Headquartered in Boston, MA, Onapsis serves over 200 customers including many of the Global 2000. Onapsis’ solutions are also the de-facto standard for leading consulting and audit firms such as Accenture, Deloitte, E&Y, IBM, KPMG and PwC.

Onapsis solutions include the Onapsis Security Platform, which is the most widely-used SAP-certified cyber-security solution in the market. Unlike generic security products, Onapsis’ context-aware solutions deliver both preventative vulnerability and compliance controls, as well as real-time detection and incident response capabilities to reduce risks affecting critical business processes and data. Through open interfaces, the platform can be integrated with leading SIEM, GRC and network security products, seamlessly incorporating enterprise applications into existing vulnerability, risk and incident response management programs.

These solutions are powered by the Onapsis Research Labs which continuously provide leading intelligence on security threats affecting SAP and Oracle enterprise applications. Experts of the Onapsis Research Labs were the first to lecture on SAP cyber-attacks and have uncovered and helped fix hundreds of security vulnerabilities to-date affecting SAP Business Suite, SAP HANA, SAP Cloud and SAP Mobile applications, as well as Oracle JD Edwards and Oracle E-Business Suite platforms.

Onapsis has been issued U.S. Patent No. 9,009,837 entitled “Automated Security Assessment of Business-Critical Systems and Applications,” which describes certain algorithms and capabilities behind the technology powering the Onapsis Security Platform™ and Onapsis X1™ software platforms. This patented technology is recognized industry wide and has gained Onapsis the recognition as a 2015 SINET 16 Innovator.

For more information, please visit www.onapsis.com, or connect with us on Twitter, Google+, or LinkedIn.

Onapsis and Onapsis Research Labs are registered trademarks of Onapsis, Inc. All other company or product names may be the registered trademarks of their respective owners.