SAP HANA Security is worse than expected – new critical vulnerability found

Palo Alto, CA – October 15, 2015. ERPScan, the most honored provider of SAP Security and Oracle Security solutions and services, calls attention to the recent update released by SAP that closes several vulnerabilities in SAP HANA. These vulnerabilities affect SAP HANA Security, including cloud and on-premises solutions based on HANA.

According to the latest figures, SAP HANA is implemented in more than 6400 organizations worldwide. One of the vulnerabilities, identified by ERPScan's head of SAP Threat Intelligence Mathieu Geli, can be used to execute code on SAP HANA remotely without authentication, thus seriously affecting SAP HANA Security. As a result, an attacker can gain full access to the SAP HANA Platform and all confidential data stored there. The vulnerability has the highest CVSS score in the update – 9.3.

It is the first time SAP has released a patch within 2 weeks of notification. ERPScan's experience in working with SAP since 2007 and helping them identify and patch 200+ vulnerabilities shows that it usually takes SAP from 3 to a record 36 months to release patches.

The urgency may be related to the fact that cloud security is an especially critical area since its issues allow a malicious person to gain access to confidential data of many organizations. Furthermore, SAP hosts HANA in their cloud, and many other cloud service providers host HANA as well. Hence, any vulnerability in HANA known by attackers can lead to mass compromise of thousands of organizations including Forbes 500 companies.

– Mathieu Geli, Head of SAP Threat Intelligence at ERPScan, adds.

Patches for SAP HANA vulnerabilities were released among 29 other SAP Security patches to close vulnerabilities in other SAP Products such as SAP Business Suite, SAP TREX, and SAP NetWeaver J2EE.

ERPScan researchers have recently reported other SAP HANA vulnerabilities related to default encryption keys, which are the same for every SAP installation in the world. Although SAP pays attention to the development of SAP HANA and its security, the number of discovered vulnerabilities in this platform grows every year. In the first 10 months of 2015 alone, the number of patches for vulnerabilities in SAP HANA has grown by 50% compared to last year.