Serious security vulnerabilities discovered in SAP NetWeaver

Positive Technologies has found serious vulnerabilities in several components of the SAP NetWeaver platform, according to the security vendor. The flaws allow an attacker to compromise a company's IT systems. SAP has already made an update available.

NetWeaver serves as an interoperable platform for developing web-based applications and business processes and for integrating databases from many sources. The affected components are the SAP Portal Theme Editor, the NetWeaver Log Viewer and the SAP Enterprise Portal navigation. The vulnerabilities are rated at 5.4 and 6.1 points on the ten-point Common Vulnerability Scoring System (CVSS).

A cross-site scripting vulnerability in the Enterprise Portal navigation gives unauthorized access to session tokens, login information and other personal data in a user's browser. According to the security researchers, an attacker could also manipulate HTML content in the victim's name and intercept keystrokes.

The flaw in the NetWeaver Log Viewer, in turn, allows arbitrary files to be uploaded to a server. Because such files can also contain executable code, a full compromise of a database or server is possible. From there, the attack could be extended to back-end systems such as SAP HANA.
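The upload flaw described above belongs to a well-known class: the server trusts the client-supplied file name and content, so a file that the application server will execute (a JSP or similar) lands on disk. The following Python is an added illustration of that class and of the checks that close it; it is not SAP's code, says nothing about how the Log Viewer is implemented, and the upload directory, allowed extensions and sample file names are all constructed assumptions.

```python
import os
import re
import secrets

# Assumed configuration for an upload endpoint that should only ever accept
# plain-text log files. The directory is assumed to sit outside the web root.
UPLOAD_DIR = "/srv/uploads"
ALLOWED_EXTENSIONS = {".log", ".txt"}

# Only a short, conservative character set is accepted in the client's name.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_.-]{1,64}$")


class RejectedUpload(ValueError):
    """Raised when an upload fails validation."""


def vulnerable_target_path(filename: str, upload_dir: str = UPLOAD_DIR) -> str:
    """The bug class: the client's file name is joined onto the upload
    directory unchanged. Traversal sequences and executable extensions pass
    straight through. Returns the path that would be written."""
    return os.path.join(upload_dir, filename)


def hardened_target_path(filename: str, data: bytes,
                         upload_dir: str = UPLOAD_DIR) -> str:
    """Validate name and content, then choose a server-side name so the
    client never controls where or under what name the file is stored."""
    # Strip any directory component the client sent (both separator styles).
    base = os.path.basename(filename.replace("\\", "/"))
    if not SAFE_NAME.match(base):
        raise RejectedUpload("unsafe file name")

    # Allowlist by extension; everything the server could execute is absent.
    ext = os.path.splitext(base)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        raise RejectedUpload(f"extension {ext!r} not allowed")

    # Content check: a log file is text. NUL bytes or non-UTF-8 data mean a
    # binary (for example a WAR or class file) was renamed to .log.
    if b"\x00" in data:
        raise RejectedUpload("binary content")
    try:
        data.decode("utf-8")
    except UnicodeDecodeError:
        raise RejectedUpload("not UTF-8 text") from None

    # Server-chosen, random name with the validated extension.
    path = os.path.join(upload_dir, f"{secrets.token_hex(8)}{ext}")

    # Defence in depth: confirm the final path is still inside upload_dir.
    root = os.path.abspath(upload_dir)
    if os.path.commonpath([root, os.path.abspath(path)]) != root:
        raise RejectedUpload("path escapes upload directory")
    return path


def escapes_upload_dir(path: str, upload_dir: str = UPLOAD_DIR) -> bool:
    """True if the normalised path lies outside upload_dir."""
    root = os.path.abspath(upload_dir)
    return os.path.commonpath([root, os.path.abspath(path)]) != root


if __name__ == "__main__":
    # Constructed attacker input: a traversal to a hypothetical web root
    # plus an executable extension.
    evil = "../../webapps/ROOT/shell.jsp"
    print("vulnerable would write:", os.path.normpath(vulnerable_target_path(evil)))
    try:
        hardened_target_path(evil, b"<% Runtime.getRuntime().exec(request.getParameter(\"c\")); %>")
    except RejectedUpload as e:
        print("hardened rejected:", e)
    print("hardened accepted:", hardened_target_path("app.log", b"2024-01-01 INFO started\n"))
```

The two functions return the path that would be written rather than writing it, so the behaviour can be checked without touching disk. The important points are the order of checks (name, then extension, then content) and that the stored name is never the client's.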

“Large companies around the world use SAP to manage financial flows, products, relations with customers and suppliers, corporate resources, procurement and other critical business processes. It is vital to protect the information stored in SAP systems, since any loss of confidential information would be devastating for the company,” said Dmitry Gutsko, head of business system security at Positive Technologies.

He advises affected users of NetWeaver 7.31 to install the latest update and to use only tools that are certified for integration with SAP NetWeaver.

In March, SAP had closed, at short notice, a zero-day vulnerability that threatened users of the HANA database. Attackers could take over an affected database system through the vulnerability without entering a user name and password. SAP's patch eliminated two SQL injection vulnerabilities as well as a bug in rights management.


[With material from Roland Moore-Colyer, Silicon.co.uk]
