Cyber security vulnerabilities have been discovered in several components of SAP’s NetWeaver platform by security firm Positive Technologies.
NetWeaver acts as an interoperable platform for building web-based applications that integrate business processes and databases from numerous sources. The flaws found in it were shown to let attackers carry out actions that could lead to the compromise of a company’s IT systems.
Cross-site scripting (XSS) vulnerabilities were found in the SAP Enterprise Portal Navigation (CVSSv3 score 6.1) and SAP Enterprise Portal Theme Editor (three flaws with CVSSv3 scores 5.4, 6.1, and 6.1), while a vulnerability that enables arbitrary file upload was found in SAP’s NetWeaver Log Viewer.
With the NetWeaver Log Viewer flaw, the consequences of a successful cyber attack are even worse: because arbitrary code can be uploaded and executed on the server, a file upload could compromise an entire targeted system or database rather than an isolated system, leading to attacks on back-end systems such as database platforms like SAP’s own HANA.
“Large companies all over the world use SAP to manage financial flows, product lifecycle, relationships with vendors and clients, company resources, procurement, and other critical business processes. It is vital to protect the information stored in SAP systems as any breach of confidential information could have a devastating impact on the business,” said Dmitry Gutsko, head of the business system security unit at Positive Technologies.
Users of NetWeaver 7.31 are advised to ensure their system has the latest update and to use tools certified for integration with SAP NetWeaver.
While a patch may take care of the flaws, the security holes are not good for SAP’s reputation, especially since it recently had to rush to squash security bugs in its HANA database platform.