Five-Year-Old SAP Vulnerability Affects Over 500 Companies, Not 36


Onapsis and US-CERT warned about attacks against 36 companies; another security firm begs to differ. The impact of a five-year-old security issue affecting SAP customers, which recently resurfaced, has been greatly underestimated, say researchers who found that the number of affected companies is actually about fifteen times larger.

At the start of the month, security firm Onapsis published a report revealing attacks against 36 companies that had failed to install an SAP security patch issued in 2010.

Security issue allows complete takeover over SAP platforms

The company’s report was worrisome because the flaw the attackers exploited let them gain complete control over SAP business platforms through a bug in the Invoker Servlet, one of the many components of SAP NetWeaver Application Server Java (the SAP Java platform). The Invoker Servlet lets a caller address a servlet directly by its Java class name in the URL, so a request can reach a servlet without going through the access restrictions the application declares for its normal URL paths.

US-CERT (the United States Computer Emergency Readiness Team), a division of the US Department of Homeland Security, took notice of the issue and two days ago issued a public alert to all US companies.

US-CERT and Onapsis recommended that affected companies apply the patch, or disable the Invoker Servlet component altogether.

500+, not 36, says ERPScan founder

Things changed yesterday, when ERPScan, a security vendor known for its expertise in enterprise Java platforms and for its monthly contributions to Oracle and SAP security patches, also issued a report on this topic.

ERPScan’s founder, Alexander Polyakov, revealed that they detected at least 533 companies vulnerable to these issues.

“Those services can have unique names so that it’s not possible to get the final figure (approximately 500+ systems). Taking into account that most of them belong to Fortune 2000 companies, it’s quite a critical issue to discuss,” Polyakov said.

ERPScan’s founder also suggested that one reason so many companies skipped SAP’s patch may have been the cumbersome process of installing and testing the fix.

An administrator would have had to check whether the Invoker Servlet was enabled by default, disable it, and then restart the entire server to verify the change. That is far more involved than running a command-line update and moving on with the day.
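The two practical tasks the article describes are checking whether the Invoker Servlet is still enabled and looking for requests that went through it. The script below is an added example written for this page; it is not code from Onapsis, ERPScan, US-CERT or SAP. It assumes two things: that the global setting is the servlet_jsp service property EnableInvokerServletGlobally as exported from the Config Tool in key=value form, and that the HTTP access log uses the simple one-line format shown in the constructed sample. The application context /webapp and the class names com.example.AdminServlet and com.example.internal.UploadServlet are hypothetical; the detection relies only on the Invoker Servlet's URL shape, /<application>/servlet/<fully.qualified.ClassName>, which is what distinguishes a class-name invocation from a servlet reached through a URL pattern declared in web.xml.

```python
import re
from dataclasses import dataclass

# Requests routed through the Invoker Servlet have the form
#   /<application-context>/servlet/<fully.qualified.ClassName>[?query]
# The servlet is named by Java class rather than by a web.xml URL pattern.
# Requiring a package-qualified name (at least one dot) separates these
# from applications that merely use "servlet" as an ordinary path segment.
_INVOKER_RE = re.compile(
    r'^/(?P<app>[^/\s?]+)/servlet/'
    r'(?P<cls>[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)+)'
)

# Assumed access-log layout (constructed for this example):
#   client_ip [timestamp] "METHOD path HTTP/x.y" status
_LOG_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)

# Constructed sample log lines; hosts, paths and class names are made up.
SAMPLE_LOG = """\
10.0.0.5 [12/May/2016:09:14:03 +0000] "GET /irj/portal HTTP/1.1" 200
203.0.113.7 [12/May/2016:09:14:10 +0000] "GET /webapp/servlet/com.example.AdminServlet?cmd=list HTTP/1.1" 200
10.0.0.9 [12/May/2016:09:15:22 +0000] "GET /shop/servlet/catalog HTTP/1.1" 200
203.0.113.7 [12/May/2016:09:16:01 +0000] "POST /webapp/servlet/com.example.internal.UploadServlet HTTP/1.1" 500
"""

# Constructed key=value dump of the servlet_jsp service properties
# (property name assumed from SAP's documented mitigation).
SAMPLE_PROPERTIES = """\
# servlet_jsp service properties (constructed sample)
EnableInvokerServletGlobally = true
"""


@dataclass
class InvokerHit:
    ip: str
    timestamp: str
    method: str
    app: str
    servlet_class: str
    status: int


def find_invoker_requests(log_text):
    """Return every access-log line whose path addresses a servlet by class name."""
    hits = []
    for line in log_text.splitlines():
        m = _LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the assumed log layout
        inv = _INVOKER_RE.match(m.group('path'))
        if inv:
            hits.append(InvokerHit(
                ip=m.group('ip'),
                timestamp=m.group('ts'),
                method=m.group('method'),
                app=inv.group('app'),
                servlet_class=inv.group('cls'),
                status=int(m.group('status')),
            ))
    return hits


def invoker_servlet_enabled(properties_text):
    """True unless EnableInvokerServletGlobally is explicitly set to false.

    A missing property is reported as enabled so that an audit fails closed
    and the administrator verifies the setting by hand.
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, sep, value = line.partition('=')
        if sep and key.strip() == 'EnableInvokerServletGlobally':
            return value.strip().lower() != 'false'
    return True


if __name__ == '__main__':
    print('Invoker Servlet enabled:', invoker_servlet_enabled(SAMPLE_PROPERTIES))
    for hit in find_invoker_requests(SAMPLE_LOG):
        print(f'{hit.timestamp} {hit.ip} {hit.method} /{hit.app}/servlet/{hit.servlet_class} -> {hit.status}')
```

On the sample, the request to /shop/servlet/catalog is not flagged because catalog is not a package-qualified class name, while both requests from 203.0.113.7 are. A hit does not by itself prove exploitation; it shows that the Invoker Servlet path was reachable and used, which is exactly the condition the patch and the disable-and-restart procedure are meant to remove.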

Location of companies attacked using the SAP 2010 issue