FRANKFURT, March 14 - Europe's top software maker
SAP said on Tuesday it had patched vulnerabilities in
its latest HANA software that had a potentially high risk of
giving hackers control over databases and business applications
used to run big multinational firms.
While hacks on phones, websites and computers that consumers
rely on every day grab headlines, vulnerabilities in big
business software are more lucrative to attackers as these tools
store data and run transactions which are the lifeblood of
The latest security weaknesses, known in industry parlance
as "zero day" vulnerabilities, rank among the most critical ever
found in HANA, the engine that runs SAP’s latest database, cloud
and other more traditional business apps, according to Onapsis,
the security company which uncovered these issues.
SAP software acts as the corporate plumbing for many
multinationals and the company claims 87 percent of the top
2,000 global companies as customers.
Onapsis said vulnerabilities lay in a HANA component known
as "User Self Service" (USS) which would allow malicious
insiders or remote attackers to fully compromise vulnerable
systems, without so much as valid usernames and passwords.
It reported 10 HANA vulnerabilities to SAP less than 60 days
ago, which the German software maker fixed in near-record time,
according to interviews with executives of both companies.
The resulting patch issued by SAP on Tuesday was rated by it
as 9.8 on a scale of 10, "very high" in terms of relative risk
to its customers. SAP is releasing five HANA patches this week
to fix a range of vulnerabilities uncovered in recent months.
"SAP has done a great job by releasing fixes much faster
than in past situations," Onapsis Chief Executive Mariano Nunez
told Reuters in an interview.
Customers must in turn choose when to apply such patches to
software that runs their most critical corporate functions, a
process that may take months or years, in rare cases. They must
balance security risks against operational demands.
SAP executives urged security managers working for its
customers to patch relevant systems.
"There has not been one case where a customer who applied
the recommended patches has been affected," Siddhartha Rao, vice
president of SAP Product Security Response, said of the six
years he has been on the job. "We currently expect there will
not be that many customers affected by these issues," he said.
Last May, however, the U.S. Department of Homeland Security
issued an alert advising SAP customers they needed to urgently
plug holes for which SAP already had offered patches in 2010,
but which some customers failed to adopt, leaving dozens exposed
to hacker break-ins afterward. (reut.rs/2mkTVgI)
Three dozen enterprises were found to have telltale signs of
unauthorised access due to outdated or misconfigured SAP
NetWeaver Java systems, Onapsis said at the time.
Onapsis helps secure more than 200 SAP customers ranging
from Schlumberger to Sony Corp, Westinghouse
and the U.S. Army. It also identifies security vulnerabilities
for corporate customers in rival systems from Oracle.
Giving HANA customers breathing room, the USS component
first offered by SAP in October 2014 is not activated by
default, but must be specially enabled, Onapsis said.
It has identified two companies – an energy company and a
retailer – where vulnerabilities were found and fixed. Companies
which are not using USS features are unaffected, Onapsis said.
Technical details can be found on SAP’s security blog (goo.gl/11Dz5w).
There is no evidence hackers have taken advantage so far, the
Last year, the company issued more than 160 patches in all,
SAP said. Ten percent of these were HANA related, Onapsis added.
(Reporting by Eric Auchard; Editing by Stephen Coates)