Expert Insight On SAP Critical Bug Allows Unrestricted Access to ERP, CRM

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which would allow an unauthenticated attacker to take control of SAP applications.

Expert Comments

July 15, 2020
James MacQuiggan
Security Awareness Advocate
KnowBe4
If you discovered in your neighborhood that burglars were breaking into the back windows of homes, you would likely take appropriate steps to protect your home. Whether you install break-proof windows, motion-sensing lights, or an alarmed security system to alert a break-in, these are actions to reduce the risk of an attack on your home. When a newly exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately. With a robust change control and management program, organisations want to prioritise this patch to secure their systems and protect themselves as soon as possible.
July 15, 2020
Jayant Shukla
CTO and Co-Founder
K2 Cyber Security
Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10. The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organizations' applications guarding their most precious data assets. This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technologies), for Runtime Application Self-Protection (RASP), also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.
July 15, 2020
Casey Ellis
CTO and Founder
Bugcrowd
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of a vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the vulnerability in question would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization. With crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.