Expert Comments

Expert Insight On SAP Critical Bug Allows Unrestricted Access to ERP, CRM

Expert(s): Security Experts
Expert(s): Security Experts

SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which would allow an unauthenticated attacker to take control of SAP applications.

Experts Comments

Dot Your Expert Comments
James MacQuiggan
July 15, 2020
Security Awareness Advocate
KnowBe4

When a new exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately
If you discovered in your neighborhood that burglars were breaking into the back windows of homes, you would likely take appropriate steps to protect your home. Whether you install break-proof windows, motion-sensing lights, or an alarmed security system to alert a break-in, these are actions to reduce the risk of an attack on your home. When a newly exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately. With .....Read More
If you discovered in your neighborhood that burglars were breaking into the back windows of homes, you would likely take appropriate steps to protect your home. Whether you install break-proof windows, motion-sensing lights, or an alarmed security system to alert a break-in, these are actions to reduce the risk of an attack on your home. When a newly exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately. With a robust change control and management program, organisations want to prioritise this patch to secure their systems and protect themselves as soon as possible.  Read Less
Jayant Shukla
July 15, 2020
CTO and Co-Founder
K2 Cyber Security

The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organization’s applications.
Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10. The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organization’s applications guarding their most precious data assets. This vulnerability points to the need already pointed out by NIST.....Read More
Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10. The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organization’s applications guarding their most precious data assets. This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technologies), for Runtime Application Self-Protection (RASP) – also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.  Read Less
Casey Ellis
July 15, 2020
CTO and Founder
Bugcrowd

The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability.
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the.....Read More
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the vulnerability in question would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization. With crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.  Read Less

Dot Your Expert Comments


Only for registered and approved experts. Please register before providing comments. Register here
* By using this form you agree with the storage and handling of your data by this web site.
Submit
0
FacebookTwitterLinkedinWhatsappEmail

You may also like

Iran Nuclear Facility Potential Cyber Attack – What Expert Says

Industry Leaders On Android.Joker Malware

Expert Reaction On Pulse Secure VPN Users Can’t Login Due...

New Vulnerabilities Put Millions Of IoT Devices At Risk

Expert Comment On Darktrace Set For IPO

Fake App Attacks On The Rise, As Malware Hides In...

Expert On Study That Brits Using Pets’ Names As Online...

Expert Reaction On Europol Publishes Its Serious And Organised Crime...

Fake Netflix App Allows Hackers to Hijack WhatsApp

Hackers Pretend To Be Your Friend In The Latest WhatsApp...