SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which would allow an unauthenticated attacker to take control of SAP applications.
SAP has patched a critical vulnerability impacting the LM Configuration Wizard component in NetWeaver Application Server (AS) Java platform, which would allow an unauthenticated attacker to take control of SAP applications.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
If you discovered in your neighborhood that burglars were breaking into the back windows of homes, you would likely take appropriate steps to protect your home. Whether you install break-proof windows, motion-sensing lights, or an alarmed security system to alert a break-in, these are actions to reduce the risk of an attack on your home.
When a newly exposed and critical vulnerability with huge repercussions is known, organisations want to patch these systems and applications immediately. With a robust change control and management program, organisations want to prioritise this patch to secure their systems and protect themselves as soon as possible.
Java-based web applications are among the most common on the internet today and remain the most vulnerable to high-risk vulnerabilities like remote code execution, SQL injection, cross-site scripting and other vulnerabilities in the OWASP Top 10.
The SAP NetWeaver AS JAVA vulnerability is particularly concerning since SAP is used in the framework of many organization’s applications guarding their most precious data assets. This vulnerability points to the need already pointed out by NIST (National Institute of Standards and Technologies), for Runtime Application Self-Protection (RASP) – also known as runtime application security, to help protect web applications because Web Application Firewalls and other perimeter defenses have been failing to defend against exploitation of such zero-day vulnerabilities in production.
This is the second major Java-based 0-day in the wild in as many weeks targeting widely deployed, Internet-facing critical software. The challenge of critical bugs is that traditional approaches may take days or even weeks to discover all exploitable instances of vulnerability. Even when a patch is issued, successfully ensuring every application is patched becomes a race against malicious actors that know exactly what software they should be targeting. In the case of the SAP bug, the vulnerability in question would allow an unauthenticated attacker unrestricted access to SAP systems, including ERP, CRM and other programs likely to contain highly sensitive information, and enable them to have privileged access even deeper into the network and systems of the affected organization. With crowdsourced security, the global researcher community is able to mobilize within hours, drastically cutting discovery time and allowing more effective prioritization of the effort that goes into testing and deploying patches and mitigations. Speed is absolutely essential when managing risk in these situations and no other traditional security model is able to match crowdsourcing.