SAP Security Patch Day in October
Every second Tuesday of the month, SAP issues patch releases. For October, the set of security notes consists of 10 items (3 of them are additional ones), which is fewer than the previous month. Each note covers the fixed vulnerabilities discovered in different SAP products.
The highest CVSS (Common Vulnerability Scoring System) base score in this patch update is 9.1, which is rated Hot News by priority. This fix addresses an Information Disclosure vulnerability that allows an attacker to obtain sensitive information.
Three of the 10 updates relate to Cross-site scripting vulnerabilities, which let attackers inject malicious scripts into web pages, bypass access controls and obtain business-critical information. Another three notes address Missing authorization checks, which allow a service to be accessed without any authorization procedure and can serve as a starting point for further attacks.
The SAP Java platform accounts for more vulnerabilities than any other platform in October's set of security notes: four of the security notes refer to Java.
Organizations running SAP must secure the data that SAP stores, since attacks on these systems allow business-critical information to be captured or altered.
Therefore, the vendor recommends that customers visit the SAP Support Portal and apply the patches to protect their landscape.
About SAP ERP Data Breaches
For the past decade, we have seen an increase in data breaches almost every year, and some have made headline news for several months. You may ask: what about SAP ERP security, which is so critical to your business operations?
Studies conducted in 2019 show that most organizations have had an ERP breach in the last 2 years. The compromised information includes sales data, HR data, intellectual property, and financial data.
This cannot but raise concerns, particularly about the possibility of insider trading and further fraudulent actions.
What are the most common S/4 HANA security and remediation challenges?
SAP S/4HANA is an integrated ERP system that runs on SAP's in-memory database, SAP HANA.
All SAP customers can be broadly divided into three groups: those who go straight to S/4 HANA, having not previously run SAP; those migrating an existing SAP system; and those redesigning their business processes and implementing the new platform from scratch.
The security issues these organizations face are almost the same. Four of them are worth considering:
- Critical access and segregation-of-duties (SoD) risks in SAP standard roles
- Business process redesigns resulting in the change of role designs
- Lack of tools to identify S/4 HANA access risks and SoDs
- Limited knowledge or expertise to recommend appropriate role designs or controls
Ensuring the environment is secured is paramount in order to avoid costly remediation at a later stage.