Exclusive: Security bug SAP patched years ago draws U.S. government alert
By Eric Auchard
FRANKFURT (Reuters) - Europe's biggest software company, SAP (SAPG.DE), is the subject of a U.S. security alert over a vulnerability the firm disabled six years ago that can still give outside attackers remote control over older SAP systems if the software is not properly patched and configured.
SAP fixed the issue, but left it up to its customers to decide whether to switch off an easy-access setting, and those customers may sometimes place a higher priority on keeping their business-critical SAP systems running than on applying security updates.
The U.S. Department of Homeland Security's Computer Emergency Readiness Team (US-CERT) issued an alert to the security industry on Wednesday advising SAP customers what they need to do to plug the holes. It is one of only three such security warnings the agency has issued so far this year.
Dozens of companies have been exposed to these security gaps in recent years, and a far larger number of SAP customers remain vulnerable, said Onapsis, a firm that specializes in securing business applications from SAP and rival Oracle (ORCL.O).
"This is not a new vulnerability," Mariano Nunez, chief executive of Onapsis, which works with SAP to plug security holes, told Reuters in advance of the U.S. security alert. "Still, most SAP customers are unaware that this is going on."
SAP, whose software acts as the corporate plumbing for many multinationals and which claims 87 percent of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.
SAP issued a statement that the vulnerable feature was fixed when the company introduced the software update six years ago. "All SAP applications released since then are free of this vulnerability," the company said in an emailed statement.