SAP Security patching
At ERP-Security we spend a lot of time discovering new SAP vulnerabilities and reporting these to SAP. This not only helps to improve SAP products, it also keeps us sharp as security researchers.
In June and July, SAP released 4 vulnerabilities reported by us:
SAP Security Notes – reported by ERP-SEC June – July 2016
Two of these SAP Security Notes, 2306709 and 2301837, were even released as a HOTNEWS notes, the highest risk category SAP assigns to vulnerabilities, with CVSS scores of 9.1 and 9.9 respectively. If an attacker successfully exploits this weakness, full control is gained over the SAP application, including all business related/relevant data.
It is therefore imperative to follow the periodic release of SAP security notes and apply the ones that are relevant to your SAP systems.
How to start?
When you decide to apply the SAP security notes, the question arises how to correctly identify which ones are applicable to a given SAP system.
In a Security Blog “Security Patch Process FAQ” (FAQ #26) SAP states that the traditional method of using transaction ST14 with report RSECNOTE has become obsolete and that the “System Recommendations” function in the Solution Manager should be used instead.
However, when we tried out the System Recommendations on a newly installed Netweaver 750 system, it returned many Recommended OSS Notes that were not applicable to the version of the system. It even recommended an Oracle-specific Note, although our system had a MaxDB database.
There is an alternative: our security scanner Protect4S provides an easy and reliable method of selecting the appropriate security notes for all SAP system types. In fact, you could achieve as much as 50% risk reduction in a single day by applying OSS Notes and SAP parameter changes, as we demonstrated in an earlier blog.
It’s quite simple really
Using Protect4S, the periodic application of security notes becomes quite simple and painless.
After each SAP Security patch day, we release a new Protect4S support package which contains the latest Security notes (and more). After it has been applied, Protect4S will scan all your SAP systems and detect the presence of the latest vulnerabilities.
When these are found, a mitigation work list is created that can be subsequently be executed by the technical consultants who maintain your systems.
After the security notes are applied, another scan will verify their successful implementation. In addition, the reduction of risk will be visibly expressed in a graph that shows the before and -after situation:
Risk History overview
In this way SAP customers are able to prove to third parties like auditors or Data Protection authorities that they are actively managing and mitigating risk.
- Protect4S enables a simple 3-step SAP Security Process– scan -> analyse -> mitigate – which puts you in control of your business security.
Start reducing the risks in your SAP systems now with Protect4S.
For more information:
