Critical Vulnerabilities in SAP Application Server


ERPScan researchers have published details of new critical vulnerabilities in the SAP application server. Exploiting them, an attacker can cause a remote denial of service, for example to sabotage a rival company. The attacks are carried out by sending a malicious request to any SAP server reachable on the Internet or on the corporate subnet. One of the attacks requires no authentication; the other requires working credentials, but an attacker can rely on well-known default passwords.

The vulnerabilities are very critical due to the fact that any Internet user can find SAP servers using simple Google hacking techniques and remotely disable any SAP server. It can pose significant business risks and financial losses for a company operating on the Internet with clients using SAP Software. Users should upgrade these systems as soon as possible using recommendations from SAP Security Notes 1484097 and 1469549.

— commented Alexander Polyakov, the Head of ERPScan.

Technical details are available in the ERPScan advisories:

[ERPSCAN-10-006] SAP Netweaver MMR — Denial of Service
[ERPSCAN-10-005] SAP Netweaver XRFC — Stack Overflow
[ERPSCAN-09-056] SAP Netweaver SQL Monitors — Multiple XSS
