SAP announces security vulnerability - are you protected?

14 October 2014

Brenton O'Callaghan

Global Head of SAP Innovation

Today SAP announced a "critical vulnerability" in the cryptographic libraries that ship with SAP NetWeaver ABAP and SAP HANA, which leaves those systems open to spoofing of the digital signatures they rely on.

In real terms this means that another party, if it exploited this vulnerability correctly, could pose as your system to its peers, or forge logon tickets that your system would accept as genuine and so log on without ever knowing a password. Thankfully SAP has released updated libraries that fix the issue; the details and the patch are in SAP Security Note 2067859.

On the plus side...

In an email to customers and partners today, SAP informed us that the vulnerability was discovered by an "SAP Internal research" team. This is a good thing for a number of reasons:

Firstly, it means that SAP is actively researching how its own systems can be exploited - something we would all hope they are doing, but it is nice to see the fruits of their labour. Penetration testing an enterprise platform as large as SAP is a difficult and daunting task, so knowing they are working on it is most definitely a bonus.

Secondly, it means this is not an exploit that was spotted being actively used in the wild. Being found by researchers rather than by malicious groups is, of course, a good thing, and it gives us time to react before it becomes a problem. One caveat: now that the note and the patched libraries are public, anyone can compare the old and new library versions to work out what was fixed, so that window is already closing.

Finally, responsible disclosure. Normally this term describes third parties telling a company about a problem with its product, but it applies just as well to how a company discloses a vulnerability to the wider community. In this case we got a fix together with a detailed email illustrating clearly what the problem was, and for that I applaud SAP. That said, I would love to know how much time passed between discovery and disclosure, as that might change my mind on this being a good thing. For now, let's err on the side of the positive.

On the downside...

The obvious negative is of course the nature of the vulnerability. A forged logon ticket lets the attacker choose which user they log on as, so in the worst case a malicious third party gains privileged access to the system. Not a pleasant thought, and combined with the slow pace at which SAP patches are generally applied it means we may see this vulnerability present in SAP systems for years to come.

What should we do?

There is a lot we can and should do. For now here are the two main points.

  1. Firstly, of course, apply the patched versions of SAP's cryptographic libraries to all existing ABAP and SAP HANA systems, as described in SAP Note 2067859. Do not stop at downloading them: check on each system that the new version is actually the one loaded (in ABAP, for example, STRUST can display the SSF library version from its Environment menu, and the note lists the fixed versions), because a library copied to the wrong directory, or not picked up until the next restart, fixes nothing.
  2. Replace all system certificates (PSEs) so that your systems sign with fresh keys. This may seem unnecessary, but be clear about what it does and does not do. It does not close the hole - only the patched library does that, because the flaw is in how signatures are verified, not in your keys. It does invalidate any tickets or signatures minted against the old keys, and if a system could have been accessed with a forged ticket you cannot rule out that its private keys were exported. So you have a responsibility to revoke the existing certificates, issue new ones and update the trust lists of every system that accepts tickets or signatures from them.
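
To make concrete why a signature-verification flaw is so serious, and what replacing a system's keys actually buys you, here is an added example. It is my own illustration, not SAP's code and not the real SAP logon ticket format: a hypothetical ticket carrying an issuing system ID, a user and an expiry, signed with Ed25519 by the issuing system. The accepting side keeps a trust store of issuer public keys, standing in for the trusted certificates in its PSE and the SSO ACL. The names (Ticket, Issue, TrustStore, Verify, the system IDs "PRD" and "DEV", the users "ADMIN" and "SAP*") are all assumptions for the example. With verification working correctly, a ticket whose user was edited after signing, a ticket signed by an attacker's key that merely claims to be "PRD", and a ticket minted before the issuer's key was rotated are all rejected; the SAP flaw meant exactly this verification step could be fooled, which is why the patch comes first and the key rotation second.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"strconv"
	"time"
)

// Ticket is a hypothetical, simplified logon ticket (not SAP's real format):
// the issuing system's ID, the user it vouches for, an expiry, and the issuer's
// signature over exactly those three fields.
type Ticket struct {
	Issuer  string
	User    string
	Expires int64 // Unix seconds
	Sig     []byte
}

// payload is the canonical byte string that is signed and later verified. Every
// field the accepting system relies on must be covered by the signature.
func (t Ticket) payload() []byte {
	return []byte(t.Issuer + "\x00" + t.User + "\x00" + strconv.FormatInt(t.Expires, 10))
}

// Issue creates a ticket for user, signed with the issuing system's private key
// (the analogue of the issuing SAP system's SSO PSE).
func Issue(issuer, user string, priv ed25519.PrivateKey, ttl time.Duration, now time.Time) Ticket {
	t := Ticket{Issuer: issuer, User: user, Expires: now.Add(ttl).Unix()}
	t.Sig = ed25519.Sign(priv, t.payload())
	return t
}

// TrustStore maps issuing system IDs to the public keys the accepting system
// trusts: the analogue of the trusted certificates in its PSE and the SSO ACL.
type TrustStore map[string]ed25519.PublicKey

// Verify returns the user a ticket vouches for, or an error. The issuer named in
// the ticket is only a lookup key; trust comes from the signature checking out
// against the key *we* hold for that issuer, never from the ticket's own claim.
func (ts TrustStore) Verify(t Ticket, now time.Time) (string, error) {
	pub, ok := ts[t.Issuer]
	if !ok {
		return "", errors.New("issuer not in trust store")
	}
	// ed25519.Verify returns false (no panic) for a wrong-length signature.
	if !ed25519.Verify(pub, t.payload(), t.Sig) {
		return "", errors.New("signature does not verify")
	}
	if now.Unix() >= t.Expires {
		return "", errors.New("ticket expired")
	}
	return t.User, nil
}

func main() {
	// Constructed demo: PRD issues tickets and PRD's public key is trusted.
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	trust := TrustStore{"PRD": pub}
	now := time.Now()

	good := Issue("PRD", "ADMIN", priv, time.Hour, now)
	tampered := good
	tampered.User = "SAP*" // edited after signing: signature no longer matches
	_, evil, _ := ed25519.GenerateKey(rand.Reader)
	forged := Issue("PRD", "SAP*", evil, time.Hour, now) // claims PRD, wrong key

	cases := []struct {
		name string
		tk   Ticket
	}{{"good", good}, {"tampered", tampered}, {"forged", forged}}
	for _, c := range cases {
		user, err := trust.Verify(c.tk, now)
		fmt.Printf("%-9s user=%q err=%v\n", c.name, user, err)
	}

	// Key rotation (replacing PRD's PSE): tickets minted against the old key
	// stop verifying immediately, even though they are otherwise well-formed.
	newPub, _, _ := ed25519.GenerateKey(rand.Reader)
	trust["PRD"] = newPub
	_, err := trust.Verify(good, now)
	fmt.Println("after rotation:", err)
}
```

The design point is that the ticket's Issuer field is never trusted on its own: it only selects which locally held public key the signature is checked against. If the library doing that check can be persuaded to accept a bad signature, every other control in Verify is irrelevant, which is exactly the situation the patched library repairs.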

SAP, as an enterprise system, is far from immune to serious vulnerabilities, and you should have a plan for how to react to new ones as they emerge - including the genuine zero-days that, unlike this one, are already being exploited by the time they are announced. Right now and for the next few years we are in the age of privacy and security, so this will not be the last security worry your enterprise faces. Plan, be proactive with security reviews and ensure you are ready for the next issue.

Don't get caught out!


About the author

Brenton O'Callaghan

Global Head of SAP Innovation

Enterprise technology strategist and emerging technology evangelist

I'm a globally experienced SAP expert based in Ireland and I’m currently responsible for creating and bringing our SAP Innovation & Leonardo practice to market. My day job involves helping our customers to solve actual business problems in a rapid fashion using tools such as design thinking, SAP Leonardo and much more. I'm also responsible for exploring how emerging technologies and concepts can be applied within our customer base such as Machine Learning, Blockchain, DevOps and AI.
I've a background in computer science and have spent the last 9+ years in the SAP space across a wide range of industries across EMEA and North America. I'm a big believer that the best consultants have a mix of technical knowledge, industry experience and empathy and that is what I bring with my team to my customers. It's all about bringing about positive and relevant business change with the best possible technology.
Outside of work you can find me supporting the Irish Rugby team and the Boston Red Sox as well as my new-found hobby - golf!

