Onapsis and US-CERT warned about attacks against 36 companies; however, another security firm begs to differ

May 13, 2016 16:50 GMT  ·  By

The impact of a five-year-old, recently resurfaced security issue affecting SAP customers has been greatly underestimated, says a team of researchers who revealed that the number of affected companies is actually fifteen times larger.

At the start of the month, security firm Onapsis published a report and revealed attacks against 36 companies that failed to install an SAP security patch issued in 2010.

Security issue allows complete takeover of SAP platforms

The company's report was worrisome because the flaw that attackers exploited allowed them to gain complete control of SAP business platforms via a bug in the Invoker Servlet, one of the many components of SAP's NetWeaver Application Server Java systems (SAP Java platforms).

The US-CERT (Computer Emergency Response Team), a division of the US Department of Homeland Security, took notice of the huge security issue and, two days ago, issued a public alert to all US companies.

US-CERT and Onapsis recommended that affected companies apply the patch or disable the Invoker Servlet component altogether.

500+, not 36, says ERPScan founder

Things changed yesterday, when ERPScan, a security vendor known for its expertise in Java enterprise platforms and monthly contributions to Oracle and SAP security patches, also issued a report on this topic.

ERPScan's founder, Alexander Polyakov, revealed that they detected at least 533 companies vulnerable to these issues.

"Those services can have unique names so that it's not possible to get the final figure (approximately 500+ systems). Taking into account that most of them belong to Fortune 2000 companies, it's quite a critical issue to discuss," Polyakov said.

ERPScan's founder also revealed that one of the reasons so many companies skipped SAP's patch may have been the cumbersome process of installing and testing the fix.

A company's employee would have had to check whether the invoker servlet was enabled by default, then disable it, and then reboot the entire server to double-check the change. This is much more involved than running a command-line update and moving on with your day.
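As an added illustration (not part of the article or of either vendor's reports), here is a defender-side check that scans web server access logs for requests routed through an invoker-style servlet path, so an administrator can see whether such requests are still reaching a system that should have the component disabled. It assumes the conventional `/servlet/<class name>` URL form for such requests; the log lines and addresses are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import unquote, urlsplit

# Common/combined access-log format: client, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Assumption: invoker-style requests look like /<alias>/servlet/<fully.qualified.Class>.
INVOKER_RE = re.compile(r'/servlet/(?P<target>[A-Za-z_$][\w$.]*)')

def parse_line(line):
    """Split one access-log line into fields, or return None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def invoker_requests(lines):
    """Return the parsed requests whose (decoded) path goes through /servlet/."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if not rec:
            continue
        # Drop the query string and decode %2F-style encoding before matching.
        path = unquote(urlsplit(rec["path"]).path)
        m = INVOKER_RE.search(path)
        if m:
            hits.append({**rec, "target": m.group("target")})
    return hits

def summarize(hits):
    """Aggregate hits by client address and by requested servlet class."""
    served = sum(1 for h in hits if h["status"].startswith("2"))
    return {
        "total": len(hits),
        "served": served,  # 2xx answers mean the path is still reachable
        "by_client": dict(Counter(h["client"] for h in hits)),
        "by_target": dict(Counter(h["target"] for h in hits)),
    }

# Constructed sample log (documentation-range addresses, made-up class names).
SAMPLE_LOG = [
    '203.0.113.5 - - [13/May/2016:10:01:02 +0000] "GET /webdynpro/resources/Explorer HTTP/1.1" 200 4310',
    '198.51.100.7 - - [13/May/2016:10:02:15 +0000] "GET /irj/servlet/com.example.internal.AdminServlet HTTP/1.1" 200 812',
    '198.51.100.7 - - [13/May/2016:10:02:16 +0000] "GET /irj/servlet/com.example.internal.AdminServlet?a=1 HTTP/1.1" 200 812',
    '198.51.100.7 - - [13/May/2016:10:03:40 +0000] "POST /ctc/servlet%2Fcom.example.internal.ConfigServlet HTTP/1.1" 404 0',
    '192.0.2.44 - - [13/May/2016:10:05:00 +0000] "GET /irj/portal HTTP/1.1" 200 2048',
    'garbage line that does not parse',
]
```

Any hit answered with a 2xx status after the component was supposedly disabled is the signal worth following up on; the per-class counts show which servlet names are being requested.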

Image: Location of companies attacked using the SAP 2010 issue

Image: SAP 2010 vulnerability affects more companies than expected