SAP “patched” bug still has holes

SAP, the expensive and esoteric management software company whose products no-one is really sure what they do, is the subject of a US security alert over a vulnerability the firm disabled six years ago.

Apparently the hole still gives outside attackers remote control over older SAP systems if the software is not properly patched.

SAP fixed the problem, but left the decision over whether to switch off an easy-access setting up to its customers.

The U.S. Department of Homeland Security’s Computer Emergency Response Team (US-CERT) issued an alert to the security industry warning SAP customers what they need to do to plug the holes.

Onapsis, a firm that specialises in securing business applications from SAP and Oracle, said that dozens of companies have been exposed to these security gaps in recent years, and that a far larger number of SAP customers remain vulnerable.

Onapsis chief executive Mariano Nunez said that most SAP customers are unaware that this is going on.

SAP, whose software acts as the corporate plumbing for many multinationals and which claims 87 percent of the top 2000 global companies as customers, disclosed the vulnerability in 2010 and has offered software patches to fix the flaw.

SAP issued a statement saying that the vulnerable feature was fixed when the company introduced the software update six years ago, and that all SAP applications released since then are free of this vulnerability.

However, SAP acknowledged that these changes were known to break customised software developments that many customers had implemented using older versions of SAP’s programming language.

The problem continues because a sizeable number of big SAP customers are known to depend on these older versions of the software, which in many cases date back years or, in extreme examples, even decades.