The holes had a high risk of giving hackers control over databases and business applications used to run big multinational firms.
Vulnerabilities in big business software are more lucrative to attackers as these tools store data and run transactions. The flaws were “zero day” vulnerabilities and were the most critical ever found in HANA. For those who came in late, HANA runs SAP’s latest database, cloud and other more traditional business apps.
The holes were spotted by the insecurity outfit Onapsis which said that the vulnerabilities lay in a HANA component known as “User Self Service” (USS) which would allow malicious insiders or remote attackers to fully compromise vulnerable systems, without so much as valid usernames and passwords.
It reported 10 HANA vulnerabilities to SAP less than 60 days ago, which the German software maker fixed in near-record time.
The resulting patch issued by SAP on Tuesday was rated by it as 9.8 on a scale of 10, “very high” in terms of relative risk to its customers. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.
Onapsis Chief Executive Mariano Nunez praised SAP for doing such a great job by releasing fixes much faster than in past situations.