back to article 36 idiots running SAP under attack after flubbing 2010 patch

The United States Computer Emergency Readiness Team has taken the unusual step of enumerating just how many organisations have a particular problem, by calling out “36 organizations worldwide are affected by an SAP vulnerability … that was patched by SAP in 2010.” You read that right: 2010. US-CERT is relaying research …

  1. Voland's right hand Silver badge

    Both chores sound like child's play for an SAP shop.

    You mean like the local water utility which had its SAP system installed by a bunch of drive-by-outsourcers under management conslutting directions a decade ago?

    That... is an interesting idea... Popcorn...

    1. Huns n Hoses

      Re: Both chores sound like child's play for an SAP shop.

      "Conslutting". Awesome, thanks I'm writing that down.

  2. Rob Moss

    No, not really child's play

    Applying a patch in the SAP world isn't really like applying a Windows Update. Everything has to be regression tested on a copy of the system with the patch applied. Then a downtime window has to be identified, and patching these things isn't necessarily quick. The more SAP products you use, the further your system landscape will spread. There are development, QA and production servers (potentially, plus others) for each major component you're using.

    Of course, I'm not excusing the failure to apply the fix for the security flaw. But "child's play" is the wrong way to describe it. There will be a 6 month project plan that goes around the application of a set of patches. Quite often, it's one of the things that gets left by the wayside just because it's so complicated. Additionally, because SAP's Maintenance Optimizer feature in SAP Solution Manager is currently broken (see SAP Note 2305937, https://service.sap.com/sap/support/notes/2305937 - SMP login required) it's currently very difficult to apply the patch in a way most SAP sysadmins are used to, requiring them to familiarise themselves with SAP Maintenance Planner, a horrible HTML5 thing that's got about half the functionality of the Maintenance Planner which leaves it difficult to keep systems in sync.

    If any of these companies want a hand applying the patch, I can certainly help.

    1. AMBxx Silver badge
      Joke

      Re: No, not really child's play

      Come on - the guy who wrote the article keeps his own PC and laptop updated without all this palaver.

      He even runs his own wifi network.

      1. ssharwood

        Re: No, not really child's play

        They've had five years to get this done. Five years. Yes, I understand that patching business applications is rather more complex than the stuff I do with tech. But five years ....

    2. Steve Crook

      Re: No, not really child's play

      It's a choice, isn't it.

      Either the enterprise decides to 'go down' for a time to get everything patched and up-to-date and risks pissing off customers when it all goes tits up, or it takes the risk of a security breach. No brainer, you take the risk of a breach because the financial hurt from a badly applied update (and the cost of updating) far outweighs the one from a security break, if it ever happens. I say this after hearing Dido Harding on the radio this a.m. gushing about TT's last quarter and how the business is bouncing back...

      I don't see this changing any time soon. Probably until companies are forced to disclose *how* they were breached and, after that, the first successful class action suit from people who's data was stolen via an exploit that should have been patched years back.

      Not holding my breath mind you...

    3. Dan 55 Silver badge

      Re: No, not really child's play

      Can somebody tell me why SAP is popular, apart from it being reassuringly expensive?

      1. Rob Moss

        Re: No, not really child's play

        Used correctly, it's magnificent, especially in larger companies. If you're a major supermarket, having a programme which complies with all known EDI standards for electronic tender agreements probably saves you the upfront and maintenance cost of SAP in year one. Sure, there are competitors, but there are reasons why SAP is reassuringly expensive - it's because you can get rid of 90% of your staff if you use it "properly".

        Of course, few companies ever get that far.

  3. Anonymous Coward
    Anonymous Coward

    If you've chosen SAP...

    ...then you have no sympathy from me.

    However, if you're forced to use it, then you do.

    1. Anonymous Coward
      Anonymous Coward

      Re: If you've chosen SAP...

      Choose no life. Choose sysadminning. Choose no career. Choose no family. Choose a fucking big computer, choose hard disks the size of washing machines, old cars, CD ROM writers and electrical coffee makers. Choose no sleep, high caffeine and mental insurance. Choose fixed interest car loans. Choose a rented shoebox. Choose no friends. Choose black jeans and matching combat boots. Choose a swivel chair for your office in a range of fucking fabrics. Choose NNTP and wondering why the fuck you're logged on on a Sunday morning. Choose sitting in that chair looking at mind-numbing, spirit-crushing web sites, stuffing fucking junk food into your mouth. Choose rotting away at the end of it all, pishing your last on some miserable newsgroup, nothing more than an embarrassment the selfish, fucked up lusers Gates spawned to replace the computer-literate.

      Choose your future. Choose sysadmining

      Alternatively, chose a RangeRover, a house in the banker quarter in St Albans and a 1000£ suit and pretend to be an ERP software consultant.

      1. Dadmin
        FAIL

        Re: If you've chosen SAP...

        HA! Words from the "failed sysadmin." Nice!

        Solaris paid for my house. Linux bought me a drop-top Audi. You mileage has varied. Reset yourself and try again. Try Starbucks Barista... it's probably more your level of work.

        1. Anonymous Coward
          Anonymous Coward

          Re: If you've chosen SAP...

          Linux bought me a drop-top Audi.

          Windows would have bought you a Ferrari.

  4. LaunchpadBS
    Facepalm

    Yet another successful SAP implementation

    :FACEPALM:

    1. xchknfrmr

      Re: Yet another successful SAP implementation

      "Successful SAP implementation" is an oxymoron.

  5. herman Silver badge

    It is not that bad - these 36 could have used Oracle.

  6. JeffyPoooh
    Pint

    "...idiots..." & "...running SAP..."

    The word "idiots" is redundant. It's inherent in "...running SAP...".

  7. Anonymous Coward
    Anonymous Coward

    Should have used Cloud

    SAP software solutions as a service, or SSSAAS for short.

  8. Anonymous Coward
    Anonymous Coward

    Honeypots?

    Which or all are being used as honeypots to track the baddies?

  9. The March Hare
    FAIL

    Patching Policy

    Given that these companies have had 6 years to patch their SAP estate and failed - what else have they not patched?

    Can't believe they said "Oh, SAP is too hard - but we did everything else!"

  10. Duffaboy
    Trollface

    emperor's new clothes

    Another Hip program or O/S which most likely won't be around in the near future.

    Novell Netware

    O/S 2

    Lotus Notes

    etc...

    1. CrazyOldCatMan Silver badge

      Re: emperor's new clothes

      > O/S 2

      OS/2 was *never* 'hip' (or froody). It was, however, reassuringly solid in a distictly unassuming way.

      I liked OS/2. Used it at work then at home.

    2. Gene Cash Silver badge

      Re: emperor's new clothes

      I see you've never actually used OS/2, which was quite the battleship.

      Novell Netware, OTOH, had such bad security holes, I found 3 "gets ya supervisor" during a weekend look through their API docs. Stuff was designed with holes in it.

      EDIT: and I'll never forget when Drew Major came to our uni and syscon kept flashing "PLEASE WAIT" while pulling up the user list.

      "How many users you have?"

      "Oh about 3500 on this server"

      "Whups, I put a bubble sort in there, that's why it's so low. Never expected that many"

      Our Data Structures & Order Analysis instructor was there. The *look* on his face...

  11. EJ

    Having done battle with patching in an enterprise environment for years, it's very understandable why this would have been missed. My security team is always ready to demand patching ASAP, but the admins and customer support are always on about "up time", "reliability & availability", "regression testing", and other non-sensical terms. Enough with the hand wringing... Just patch the damn stuff and let God sort it out, I tell them.

  12. Dadmin
    Go

    No worries, they will ALL be learning how to patch their shit soon enough. No need to list who they are, finding them is now trivial; they are outward facing web-craps with known ports. They are being scanned while I'm typing this. Now, for these brain-trust sites, finding they are compromised is another kettle of fish entirely. They might not find out for some years, or six, or more. You are absolutely correct in saying that uptime trounces security, when the morons making the (bad) decisions are not yet hacked. Give the security community time, these idiots will be found, hacked, and hung out to dry in some dark Internet back-alley. And I say; go hackers, go! This is the ONLY way to teach them "the lesson." The ONLY way.

    They have been advised, they have been warned. Now, it's time to break-in and say Hello, World!

  13. Anonymous Coward
    Anonymous Coward

    Enumerating is nice.

    Why not name them so someone at the affected companies can bring some pressure to bear on their IT Staff?

    1. Mark 85 Silver badge

      Why not name them so someone at the affected companies can bring some pressure to bear on their IT Staff?

      Double-edged sword obviously. It also gives the bad guys a heads-up on who's left the backdoor unlocked. They can probably exploit it faster than the company can patch.

      I would hope that the companies were at least notified...

  14. a_yank_lurker Silver badge

    6 Years?

    I can understand some delay between patch release and updating of a few weeks or a couple of months but 6 years. That is inexcusable.

    1. Rob Moss

      Re: 6 Years?

      Patch a SAP system for a customer and avoid getting sued and make a profit and then come back and tell me 6 years is inexcusable.

      The first thing you need when patching SAP is to be brave.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

Biting the hand that feeds IT © 1998–2022