back to article SAP fixes gaping authentication bypass flaw after 3 YEARS

A critical SAP vulnerability stayed unpatched for three years prior to its resolution this week, according to application security specialists. SAP monthly security updates issued on Tuesday addressed a total of 48 vulnerabilities, among them an authentication bypass vulnerability in a service called P4. The service provides …

  1. asdf

    wow

    SAP is now basically mission critical to our way of life (ok not you country boy can survive in your bunker). The next big war won't just be on CNN (if you can even get it what with our decrepit power infrastructure and security as an afterthought SCADA begging to be taken out) with the homeland safe.

  2. Roo
    Windows

    Take all their money and their source code.

    I distinctly recall being told that Open Source (that worked vs vendor stuff that didn't) was not an option because there was no vendor to sue or coerce into fixing the code. Presumably we'll see SAP litigated to death and the source code distributed to the customers in lieu of working product... Naaaaaaaaaaaaah.

  3. Wedgie

    A fair bit of hyperbole here. The authentication bug was for an information service & the info that can be gained isn't particularly useful, certainly not a critical prior and not classified by SAP as such.

    With regard to giving code to customers - in general it is (with a few exceptions). While it's not open source, it is available to anyone with an SAP system - a lot of customers & partners.

    1. Trixr

      “Scanning conducted by our researchers revealed that there are at least 256 vulnerable services accessible online,”

      So who is correct? You, or the researchers?

      1. Wedgie

        I'm not disputing that there are 256-odd systems discoverable with that service.

        It has been a slow news month for SAP with regard to reporting security bugs and for the article (not the vendor) to say it is critical is simply not the case. It relates to information disclosure which at worst, could be used to support an attack to be crafted.

    2. Roo
      Windows

      "The authentication bug was for an information service & the info that can be gained isn't particularly useful, certainly not a critical prior and not classified by SAP as such."

      1) The flaw was *re-introduced* which tells you that SAP are failing to use regression tests to verify that vulns stay fixed. This is a basic process problem that is *likely* to afflict every release of every product they produce.

      2) Authentication bypasses give an attacker a platform to launch further attacks within a "trusted" domain, this is not a good thing.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021