SAP disclosed two vulnerabilities in SAP NetWeaver Application Server JAVA (AS JAVA), including a critical flaw reported by the security firm Onapsis that could impact up to 40,000 enterprises. SAP NetWeaver is considered the “central foundation for the entire SAP software stack” and allows access to SAP data over Hypertext Transfer Protocol (HTTP). The critical vulnerability, dubbed “RECON” (Remotely Exploitable Code on NetWeaver), would give cybercriminals free rein over mission-critical applications, including Supply Chain Management (SCM) and Enterprise Resource Planning (ERP).
Below is a comment from Bob Huber, CSO at Tenable, who says that this is not purely a technical issue: potential regulatory issues also come into play, and the data compromised in an attack could have downstream effects.
“The SAP NetWeaver vulnerability, dubbed ‘RECON’ (Remotely Exploitable Code on NetWeaver), could impact over 40,000 enterprises globally and would give adversaries free rein over mission-critical applications, including Supply Chain Management (SCM) and Enterprise Resource Planning (ERP).
This is not purely a technical or IT issue. There are potential regulatory consequences – such as the Sarbanes-Oxley Act (SOX) and General Data Protection Regulation (GDPR) violations – and the data compromised in an attack could have downstream effects. This vulnerability would give cybercriminals access to highly sensitive and private data, with potential economic, physical and social consequences. This includes theft of IP and trade secrets, releasing fraudulent payments and modifying financial records.”
Bob Huber, CSO at Tenable, said: “Organisations should expect cybercriminals to quickly follow this money trail. This is not a matter of if, but when in-the-wild exploitation will begin. It’s critically important that organizations everywhere patch their systems immediately.”
Here is a link to the full analysis of the vulnerabilities by Tenable.