Onapsis discovered Vulnerability-related.DiscoverVulnerability several high risk vulnerabilities affecting Vulnerability-related.DiscoverVulnerability SAP HANA platforms . If exploited Vulnerability-related.DiscoverVulnerability , these vulnerabilities would allow an attacker , whether inside or outside the organization , to take full control of the SAP HANA platform remotely , without the need of a username and password . “ This level of access would allow an attacker to perform any action Attack.Databreach over the business information and processes supported by HANA , including creating , stealing Attack.Databreach , altering , and/or deleting sensitive information . If these vulnerabilities are exploited Vulnerability-related.DiscoverVulnerability , organizations may face severe business consequences , ” said Sebastian Bortnik , Head of Research , Onapsis . The vulnerabilities affect Vulnerability-related.DiscoverVulnerability a specific SAP HANA component named SAP HANA User Self Service , which is not enabled by default . The following list details the affected HANA 2 and HANA versions : “ We hope organizations will use this threat intelligence to assess their systems and confirm that they are not currently using this component , and therefore are not affected by these risks . Even if the service is not enabled , we still recommend that these organizations apply Vulnerability-related.PatchVulnerability the patches in case a change is made to the system in the future , ” continued Bortnik . Onapsis Research Labs originally discovered Vulnerability-related.DiscoverVulnerability the vulnerabilities on the newly released SAP HANA 2 platform , but after additional analysis realized that several older versions were vulnerable Vulnerability-related.DiscoverVulnerability as well . Based on this assessment , it was identified Vulnerability-related.DiscoverVulnerability that the vulnerabilities had been present Vulnerability-related.DiscoverVulnerability in HANA for almost two and a half years , when the User Self Service component was first released . This greatly increases the likelihood that these vulnerabilities have been discovered Vulnerability-related.DiscoverVulnerability by attackers to break into organization ’ s SAP systems . Onapsis worked closely with SAP ’ s Product Security & Engineering teams to help them develop Vulnerability-related.PatchVulnerability the security patches . SAP is releasing the first ever patch for SAP HANA 2 . In this case , default installations are affected and an attacker can elevate privileges if exploited

Several developments this week recentered the security spotlight on some of the enterprise 's most critical business systems as cybersecurity experts deal with the reality that enterprise resource planning ( ERP ) software needs heightened attention . On the vulnerability front , SAP this week patched Vulnerability-related.PatchVulnerability a new , highly critical vulnerability for SAP HANA with one of the highest severity ratings available . Meanwhile , a new survey report shows that security professionals are finally waking up to the fact that attackers are looking to leverage vulnerabilities like these , with indicated expectations of increased ERP attacks in the near future . SAP HANA is an in-memory data platform used by enterprises to crunch data from across their business software stacks . Organizations use it to perform advanced analytics that inform critical business processes and fuel innovative applications , and as such it contains some of the most sensitive data pertaining to customers , business processes and intellectual property . The major vulnerability was discovered Vulnerability-related.DiscoverVulnerability by ERP security firm Onapsis in SAP HANA 's User Self-Service component and scored a CVSS vulnerability rating of 9.8 , garnering a Hot News designation in this month 's SAP Security Notes . If exploited , it would allow full remote compromise without access to any credentials . `` This level of access would allow an attacker to perform any action Attack.Databreach over the business information and processes supported by HANA , including creating , stealing Attack.Databreach , altering , and/or deleting sensitive information , '' says Sebastian Bortnik , head of research for Onapsis . SAP patched Vulnerability-related.PatchVulnerability the problem in this month 's round of SAP Security Notes , which included 35 vulnerabilities across its portfolio . Among them there were eight vulnerabilities with a high priority rating . Last year , the threats posed Vulnerability-related.DiscoverVulnerability by these vulnerabilities tipped over from the theoretical realm to one of documented reality when US-CERT released a report that warned of at least 36 organizations worldwide impacted by attacks that leveraged a vulnerability in SAP 's Invoker Servlet functionality running on SAP Java platforms . This week , a new report from Crowd Research Partners found that 89 % of security experts anticipate more attacks against ERP systems . Approximately 1 in 3 experts expect a significant increase in these attacks . As things stand , most enterprises are still dreadfully unprepared for any attacks , let alone an increased volume of them . A report last year from Ponemon Institute showed that more than half of enterprises admit it would take their firm a year or longer to detect a breach in the SAP platform .