Security Issues in SAP’s Cloud-Based Products

On Monday, May the 4th, SAP announced that it is fixing several security problems found in its cloud products.

The German company identified the issues during an internal audit and has already begun eliminating all discovered vulnerabilities.

Security fixes are on their way

Information about the nature of the security problems has not been made public. In a post published on May the 5th, an SAP representative says that fixing the issues “will largely be completed in the second quarter 2020.” Let’s hope this time frame is acceptable: it is not clear what the nature of the vulnerabilities is or how fast hackers may find and exploit them, and the threat landscape is changing rapidly.

Impacted products include:

  • SAP Concur
  • SAP SuccessFactors
  • SAP/CallidusCloud Commissions
  • SAP/CallidusCloud CPQ
  • SAP C4C/Sales Cloud
  • SAP Cloud Platform
  • SAP Analytics Cloud.

This list is very impressive: plenty of businesses use these tools. Some of the products and the corresponding infrastructure were bought over the years, and SAP paid enormous sums for them, billions of dollars.

By acquiring new platforms, SAP inherited their potential vulnerabilities and bugs. Now it has to bring them in line with present IT security standards.

SAP customers will be contacted

It is projected that about 9% of SAP’s 440,000 clients are affected by these vulnerabilities. All of them are going to be informed of the potential risk. SAP will assist in solving all corresponding problems.

SAP’s internal review is not over yet. At the same time, the company does not think that client data has been breached as a result of the above-mentioned vulnerabilities.

The advisory says: “In an effort to ensure that the affected products meet relevant terms and conditions and in addition to technical remediation, SAP has decided to update its security-related terms and conditions. These remain in line with market peers.”

Current security updates are not anticipated to influence the company’s finances in 2020.


About the author:

My name is David Balaban. I am a computer security researcher with over 17 years of experience in malware analysis and antivirus software. I run and SAP community needs and wants great content on topics I am good at, like infosec, IoT, blockchain. I wish to share my knowledge and experience here and connect with people who I might never have had any contact with otherwise.