Slashdot Mirror


Scores of Vulnerable SAP Deployments Uncovered

mask.of.sanity writes "Hundreds of organizations have been detected running dangerously vulnerable versions of SAP that were more than seven years old, and thousands more have placed their critical data at risk by exposing SAP applications to the public Internet. The new research found the SAP services were inadvertently made accessible thanks to a common misconception that SAP systems were not publicly facing or remotely accessible. The SAP services contained dangerous vulnerabilities that have since been patched by the vendor, but the patches had not been applied."

11 of 118 comments

  1. I can explain by slashmydots · Score: 5, Insightful

    As head IT manager, I can definitely explain this. The company approves a software suite that's seemingly "perfect" for 150% of the anticipated budget. They really couldn't afford it in the first place, so they already cut the support and upgrade path subscription. Then they never approve the absurdly high renewal/upgrade cost the next year and the next year and the next year, and tada, you've got an outdated, insecure piece of crap.
    When you buy a software suite, make sure you have the money to support it in the long term! It's all about the TCO!

    1. Re:I can explain by Scutter · Score: 4, Insightful

      When it's all overhead, maintenance fees are a very attractive number for the budget-cut knife.

      --

      "Tell me doctor, with all of your defenses, are there any provisions for an attack by killer bees?"
    2. Re:I can explain by sjwt · Score: 4, Interesting

      I can also explain. Having gone through an SAP implementation 2 years ago, we were still plagued with bugs that had fixes issued over 4 years ago.

      Seems they somehow didn't install fully patched, updated modules, and with a yearly renewal/upgrade cost it all makes sense now.

      --
      You have 5 Moderator Points!
      Which Helpless Linux zealot/MS basher do you want to mod down today?
    3. Re:I can explain by Flere+Imsaho · Score: 5, Funny

      SAP - Send Another Payment, or, Sucks All Profit

      --
      It gripped her hand gently. 'Regret is for humans,' it said.
    4. Re:I can explain by Anonymous Coward · Score: 5, Funny

      Chuckle. I used to work at a place that gave all their database stuff, all their letters and form documents, to an outside SAP vendor.

      One of the people who did interviewing later wanted one of his standard letters -- emailed as a PDF routinely -- to have yellow highlighting applied to an important sentence. He asked the vendor to make that change.

      The vendor came back with a proposed work order for six hours of programmer time at $200/hour to make that change.

      (My coworker printed that page, got a highlighter, highlighted the text, scanned it, and emailed that image thereafter.)

  2. Color me surprised... by Anonymous Coward · Score: 4, Funny

    I once heard SAP described as "Germany's way of getting back at us for winning the war." I've spent my fair share of time beating the SAP abomination into submission. I'll be glad if this makes organizations think twice before allowing this atrocity to sink its teeth into their business processes.

    1. Re:Color me surprised... by cusco · Score: 4, Insightful

      If you ever have to deal with their software you'll eventually realize that they don't understand it either.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  3. No problem... by jd2112 · Score: 4, Insightful

    Nothing that a multi-year multi-million dollar project doomed to run obscenely over budget and schedule can't fix.

    --
    Any insufficiently advanced magic is indistinguishable from technology.
  4. So.... by wbr1 · Score: 4, Funny

    Their IT departments are full of saps?

    ba-dum-dam

    Thanks, I'll be here all night.

    --
    Silence is a state of mime.
  5. How do you explain by Anonymous Coward · Score: 4, Insightful

    And how do you, as head IT manager, explain why they are public facing? This is the sort of ineptitude that I expect from people running Linksys routers as firewalls and from Mom & Pop shops. I expect more from the head IT manager at a company that spent a quarter of a million dollars on ERP licensing alone. It's one thing to claim training and upgrade budget cuts, but it's another thing entirely to open your firewall to insecure services.

    The problem described in the article is far from a new issue. But it is a problem that should not be occurring at the level of these enterprises.

  6. Re:Law should require transparency by cusco · Score: 4, Informative

    Or, my particular headache: you run a 24x7x365 enterprise app distributed across 18 different countries on every continent but Antarctica. We're two years behind on updates because we can't take the system down for an hour.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin