SAP Unveils On-Demand Business Intelligence Toolset

SAP, which acquired Business Objects in early 2008, already offers hosted versions of its business intelligence tools. But the new software is SAP’s first real multi-tenant, Software-as-a-Service business intelligence application, said James Thomas, vice president of product management for SAP business intelligence tools.

SAP BusinessObjects BI OnDemand ties together the vendor’s business intelligence software portfolio into a SaaS package using the BusinessObjects Explorer tool for searching and visualizing large data sets. Thomas said companies that deploy the service could expand the number of employees, particularly those in customer-facing jobs, who use business intelligence.

The new software provides opportunities for SAP channel partners as well. Solution providers can expand their sales to existing customers, as well as use the product to attract new customers — especially SMBs, said Anil Chitkara, senior vice president of market development at Oco, an SAP channel partner.

“The sweet spot for on-demand business intelligence is really in the midmarket and upper-midmarket,” he said. Oco will combine its pre-built industry and line-of-business analytic applications with SAP BusinessObjects BI OnDemand.

Chitkara called the new SAP software the first “enterprise-quality SaaS” product from a leading business intelligence vendor and said it provides channel partners more opportunities to develop value-added services. One example: Helping clients connect on-premise and cloud-based systems. “Customers have more power to integrate the data,” he said.

SAP is “really making VARs the primary sales channel for this product,” Thomas said, noting that all SAP PartnerEdge program members are eligible to sell the new on-demand product.

A free version of the on-demand software, with limited scalability, is available from SAP today, Thomas said. Later this quarter an Essential Edition that works with on-premise data will be available followed by an Advanced Edition that works with both on-premise and on-demand data.

SAP BusinessObjects BI platform can be accessed remotely

A critical authentication vulnerability allows hackers to remotely break into and fully compromise the SAP BusinessObjects Business Intelligence platform. The ERP and cloud giant has since fixed this issue along with 16 other vulnerabilities.

According to SAP’s monthly security release, this critical vulnerability allows hackers to compromise the SAP BusinessObjects BI suite remotely. For affected companies, this has a huge impact on their reliability, integrity and availability, according to SAP.

This affects the platform’s versions 430 and 440. More specifically, the critical vulnerability, CVE-2024-41730, is a “missing authentication check” bug. When Single Sign-On for Enterprise authentication is enabled within the SAP BusinessObjects BI platform, hackers can obtain a login token using a REST-based endpoint. Hackers can then fully penetrate and compromise the system.

Second critical vulnerability

In addition to this vulnerability, another critical flaw, CVE-2024-29415, has been found in SAP systems. This is a server-side request forgery flaw in SAP Build Apps older than version 4.11.130.

It involves a vulnerability in the IP package for Node.js, which checks whether a specific IP address is public or private. Because of the flaw, the IP address “127.0.0.1” is sometimes incorrectly recognized as a public and globally routable address.

Fourteen other vulnerabilities fixed

In addition to these two critical vulnerabilities, SAP also released fixes for quite a few others. These include vulnerabilities found in the SAP BEx Web Java Runtime Export Web Service, SAP S/4HANA, SAP NetWeaver AS Java, and SAP Commerce Cloud, among others.

The ERP and cloud giant calls on its solutions’ users to install the patches immediately.

SAP Releases Security Patch for 17 Vulnerabilities Including ‘Missing Authentication Check’ Bug

SAP has rolled out a critical security update addressing 17 vulnerabilities, including two high-severity flaws that could potentially lead to severe consequences for organizations. The most critical issue, CVE-2024-41730, could allow unauthorized access to SAP BusinessObjects Business Intelligence Platform systems.

Critical Authentication Bypass Vulnerability

One of the most concerning issues resolved in this patch is the critical vulnerability tracked as CVE-2024-41730. This flaw, rated 9.8 on the CVSS v3.1 scale, is classified as a “missing authentication check” bug.

It impacts SAP BusinessObjects Business Intelligence Platform versions 430 and 440, and under specific conditions, it can be exploited by remote attackers.

If Single Sign-On (SSO) is enabled on Enterprise authentication, an unauthorized user could obtain a logon token using a REST endpoint, effectively bypassing authentication and gaining full access to the system. This vulnerability could potentially expose sensitive data and critical business operations to malicious actors.

Server-Side Request Forgery in SAP Build Apps

According to Bleeping Computer, another critical issue addressed in this update is CVE-2024-29415, a server-side request forgery (SSRF) flaw found in SAP Build Apps versions older than 4.11.130. With a CVSS v3.1 score of 9.1, this vulnerability poses a significant threat to SAP applications.

The flaw arises from a weakness in the ‘IP’ package for Node.js, which incorrectly identifies the IP address ‘127.0.0.1’ as public and globally routable when expressed in octal notation. This incorrect classification can allow attackers to manipulate IP addresses, leading to unauthorized access and potential exploitation of the system.

This vulnerability is a result of an incomplete fix for a similar issue, CVE-2023-42282, which left some cases vulnerable to exploitation.
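
The misclassification described above, as an added example (not code from the article, SAP, or the ‘IP’ package): a constructed prefix-matching check next to a guard that first normalizes the literal with inet_aton-style rules and fails closed on anything malformed. It covers IPv4 literals only; all function names and sample inputs are constructed for illustration, and hostnames would still need to be resolved and the resolved address checked.

```javascript
// Constructed naive check (NOT the `ip` package's code): matches dotted-decimal
// prefixes only, so an octal spelling of loopback passes as "public".
function naiveIsPublic(host) {
  return !/^(10|127)\.|^192\.168\.|^169\.254\.|^172\.(1[6-9]|2\d|3[01])\./.test(host);
}

// One inet_aton-style component: 0x.. is hex, a leading 0 is octal, else decimal.
function parsePart(part) {
  if (/^0x[0-9a-f]+$/i.test(part)) return parseInt(part, 16);
  if (/^0[0-7]*$/.test(part)) return parseInt(part, 8);
  if (/^[1-9][0-9]*$/.test(part)) return parseInt(part, 10);
  return NaN; // empty, "08", signs, whitespace: reject rather than guess
}

// 1- to 4-part IPv4 literal -> unsigned 32-bit integer, or null if malformed.
function ipv4ToInt(literal) {
  const nums = String(literal).split('.').map(parsePart);
  if (nums.length > 4 || nums.some(Number.isNaN)) return null;
  const last = nums.pop(); // the final part fills all remaining bytes
  if (nums.some((n) => n > 0xff) || last > 2 ** (8 * (4 - nums.length)) - 1) return null;
  return nums.reduce((acc, n, i) => acc + n * 2 ** (8 * (3 - i)), last);
}

// Dotted-quad form to hand to the HTTP client, so the check and the use agree.
function canonicalIPv4(literal) {
  const v = ipv4ToInt(literal);
  if (v === null) return null;
  return [24, 16, 8, 0].map((s) => Math.floor(v / 2 ** s) % 256).join('.');
}

// Special-purpose IPv4 blocks that an outbound fetcher should not reach.
const BLOCKED = [
  ['0.0.0.0', 8], ['10.0.0.0', 8], ['100.64.0.0', 10], ['127.0.0.0', 8],
  ['169.254.0.0', 16], ['172.16.0.0', 12], ['192.0.0.0', 24], ['192.0.2.0', 24],
  ['192.168.0.0', 16], ['198.18.0.0', 15], ['198.51.100.0', 24],
  ['203.0.113.0', 24], ['224.0.0.0', 3],
].map(([base, bits]) => ({ start: ipv4ToInt(base), size: 2 ** (32 - bits) }));

// Fail closed: anything that is not a well-formed IPv4 literal is not public.
function isPublicIPv4(literal) {
  const v = ipv4ToInt(literal);
  if (v === null) return false;
  return !BLOCKED.some((r) => v >= r.start && v < r.start + r.size);
}

// Constructed sample inputs: loopback in octal, loopback in decimal, a public
// address, and a malformed literal.
function demo() {
  return ['0177.0.0.1', '127.0.0.1', '8.8.8.8', '08.0.0.1'].map((h) => ({
    host: h, naive: naiveIsPublic(h), canonical: canonicalIPv4(h), guarded: isPublicIPv4(h),
  }));
}

console.table(demo());
```

Passing the canonical dotted-quad form, rather than the original string, to the component that opens the connection keeps the validator and the network stack from interpreting the same literal differently.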

High-Severity Vulnerabilities in SAP Products

In addition to the critical vulnerabilities, SAP’s August 2024 security bulletin also addresses several high-severity issues, with CVSS v3.1 scores ranging from 7.4 to 8.2. These include:

CVE-2024-42374: An XML injection vulnerability in SAP BEx Web Java Runtime Export Web Service, affecting versions BI-BASE-E 7.5, BI-BASE-B 7.5, BI-IBC 7.5, BI-BASE-S 7.5, and BIWEBAPP 7.5.

CVE-2023-30533: A prototype pollution flaw in SAP S/4HANA’s Manage Supply Protection module, impacting library versions of SheetJS CE below 0.19.3.

CVE-2024-34688: A Denial of Service (DoS) vulnerability in SAP NetWeaver AS Java, specifically targeting the Meta Model Repository component version MMR_SERVER 7.5.

CVE-2024-33003: An information disclosure issue in SAP Commerce Cloud, affecting versions HY_COM 1808, 1811, 1905, 2005, 2105, 2011, 2205, and COM_CLOUD 2211.

The Importance of Timely Updates

Given SAP’s status as the world’s largest ERP vendor, with its products being used by over 90% of the Forbes Global 2000 companies, these vulnerabilities represent a significant security risk.

Hackers are continually searching for critical flaws that allow them to access corporate networks, and unpatched systems are prime targets. The urgency of applying these updates cannot be overstated.

In February 2022, the US Cybersecurity and Infrastructure Security Agency (CISA) issued a strong warning, urging administrators to patch severe vulnerabilities in SAP applications to prevent data breaches, ransomware attacks, and disruptions to vital business operations.

Between June 2020 and March 2021, threat actors exploited unpatched SAP systems in over 300 documented cases, infiltrating corporate networks and causing significant damage.

To protect against such threats, it is crucial for organizations to stay updated with SAP’s security patches and apply them promptly.

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.

SAP patches critical bugs allowing full system compromise

Of the two critical vulnerabilities addressed in the patch day, the more severe is an authentication bypass flaw (CVE-2024-41730) with a CVSS score of 9.8/10 affecting SAP’s BusinessObjects business intelligence platform, while the other is a server-side request forgery (SSRF) vulnerability in applications built with SAP Build Apps.

CVE-2024-41730, as described by SAP, stems from a missing authentication check in the SAP BusinessObjects business intelligence platform. “In SAP BusinessObjects Business Intelligence Platform, if Single Signed On is enabled on Enterprise authentication, an unauthorized user can get a logon token using a REST endpoint,” the ERP vendor said in a security advisory.

The attacker can fully compromise the system resulting in a high impact on confidentiality, integrity, and availability, SAP added.
