
Critical SAP Bug Allows Full Enterprise System Takeover - LinuxBender
https://threatpost.com/critical-sap-bug-enterprise-system-takeover/157392/
======
janwillemb
Article has a lot of words. Summary:

A vulnerability in SAP Netweaver Java allows an unauthenticated attacker to
create a new SAP user with maximum privileges, bypassing all access and
authorization controls

------
kfarr
I feel like there's a joke somewhere in this, SAP takes over your whole
enterprise if you let it?

------
bt1a
Good luck updating that pile of dinosaur bones!

------
yabones
More info from the CISA bulletin: [https://us-cert.cisa.gov/ncas/alerts/aa20-195a](https://us-cert.cisa.gov/ncas/alerts/aa20-195a)

Also some on the SAP wiki:
[https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=5...](https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675)

Unfortunately, most of it appears to be locked behind a sign-in.

~~~
tourist_on_road
The irony

------
igetspam
SAP is garbage at security. I worked there for a month, after an acquisition.
In that time, I was given access to a system to control a cloud fleet, as a
demo. That was five years ago. I contacted them half a dozen times and told
them I still had access. I've reached out to multiple personal contacts, who
brought it up with IT and security. I check every few months. I can still nuke
or hijack that cloud today.

------
agustif
Nobody will get fired for buying IBM...

------
zurfer
Recently there was a list on HN that estimated prices for exploits. I wonder
how much this exploit would cost?

~~~
A_No_Name_Mouse
$25k-$50k now that a patch is available, according to
[https://vuldb.com/?id.157874](https://vuldb.com/?id.157874)

~~~
FDSGSG
vuldb numbers are bullshit though

