BI and big exploit headlines
It seems like every time I open up my RSS feed lately, I’m greeted with a large number of blog posts on yet another exploit being discovered. Off the top of my head, the big ones that come to mind are Heartbleed, POODLE, FREAK – I could go on but I’m sure you’re all too aware of these.
When these vulnerabilities are announced, my team will get a number of customers raising incidents with questions related to these types of vulnerabilities and the impact on their SAP BusinessObjects BI system.
These types of incidents are usually quite different from vulnerabilities identified as a result of a formal penetration test or a security scan. I will go over how to effectively raise an issue with SAP Support to deal with any vulnerabilities you may have uncovered in a future blog post. For now I would like to draw attention to the following Knowledge Base Articles (KBAs)* that have been the most popular in 2014 and 2015 so far (in no particular order):
POODLE
- 2128924 – How to overcome POODLE vulnerability (CVE-2014-3566) detected in SAP BI 4.1 using Tomcat.
- 2083444 – Impact of the POODLE (CVE-2014-3566) vulnerability on SAP BusinessObjects software
- 2117322 – SAP BusinessObjects WACS is vulnerable to POODLE (CVE-2014-3566)
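The POODLE KBAs above cover the BI 4.1 Tomcat deployment and WACS; the KBAs themselves are the authoritative fix instructions. As an added illustration that is not taken from those KBAs or from SAP's shipped configuration, the snippet below shows what the underlying change looks like in a Tomcat JSSE HTTPS connector: POODLE (CVE-2014-3566) only affects SSLv3, so the connector is restricted to the TLS protocol versions. The keystore path, password and port are placeholders, and the "before" connector is constructed to show the default where the protocol list is not pinned.

```xml
<!-- Added example, not from the SAP KBAs or from a shipped server.xml.
     Before: no sslEnabledProtocols attribute, so the JSSE connector
     negotiates whatever the JVM enables by default, which on older
     Java releases still included SSLv3 (the protocol POODLE exploits). -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"      <!-- placeholder -->
           keystorePass="CHANGE_ME"                  <!-- placeholder -->
           clientAuth="false" sslProtocol="TLS" />

<!-- After: pin the negotiable protocol versions explicitly so SSLv3
     (and SSLv2) can never be selected, regardless of JVM defaults.
     Drop TLSv1/TLSv1.1 as well once all BI clients support TLSv1.2. -->
<Connector port="8443" protocol="org.apache.coyote.http11.Http11Protocol"
           SSLEnabled="true" scheme="https" secure="true"
           keystoreFile="/path/to/keystore.jks"      <!-- placeholder -->
           keystorePass="CHANGE_ME"                  <!-- placeholder -->
           clientAuth="false" sslProtocol="TLS"
           sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2" />
```

After restarting Tomcat, verify the change from a client rather than trusting the file: a TLS scanner or an `openssl s_client -ssl3` connection attempt against port 8443 should be refused, and the same check should be repeated against the WACS port, since KBA 2117322 notes that WACS is a separate listener with its own SSL settings.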
HeartBleed & OpenSSL
- 2042662 – The impact of an OpenSSL vulnerability (CVE-2014-0224) on SAP BusinessObjects XI 3.1 and Business Intelligence 4.0/4.1
- 2003582 – The impact of Heartbleed (CVE-2014-0160) on SAP BusinessObjects Xi3.1 and Business Intelligence products 4/4.1
VGX.DLL
Other
- 2152785 – Default CMS port shared by Trojan virus
- 2135951 – Unrestricted File Upload vulnerability (CVE-2013-4444) and the impact on BI 4.1
I’d love to hear from you! My aim is to bring clarity and transparency around security issues and how they impact the BI platform. If you have any suggestions on what kind of content you’d like to see or questions on this topic, please leave a comment below or send me a direct message through SCN.
*Please note that these KBAs are available to our customers only, and a valid account is required. Please contact your SAP Super-Admin for access or contact our GSCI team.
Thanks for this, very timely, and a frequently asked question 🙂
Hi Jennifer - great information/work - by informing our customers you can reduce the number of incidents. Please don't forget to pass on info to help in our internal SAP White Hat hacking initiative - or come join in the virtual team! We want to improve our automated scanners to detect a wider range of potential issues long before they make it into the field.