A reportedly serious security bug affecting the J2EE (Java 2 Platform Enterprise Edition) engine in SAP’s NetWeaver middleware will be patched soon, SAP said Friday.
NetWeaver underpins SAP’s range of enterprise software, including its flagship Business Suite ERP (enterprise resource planning) product. The bug was discussed by security researcher and ERPScan CTO Alexander Polyakov during a presentation at the Black Hat security conference in Las Vegas on Thursday.
The vulnerability makes it possible to crack SAP systems over the Internet by circumventing authorization checks, Polyakov wrote in a blog post before the conference. “For example, it is possible to create a user and assign him to the administrators group using two unauthorised requests to the system.”
The attack also works against systems protected by two-factor authentication that combines a secret key with a password, he added. ERPScan is making a tool that can detect the problem available at no charge.
“SAP is working closely with Alexander Polyakov on this issue,” SAP spokesman Andy Kendzie said in a statement Friday. “SAP will deliver a patch to its customers shortly.”
The patch will come as part of a regular security update, and not an out-of-cycle emergency fix, he added.
The news comes shortly after Oracle’s release of Java SE 7. The language update shipped with bugs that Oracle engineers knew about prior to the release, a move met with serious consternation from some critics. Oracle plans to fix the bug in an update.