
Customers warned of critical SAP flaw

A flaw in SAP Internet Graphics Server can allow a hacker to gain user privileges and eventually access confidential SAP files, according to UK security firm Corsaire Ltd.

A critical flaw in SAP's Internet Graphics Server opens up SAP systems to remote hackers who can gain user privileges and access sensitive SAP files.


Martin O'Neal, a security consultant and director at U.K.-based security firm Corsaire Ltd, discovered the vulnerability during a routine assessment of a new SAP installation for a client.

O'Neal described the flaw as critical and said it is likely present in every live installation of SAP. The flaw was discovered on the Unix platform, but can likely be used to gain access on other platforms as well, O'Neal said.

"Once hacked, you can get a hold of any file on the file system," O'Neal said in an interview. "It's indicative of development issues -- the failure to understand fundamental problems with designing and building a Web server."

SAP released an advisory to customers urging them to upgrade the server to version 6.40 patch 11 or higher.

O'Neal said there are two workarounds. If a company needs the Web-based interface, it should upgrade the server, he said. An enterprise that does not need it can instead disable the HTTP interface, which removes the exposure entirely, he said.

The SAP Internet Graphics Server is used in conjunction with SAP R/3 software and renders graphics to a device-dependent format. It works in conjunction with SAP Business Warehouse queries to make interactive charts and reports using Web services to integrate with a variety of third-party products.

The flaw was discovered in March, and SAP has remained tight-lipped over the issue, refusing to speak with Corsaire or share information on a fix with the security firm, O'Neal said.


"We don't know the results of their investigations or if their fix remedies the problem," O'Neal said. "When we asked to see a copy of the advisory SAP sent to their own clients, they said we couldn't see it."

SAP spokesman Bill Wohl said SAP conducted a review process and wanted to wait until final testing of the patch was completed before making contact with Corsaire.

"We have just completed the last step in our process, which is to test the patch and make sure that it solves the issue," Wohl said. "It was only until testing was complete that we feel comfortable going back to the security service that discovered the issue."

Wohl also said the vulnerability allows initial access to configuration data of the operating system on which the SAP Internet Graphics Server runs. Actual R/3 data is not exposed, Wohl said. Very few SAP customers use the Internet Graphics Server, he said.

Wohl said SAP security bulletins to customers remain confidential to further protect SAP systems from attack. Details on the vulnerability are described in SAP Note 862169.


Hi Robert,

Greetings. Basically I'm a functionality testing person and a novice to SAP, but I have been asked to work on conducting basic security testing against our SAP implementation (HCM, FICO and MM modules already implemented since Sep 2016; new modules like BCM and SRM are in process now).

I have gone through this critical flaw. Kindly guide me on the takeaways from it in terms of the following:

Vulnerable source:

Mitigation plan and steps to conduct to confirm the non-existence of this flaw