With so many IT and supply chain management teams working from home in this COVID-19 period, and with the dual challenges of business and family, some readers may have missed an announcement from enterprise and ERP technology provider SAP SE earlier this month relative to cybersecurity.
That announcement indicates that the provider has identified that some of its cloud-based application platforms, mostly from prior acquisitions, “do not meet one or several contractually agreed data or statutory IT standards.”
According to this release, the affected products are limited to those of acquired entities:
SAP Success Factors
SAP/Callidus Cloud CPQ
SAP C4C/Sales Cloud
SAP Cloud Platform
SAP Analytics Cloud
The statement clarifies that the findings were not identified in response to a cyber security incident, and the company does not believe any customer data has been compromised as a result.
SAP intends to inform affected customers, estimated at 9 percent of its 440,000 customers, or over 39,000.
Further outlined is SAP’s declaration that remediation of identified areas of shortcomings will proceed expeditiously, with completion anticipated in the second quarter of 2020.
A blog posting by the organization SAPinsider makes mention of such cybersecurity gaps and advises SAP customers that receive notification to pass such information on expeditiously to their SAP system administrators for action.
We performed a Google search relative to this topic and came across an Activity Alert issued by the Cybersecurity & Infrastructure Security Agency (CISA), characterized as: “in response to recently disclosed exploits that target unsecure configurations of SAP components.” The vulnerabilities were apparently identified in April 2019, and the alert states: “Malicious cyber actors can attack and compromise these unsecure systems with publicly available exploit tools, termed ‘10KBLAZE.’” The document goes on to describe that if certain SAP Message Servers are not properly configured for external security, an attacker can access a Message Server and obtain internal credentials that can then be used to cause harm.
While the listed SAP Cloud platforms do not appear on the surface to have a direct impact on supply chain management business processes, we believed it was prudent to create awareness just the same, since hackers who gain access to one vulnerable system tend to have the capability to crawl further into connected systems.
We should further make note of the qualifier that the vulnerabilities were identified within applications acquired by SAP, since the company has continually communicated that any data security vulnerabilities in its internally developed applications have been patched in subsequent software updates.
© Copyright 2020, The Ferrari Consulting and Research Group and the Supply Chain Matters® blog. All rights reserved.