Layer Seven Security

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 6

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Check Managed System Configuration

The Cybersecurity Extension for SAP requires the completion of Managed System Configuration for each target system. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on Managed System Configuration in Cross Scenario Configuration. Highlight a relevant system in the Technical Systems tab and select Configure System – Full Configuration. Confirm the status of all steps in Managed System Configuration is green (completed). Follow the guided procedures for Managed System Configuration to perform steps that are red or yellow (incomplete).

The following Automatic and Manual Activities are not required in Finalize Configuration:

Setup Single Sign-On
Activate E2E Trace Upload Service
Introscope Host Adaptor
Apply Settings for EWA Monitoring
Byte Code Adaptor Installation (Java Systems)
Enable Remote R/3 Connection

The status of the steps Maintain Users, Finalize Configuration and Check Configuration can be yellow.

Repeat the steps for each target system.

Next: Check System Monitoring >>>

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 5

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Check Basic Configuration


The Cybersecurity Extension for SAP requires the completion of Basic Configuration in Mandatory Configuration. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on Basic Configuration in Cross Scenario Configuration – Mandatory Configuration. Confirm the status of all steps in Basic Configuration is green (completed). Follow the guided procedures for Basic Configuration to perform steps that are red or yellow (incomplete).

Next: Check Managed System Configuration >>>

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 4

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Check Infrastructure Preparation

The Cybersecurity Extension for SAP requires the completion of Infrastructure Preparation in Mandatory Configuration. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on Infrastructure Preparation in Cross Scenario Configuration – Mandatory Configuration. Confirm the status of all steps in Infrastructure Preparation is green (completed). Follow the guided procedures for Infrastructure Preparation to perform steps that are red or yellow (incomplete). Note, ISAGENT installation for Wiley Introscope and CA Introscope are not required.

Next: Check Basic Configuration >>>

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 3

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Check System Preparation

The Cybersecurity Extension for SAP requires the completion of System Preparation in Mandatory Configuration. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on System Preparation in Cross Scenario Configuration – Mandatory Configuration. Confirm the status of all steps in System Preparation is green (completed). Follow the guided procedures for System Preparation to perform steps that are red or yellow (incomplete).

Next: Check Infrastructure Preparation >>>

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 2

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Check Solution Manager version and support pack level

The Cybersecurity Extension for SAP requires SAP Solution version 7.2, support pack 10 or higher. To check the version and support pack level of your Solution Manager, logon to SAP Solution Manager using SAP GUI. Click on More > System > Status. Click on Details in SAP System Data. Confirm the component ST is Release 720 and SP-Level is 010 or higher. You will need to perform a support pack update if the SP level is lower than 10.

Next: Check System Preparation >>>

How to switch from Onapsis to the Cybersecurity Extension for SAP, Part 1

The Cybersecurity Extension for SAP provides an alternative to Onapsis for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of Onapsis. This guide will help you plan for the transition from Onapsis to the Cybersecurity Extension for SAP. Once you have transitioned from Onapsis, you can remove the Onapsis consoles and sensors from your SAP landscape, as well as the Onapsis users and addons in your SAP systems. 

Unlike Onapsis, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.

The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from Onapsis to the Cybersecurity Extension for SAP.

Next: Check Solution Manager version and support pack level >>>

SAP Security Notes, December 2022

Hot news notes 3267780 and 3273480 patch critical broken authentication vulnerabilities in SAP NetWeaver Application Server Java (AS Java). Threat actors can exploit the vulnerabilities to attach to an open interface exposed through JNDI by the Messaging System and User Defined Search (UDS) of SAP NetWeaver AS Java. Once attached, they can make use of an open naming and directory API to access services and read and modify sensitive information, execute SQL commands, and perform a denial of service. There are no workarounds for the vulnerabilities. The notes apply access control for the interface. After the implementation of the correction, full access to the interface will require UME role SAP_XI_ADMINISTRATOR_J2EE. Read and write access will require roles SAP_XI_CONFIGURATOR_J2EE and SAP_XI_DEVELOPER_J2EE. Read-only access can be provided using role NWA_READONLY.

Note 3239475 deals with a critical Server-Side Request Forgery vulnerability in SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability enables attackers with non-administrative privileges to upload/replace any file in the operating system of the Business Objects server, thereby taking full control of the system. Both the Central Management Console (CMC) and BI Launchpad (BILP) on BOBJ 4.2 and 4.3 are impacted.

Hot news note 3271523 patches a remote code execution vulnerability associated with Apache Commons Text in SAP Commerce, an open-source Java library that performs variable interpolation. Versions 1.5 – 1.9 of Apache Commons Text include interpolators that can be used to execute arbitrary code or connect with remote servers. The library should be updated to 1.10 to disable the vulnerable interpolators. Note 3271523 includes instructions for locating and updating the affected .jar files manually.

Securing the Journey to SAP S/4HANA

Earlier this month, Layer Seven Security released the new whitepaper Securing the Journey to SAP S/4HANA: A Security Framework for S/4HANA Migrations. The whitepaper provides a comprehensive guide to S/4HANA security to support the transition from SAP ERP to S/4HANA.

Mainstream maintenance for ERP will end in December 2027. Therefore, organizations must migrate to S/4HANA by the beginning of 2028. To date, only one third of organizations have migrated to S/4HANA. Therefore, the majority of SAP customers will be migrating over the next five years.

Security is one of the largest roadblocks to successful migrations. This is due to significant differences between ERP and S/4HANA that require the restructuring of access and technical controls. It is also due to concerns related to cloud security since almost 70% of organizations are electing to migrate to cloud-based S/4HANA installations. Other security concerns arise from the migration of custom SAP programs from ERP to S/4HANA. These programs often contain hidden and unresolved security vulnerabilities since they were never subject to in depth code vulnerability analysis.

The whitepaper includes detailed recommendations across twelve domains to deal with these and other security concerns and facilitate the smooth transition to S/4HANA. The recommendations are aligned to best practices in the SAP S/4HANA Security Guide. The whitepaper also includes guidance for automating pre and post go-live security checks for S/4HANA migrations using SAP Solution Manager and the Cybersecurity Extension for SAP.

SAP Security Notes, November 2022

Hot news note 3243924 for CVE-2022-41203 patches a critical vulnerability related to insecure deserialization of untrusted data in the Central Management Console (CMC) and BI Launchpad of SAP BusinessObjects Business Intelligence Platform (BOBJ). The vulnerability impacts versions 4.2 and 4.3 of BOBJ and can be exploited by threat actors to bypass authentication, inject malicious code, or provoke a denial of service. As a workaround, customers can first backup and then delete the files in the following folders of the Tomcat directory:

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_DestinationFormat

webapps\BOE\WEB-INF\eclipse\plugins\webpath.AnalyticalReporting\web\jsp\Webi_Format

The workaround disables the selection of the format in the creation of a Publication or a Schedule. It will cause a HTTP 404 page in the Format area when trying to schedule a document. This impacts the CMC only. There is no impact on the BI Launchpad.

Note 3256571 for CVE-2022-41214 addresses multiple high-risk directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by insufficient path validation that enables attackers to access remote-enabled function modules to read and delete restricted files in AS ABAP.

Note 3249990 deals with denial of service vulnerabilities in SQlite bundled with SAPUI5 that can be triggered by array-bounds overflow.

Securing Microsoft Platforms with the Cybersecurity Extension for SAP

SAP systems consist of multiple integrated technological layers. SAP solutions comprise the application layer. The application layer is supported by database and operating system layers. The layers are closely integrated to form a software ecosystem linked through several connections including trust relationships that bond the layers to form an SAP system. The layers are more tightly integrated in SAP HANA installations where application, database and OS functions can share physical resources.

Since SAP systems are comprised of multiple layers, security must be applied across all layers within a system. Threat actors can bypass secure SAP applications by targeting weaknesses at the database or OS level to compromise SAP systems. Ransomware, for example, can lead to a denial-of-service for SAP services by exploiting vulnerable operating systems. Application-level data protection mechanisms can be bypassed by exfiltrating data in SAP solutions directly from the database.

The need to secure databases and operating systems in SAP systems is more pressing when SAP applications are coupled with Microsoft platforms that are widely targeted by threat actors and suffer from a host of known vulnerabilities and exploits. The Cybersecurity Extension for SAP is the only security solution that secures all layers within SAP systems including databases and operating systems.

Together with over 2000 vulnerability checks for SAP solutions, the Cybersecurity Extension for SAP performs automated vulnerability scans for Microsoft SQL Server and Microsoft Server to detect more than 300 known security weaknesses in the platforms. This includes active vulnerable services that widen the attack surface for databases and hosts, authentication settings including password policies, file and table encryption, users with administrative privileges including system and user administration, the availability of standard users, logging and auditing, open ports and services, and host firewall settings.

The Cybersecurity Extension for SAP also monitors database and operating logs to detect indicators of compromise in Microsoft platforms and trigger alerts and email/ SMS notifications for security incidents. This includes system, role and user changes, direct access to user tables, changes to database schemas, user groups, scheduled tasks, stored procedures, passwords and firewall settings, failed logons including attempted remote logons, packets blocked by host firewalls, remote procedure calls, service activation, device and program installation, and changes to system auditing.