At Avantra, our customers trust us to keep their business operations based on SAP running smoothly. I have written in the past about the importance of SAP security, and how I believe that in the next few years, SAP risks becoming an attack vector for hackers.
It should come as no surprise that security is an area in which Avantra has invested significantly since I became CEO. This includes the toolchain for secure development principles, external penetration testing, and ISO 27001 compliance for Information Security Management.
From a practical perspective, this means that we are generally proactive when it comes to IT security, using tools such as snyk.io to check that each Avantra release does not contain known vulnerabilities.
Because our software is Java-based, we depend on a number of open source libraries, and with our processes in place we can normally keep on top of ensuring Avantra is secure. Dependency scanning is only as good as the vulnerability databases it draws on, though: it finds flaws that have already been published, and a newly disclosed flaw in a library almost every Java application uses is a different matter.
Severity of security vulnerabilities
The severity of a security vulnerability can be assessed on three axes, which map roughly onto the impact, exploitability and exposure components of scoring schemes such as CVSS.
First, there is the impact. Does the vulnerability allow full control of the system, or the ability to shut services down, or just to pop up a silly message when you log in?
Second is the ease of access. Can the system be attacked from the login screen, or does the attacker already need to be logged in? How esoteric is the attack vector?
Last is the number of systems exposed. Does it affect only a specific version that has already been patched, or all versions, and how widely is the software used?
In most cases, security vulnerabilities are not 10/10 on all three axes. They are often not too serious but easy to reach, or extremely serious but difficult to exploit. Log4Shell turned out to be the rare exception: unauthenticated remote code execution, triggered by any attacker-controlled string that reaches a log statement, in a library embedded in a very large share of Java software.
When CVE-2021-44228 (Log4Shell, in the Log4j 2 logging library) was first released, it didn't seem to be a big deal. Early reports suggested that it could only be exploited on older Java versions, and Avantra had moved most of our customers to a newer Java some releases ago, so we weren't overly concerned.
It was only later on Friday afternoon and early Saturday morning in Europe that it came to light that newer Java versions only block the most obvious exploitation path and the Java version didn't protect the application, and we released a workaround that secured the Avantra software.
Scaling the approach
But it was also clear that the workaround was not ideal, because it required work to be done on every system which has an Avantra agent installed. This is completely impractical for larger customers, so we quickly made the decision to provide new Avantra agents. Customers would still apply the workaround on the primary system, but roll out new agents to the very large number of systems they have under management.
We were less worried about the agents because we hadn't identified an attack vector for the Avantra agent, but we could not be sure that one did not exist.
The gift that keeps giving
By Wednesday it had become clear that the initial Log4j fix for CVE-2021-44228 was incomplete, and we had to release further fixes for CVE-2021-45046 and then CVE-2021-45105, which brings us to where we are today.
We also found that some customers have rapid security response teams, and some have very little response at all. This is challenging because we are worried about the possibility of a breach at all customers, not only those who have already patched.
This is my call to action to all customers: please read the security advisory emailed to customers today and check the version you are on, even if you upgraded last week.
We collect some basic application analytics including which version of Avantra you are running. So we will be in touch with you individually if you have not yet upgraded, to find your plans and help out if needed. We’re going to track this until every customer system has been patched.
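Checking the version is the part that matters most, because the workaround released at the weekend and the first upgrade do not cover all three CVEs. The script below is an added example, not Avantra's own tooling or the check described in the advisory. It walks a directory tree for log4j-core jars, reads the Log4j version from the jar manifest (falling back to the filename), reports which of CVE-2021-44228, CVE-2021-45046 and CVE-2021-45105 a jar of that version is affected by, and then accounts for the widely used JndiLookup-removal workaround, which closes the JNDI path behind the first two CVEs but not the recursive-lookup denial of service in CVE-2021-45105. The fixed versions (2.15.0, 2.16.0, 2.17.0) are for the Log4j 2.x Java 8 line; the 2.12.x and 2.3.x backport lines are not modelled. The jars built in demo() are constructed stand-ins, not real Log4j builds.

```python
# Added example (not Avantra's tooling): find log4j-core jars under a directory,
# read the Log4j version from each jar, and say which of the three CVEs in the
# text it is still exposed to, taking the JndiLookup-removal workaround into
# account. The sample jars built in demo() are constructed stand-ins.
import os
import re
import tempfile
import zipfile

# Log4j 2.x (Java 8+) release that fixed each CVE; earlier versions are affected.
# The 2.12.x (Java 7) and 2.3.x (Java 6) backport lines are not modelled here.
FIXED_IN = {
    "CVE-2021-44228": (2, 15, 0),
    "CVE-2021-45046": (2, 16, 0),
    "CVE-2021-45105": (2, 17, 0),
}
JNDI_LOOKUP = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """Return (major, minor, patch) from the first x.y.z in text, or None."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None


def inspect_jar(path):
    """Version from the manifest (falling back to the filename) and whether
    JndiLookup.class is still inside the jar."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        manifest = ""
        if "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", manifest, re.MULTILINE)
    version = parse_version(m.group(1)) if m else parse_version(os.path.basename(path))
    return version, JNDI_LOOKUP in names


def assess(path):
    version, has_jndi = inspect_jar(path)
    # Unknown version: assume the worst rather than silently passing the jar.
    affected = [cve for cve, fixed in FIXED_IN.items()
                if version is None or version < fixed]
    # Removing JndiLookup.class closes the JNDI path used by CVE-2021-44228 and
    # CVE-2021-45046, but CVE-2021-45105 (recursive lookup denial of service)
    # does not go through JndiLookup, so only an upgrade covers it.
    residual = [cve for cve in affected if has_jndi or cve == "CVE-2021-45105"]
    return {"jar": path, "version": version, "jndi_lookup_present": has_jndi,
            "affected_by_version": affected, "still_exposed": residual}


def scan(root):
    """Walk root and assess every log4j-core*.jar found, oldest version first."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            if re.fullmatch(r"log4j-core.*\.jar", name):
                findings.append(assess(os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: f["version"] or (0, 0, 0))


def make_sample_jar(path, version, include_jndi=True):
    """Constructed stand-in for a Log4j jar: a manifest plus an optional
    placeholder JndiLookup.class entry. Not a real Log4j build."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF",
                    f"Manifest-Version: 1.0\nImplementation-Version: {version}\n")
        if include_jndi:
            zf.writestr(JNDI_LOOKUP, b"\xca\xfe\xba\xbe")


def demo():
    """Three constructed jars: an old one with the workaround applied, the
    first (incomplete) fix with JndiLookup still present, and a fully fixed one
    in a subdirectory."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "lib"))
    make_sample_jar(os.path.join(root, "log4j-core-2.14.1.jar"), "2.14.1",
                    include_jndi=False)
    make_sample_jar(os.path.join(root, "log4j-core-2.15.0.jar"), "2.15.0")
    make_sample_jar(os.path.join(root, "lib", "log4j-core-2.17.0.jar"), "2.17.0")
    return scan(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

Run it against a real installation with scan("/path/to/install") instead of demo(). The 2.14.1 jar with JndiLookup removed comes back as still exposed to CVE-2021-45105 only, the 2.15.0 jar with JndiLookup present to CVE-2021-45046 and CVE-2021-45105, and the 2.17.0 jar to nothing, which is exactly why a system patched last week may still need another upgrade.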
In the meantime, my apologies for the evolving advice as the week progressed and the need to upgrade more than once in many cases. This was a fast moving situation and we provided the best information we had at the time.
If you need to speak with Customer Support, please log a ticket in the Support Hub.
Avantra takes the security of our software and our customers very seriously - it is our top priority. We encourage you to get proactive updates as we post them by subscribing to the security section of our forum.