Security Notes - 2024

Following on from the post on SAP vulnerabilities, here is a summary to keep some figures in mind.

Summary

SAP vulnerabilities continue to pose significant risks to enterprise security. From January 2021 to date, 578 SAP Security Notes have been reported, relating to 546 CVE-IDs.

Key Findings

| Year | Total CVEs | Avg CVSS Score | Avg EPSS Score | Critical Vulnerabilities | High Severity Vulnerabilities |
|------|------------|----------------|----------------|--------------------------|-------------------------------|
| 2021 | 146        | 6.74           | 1.97           | 17                       | 42                            |
| 2022 | 140        | 6.92           | 9.18           | 20                       | 40                            |
| 2023 | 162        | 6.55           | 0.11           | 20                       | 36                            |
| 2024 | 130        | 5.84           | 0.72           | 8                        | 27                            |

Vulnerability Severity Distribution

  • Consistent Trend: Medium-severity vulnerabilities consistently dominate across all years
  • Critical Vulnerabilities: Peaked in 2022 with 20 critical vulnerabilities
  • Low-Severity Trend: Slight increase in low-severity CVEs in recent years

Known Exploited Vulnerabilities (KEV) and Ransomware

| Year | KEV Count |
|------|-----------|
| 2021 | 6         |
| 2022 | 14        |
| 2023 | 0         |
| 2024 | 1         |

Top Vulnerable Products

Consistent Trend: SAP NetWeaver Products Dominate Vulnerabilities

Year-by-Year Top Vulnerable Products

  • 2021 Top Products:
    1. NetWeaver Application Server ABAP
    2. NetWeaver Application Server Java
    3. Business One
    4. 3D Visual Enterprise Viewer
    5. NetWeaver ABAP
  • 2022 Top Products:
    1. NetWeaver Application Server ABAP
    2. NetWeaver Enterprise Portal
    3. Log4j
    4. Business Objects Business Intelligence Platform
    5. NetWeaver ABAP
  • 2023 Top Products:
    1. NetWeaver Application Server ABAP
    2. BusinessObjects Business Intelligence
    3. Solution Manager
    4. NetWeaver
    5. NetWeaver Application Server for Java
  • 2024 Top Products:
    1. NetWeaver Application Server ABAP
    2. NetWeaver Application Server Java
    3. SAP XSSEC
    4. Business Workflow
    5. Business Objects Business Intelligence Platform

Most Prevalent Vulnerability Types (CWE)

Recurring Top Vulnerability Categories:

  1. CWE-79: Cross-Site Scripting (XSS)
  2. CWE-862: Missing Authorization
  3. CWE-200: Information Disclosure

Detailed Analysis

2021 Highlights

  • Total CVEs: 146
  • Average CVSS: 6.74
  • Average EPSS: 1.97
  • Key Products: NetWeaver Application Server, DOM4J, jQuery
  • Notable CWEs: Authorization Issues, XSS, Information Disclosure

2022 Highlights

  • Total CVEs: 140
  • Significant Increase: Known Exploited Vulnerabilities (KEV) jumped from 6 to 14
  • Average CVSS: 6.92 (Highest in the period)
  • Average EPSS: 9.18 (Highest potential exploit probability)
  • Key Products: NetWeaver, Log4j, Business Objects BI Platform
  • Notable CWEs: XSS, Information Disclosure, Open Redirect

2023 Highlights

  • Total CVEs: 162 (Peak Year)
  • Unique Year: Zero Known Exploited Vulnerabilities
  • Average CVSS: 6.55
  • Very Low EPSS: 0.11
  • Key Products: NetWeaver, BusinessObjects BI, Solution Manager
  • Notable CWEs: XSS, Information Disclosure, Missing Authorization

2024 Preliminary Insights

  • Total CVEs: 130 (As of current dataset)
  • Decline in Critical Vulnerabilities: Only 8 critical CVEs
  • Lower Average CVSS: 5.84
  • Key Products: NetWeaver ABAP, SAP XSSEC, Business Workflow
  • Notable CWEs: Server-Side Request Forgery (CWE-918), File Upload Vulnerabilities

Priority Score Medium Vulns 2021-2024

Given the trend "Medium-severity vulnerabilities consistently dominate across all years", these vulnerabilities need to be managed and prioritized for remediation.

The Beta model built to prioritize vulnerabilities, "Rethink Priority Score", selects 24 of the 358 reported in SAP Security Notes:

  • 24 Unique CVE-IDs
  • 3 on KEV
  • 14 on CWE Top 25


Priority Score Vulns 2021-2024

Against the total vulnerabilities reported by SAP from 2021 to 2024, the Beta "Rethink Priority Score" model selects 160 of the 578 SAP Security Notes:

  • 145 Unique CVE-IDs
  • 12 on KEV
  • 97 on CWE Top 25
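The post does not describe how the Beta "Rethink Priority Score" weighs its inputs, so the following is an added illustration (not the author's model) of the same idea: rank medium-severity SAP Security Notes using the signals the post tabulates (CVSS, EPSS, KEV listing and CWE Top 25 membership) and report the counts in the shape of the two summaries above. The weights, the threshold, the placeholder CVE ids and the CWE Top 25 subset are assumptions.

```python
from dataclasses import dataclass

@dataclass
class SapNote:                      # one SAP Security Note row, fields as in the post's tables
    cve: str
    product: str
    cvss: float                     # CVSS base score, 0-10
    epss: float                     # EPSS as a probability, 0-1
    cwe: str
    kev: bool                       # listed in CISA KEV

# Assumed subset of the CWE Top 25 for illustration; the real list changes yearly.
CWE_TOP25 = {"CWE-79", "CWE-862", "CWE-200", "CWE-918", "CWE-434"}

# Constructed sample; CVE ids are placeholders, not real SAP advisories.
SAMPLE = [
    SapNote("CVE-0000-0001", "NetWeaver AS ABAP", 6.5, 0.020, "CWE-79", False),
    SapNote("CVE-0000-0002", "NetWeaver AS Java", 5.3, 0.900, "CWE-918", True),
    SapNote("CVE-0000-0003", "Business One", 4.3, 0.001, "CWE-601", False),
    SapNote("CVE-0000-0004", "NetWeaver AS ABAP", 9.8, 0.950, "CWE-862", True),
    SapNote("CVE-0000-0005", "Business Workflow", 6.1, 0.050, "CWE-862", False),
    # The same CVE covered by a second note (578 notes vs 546 CVEs in the post).
    SapNote("CVE-0000-0002", "Solution Manager", 5.3, 0.900, "CWE-918", True),
]

def is_medium(note: SapNote) -> bool:
    """CVSS v3 'Medium' band, 4.0-6.9."""
    return 4.0 <= note.cvss <= 6.9

def priority(note: SapNote, top25: set) -> float:
    """Assumed weighting: CVSS/10 + EPSS, +1.0 if on KEV, +0.5 if CWE in Top 25."""
    score = note.cvss / 10 + note.epss
    score += 1.0 if note.kev else 0.0
    score += 0.5 if note.cwe in top25 else 0.0
    return round(score, 3)

def select_medium(notes, top25, threshold: float = 1.0) -> list:
    """Medium-severity notes at or above the threshold, highest priority first."""
    kept = [n for n in notes if is_medium(n) and priority(n, top25) >= threshold]
    return sorted(kept, key=lambda n: priority(n, top25), reverse=True)

def summarize(chosen, top25) -> dict:
    """Counts per unique CVE, in the shape the post reports (unique / KEV / Top 25)."""
    by_cve = {n.cve: n for n in chosen}     # collapse notes that share a CVE
    return {
        "unique_cves": len(by_cve),
        "on_kev": sum(n.kev for n in by_cve.values()),
        "on_cwe_top25": sum(n.cwe in top25 for n in by_cve.values()),
    }
```

On the constructed sample the critical note is left out by the medium filter, the low-EPSS open-redirect note falls under the threshold, and the two notes for the same CVE are counted once.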


Beta "Rethink Priority Score" - SAP Compass Vulns

Limitations and Considerations

  • The dataset is a snapshot of the vulnerabilities reported.
  • Some vulnerabilities may go unreported.
  • Actual risk depends on the specific implementation and context.

Conclusion

The cybersecurity landscape keeps changing, with persistent medium- to high-severity vulnerabilities. Proactive strategies remain a critical resource for mitigating risks and emerging vulnerabilities.

Do not forget medium-severity vulnerabilities

Trend: Medium-severity vulnerabilities consistently dominate across all years.

Note: Analysis based on CVE data up to December 14, 2024

rhnux :: Made with MkDocs + Simple Blog