SAP has patched several serious vulnerabilities in its HANA in-memory database that could give attackers full control over the system without needing a username or password.
The zero-day vulnerabilities rank among the most critical ever found in HANA.
Exploiting them could give attackers full access to information in the database, as well as other SAP business apps, according to Onapsis, the security company that uncovered the issue.
Onapsis said vulnerabilities lie in a HANA component known as "User Self Service" (USS), which was launched in late 2014. USS lets users carry out tasks like create an account or recover a password.
According to Onapsis, which didn't publish technical details of the flaws, when chained together the combined vulnerabilities give attackers full access to USS and the ability to perform any action over the information contained within HANA, as well as the processes it supports.
Onapsis rated the combined flaws 9.8 in severity.
The security vendor reported ten HANA vulnerabilities to SAP about two months ago. SAP is releasing five HANA patches this week to fix a range of vulnerabilities uncovered in recent months.
"SAP has done a great job by releasing fixes much faster than in past situations," Onapsis CEO Mariano Nunez said.
SAP urged security managers to patch relevant systems.
"There has not been one case where a customer who applied the recommended patches has been affected," Siddhartha Rao, vice president of SAP product security response, said.
"We currently expect there will not be that many customers affected by these issues."
