SAP AI Core Vulnerabilities Allowed Service Takeover, Customer Data Access


July 18, 2024 at 11:03AM

SAP’s AI Core service was recently vulnerable to attacks, potentially allowing access to customer data, as reported by Wiz. The flaws were discovered and reported to SAP by Wiz, which led to the release of patches for the bugs in May. The vulnerabilities could have allowed attackers to execute code and gain access to customer data.

SAP's AI Core service was recently affected by vulnerabilities identified by Wiz, a cloud security firm. Wiz discovered five bugs and reported them to SAP in January and February; SAP released patches for them on May 15. The flaws, which Wiz collectively named SAPwned, could have allowed attackers to access customer data and compromise internal artifacts, potentially spreading to related services and to other customers' environments.

The vulnerabilities let the researchers execute arbitrary code, move laterally, and gain control of the service, ultimately obtaining credentials for AWS, Azure, and SAP cloud environments. They were also able to read and modify Docker images on SAP's internal container registry and on Google's container registry, and to gain cluster admin privileges on the AI Core Kubernetes cluster. The root cause was that attackers could run malicious AI models and training procedures, which effectively function as arbitrary code. Notably, carrying out such an attack required only basic permissions on SAP's platform.

Related developments noted alongside the report include Google's advanced discussions to acquire Wiz for $23 billion, Wiz's fundraising of $1 billion at a $12 billion valuation, and an unrelated vulnerability that allowed the takeover of an AWS Apache Airflow service.
