Security Concern in Cloud Apps
Incident Report for CDQ Cloud Services
Postmortem

We observed a case in Cloud Apps where a logged-in user saw data storages that they should not have been able to see.

As we were not able to reproduce the issue quickly, we decided to switch off CDQ Cloud Apps.

We know this is frustrating but we needed to limit the risk of any data exposure.

A bug in Cloud Apps meant that users who logged in within the same 1 second may have received the same session. This issue did not affect APIs or API security, so no technical integration in SAP systems was affected.

Based on our logs, this issue occurred a total of 10 times since the release of Cloud Apps, and fortunately in only 1 case was a customer affected (the other logins were internal accounts). We are already in close communication with the affected customer and have verified that no unauthorized access to data occurred.

Fortunately, we have resolved this issue and verified that the login in Cloud Apps now works as expected even under concurrent logins.
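As an added illustration (not CDQ's code, and not a description of the actual Cloud Apps implementation), the following Python shows the two defender-side pieces this kind of incident calls for: a log audit that flags any session ID issued to more than one account, run here over constructed sample log lines, and a session store that issues IDs from a CSPRNG under a lock so that two logins, however close in time, cannot receive the same session. The log format, account names and session values are assumptions.

```python
import secrets
import threading
from collections import defaultdict
from concurrent.futures import ThreadPoolExecutor

# Constructed login-audit lines (not CDQ's real logs): "<timestamp> login user=<account> session=<id>".
# The first two logins fall within the same second and, as in the incident, share one session ID.
SAMPLE_LOG = """\
2020-11-12T17:55:03Z login user=alice@example.test session=s-1605203703
2020-11-12T17:55:03Z login user=bob@example.test session=s-1605203703
2020-11-12T17:55:04Z login user=carol@example.test session=s-1605203704
"""

def find_shared_sessions(log_text):
    """Audit check: return {session_id: sorted distinct users} for every session ID
    that was handed to more than one account, the condition the postmortem describes."""
    users_by_session = defaultdict(set)
    for line in log_text.splitlines():
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        if "user" in fields and "session" in fields:
            users_by_session[fields["session"]].add(fields["user"])
    return {sid: sorted(u) for sid, u in users_by_session.items() if len(u) > 1}

class SessionStore:
    """Issues session IDs from a CSPRNG; the check-and-insert runs under a lock so
    two logins, however close in time, can never be bound to the same session."""
    def __init__(self):
        self._lock = threading.Lock()
        self._sessions = {}  # session_id -> account

    def issue(self, user):
        with self._lock:
            while True:
                sid = secrets.token_urlsafe(32)  # 256 random bits, not derived from the clock
                if sid not in self._sessions:    # defensive; a real collision is astronomically unlikely
                    self._sessions[sid] = user
                    return sid

def concurrent_login_test(n_users=500):
    """Log n_users accounts in from parallel threads; return (sessions issued, distinct sessions)."""
    store = SessionStore()
    with ThreadPoolExecutor(max_workers=32) as pool:
        issued = list(pool.map(lambda i: store.issue(f"user{i}@example.test"), range(n_users)))
    return len(issued), len(set(issued))

if __name__ == "__main__":
    print(find_shared_sessions(SAMPLE_LOG))   # {'s-1605203703': ['alice@example.test', 'bob@example.test']}
    print(concurrent_login_test())            # (500, 500)
```

Running the audit over real login logs is how an operator would count occurrences the way the postmortem reports; the concurrency test shows that the locked CSPRNG store never hands out a duplicate.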

In case of further questions or concerns, do not hesitate to contact us.

Posted Nov 13, 2020 - 14:53 CET

Resolved
Cloud Apps is available again - we have resolved this issue and verified that the login in Cloud Apps now works as expected.
Posted Nov 13, 2020 - 14:52 CET
Update
We have identified and reproduced the issue. Today we will provide the fix and re-enable access to Cloud Apps. After resolving the issue we will share details and explanations for transparency.
Posted Nov 13, 2020 - 09:30 CET
Identified
Due to a security concern regarding our web application, we have to switch off CDQ Cloud Apps. We are investigating the issue and will inform you about any progress. As far as we understand the issue for now, web session IDs may not be assigned exclusively if users log in “in parallel”, i.e., within less than a second. Although the probability of such a case is quite low, we cannot continue operations until we better understand the root cause. This issue does not affect APIs or API security, so no technical integration in SAP systems is affected.
Posted Nov 12, 2020 - 18:02 CET
This incident affected: CDQ Cloud Services (Cloud Apps).