Layer Seven Security ADVISORY


SAP Security Notes July 01

In July, SAP released a crucial update for a vulnerability in the Archiving Workbench originally patched in February 011. Note 1561545 contains instructions for an automated correction using the Note Assistant through transaction SNOTE and overrides the manual instructions provided in the earlier Note 151669.

The Archiving Workbench uses archiving objects to move mass amounts of online data to offline or nearline storage systems. Each SAP document type is archived through a unique archiving object. Financial Accounting documents, for example, are archived using the archiving object FI_DOCUMNT, which includes the document header, company code-dependent postings, change documents and other elements. Similarly, user, authorization and profile changes are archived through the objects US_USER, US_AUTH and US_PROF. The Workbench includes an Archive Development Kit (ADK), which provides the runtime environment for archiving, and a Monitor to review scheduled and completed archiving jobs.

Archiving is controlled through the S_ARCHIVE authorization object. ADK checks this object when a user calls a function module in the Archiving Workbench. The object can be configured to grant read, write, move or delete permissions. Activity level 01 provides all permissions, while 0 only allows users to display archive files and view settings in the archive management console. The required permission level should be defined in each individual function module. Notes 1561545 and 151669 patch missing authorization checks in certain modules. Without these patches, users that should have restricted permissions may be able to escalate their privileges and move or even delete archived data, potentially leading to data loss, corruption or theft.
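As an added illustration of the check the notes above restore (this is example code, not code from the advisory or from SAP's correction instructions), a destructive archiving routine should verify S_ARCHIVE for the specific archiving object with activity 01 before touching any archive file. ACTVT, APPLIC and ARCH_OBJ are the documented fields of S_ARCHIVE; the class, the exception, the application-area value 'FI' and the placement of the delete call are assumptions.

```abap
REPORT z_archive_delete_guard.

" Constructed example: signals a refused request to the caller.
CLASS lcx_not_authorized DEFINITION INHERITING FROM cx_static_check.
ENDCLASS.

CLASS lcl_archive_guard DEFINITION.
  PUBLIC SECTION.
    " Activity 01 of S_ARCHIVE grants all permissions (write, move, delete).
    CONSTANTS gc_actvt_all TYPE c LENGTH 2 VALUE '01'.
    CLASS-METHODS check_destructive
      IMPORTING iv_applic   TYPE string
                iv_arch_obj TYPE string
      RAISING   lcx_not_authorized.
ENDCLASS.

CLASS lcl_archive_guard IMPLEMENTATION.
  METHOD check_destructive.
    " The check is scoped to one application area and one archiving
    " object rather than a wildcard, so a user holding display-only
    " rights on FI_DOCUMNT cannot delete or move its archive files.
    AUTHORITY-CHECK OBJECT 'S_ARCHIVE'
      ID 'ACTVT'    FIELD gc_actvt_all
      ID 'APPLIC'   FIELD iv_applic
      ID 'ARCH_OBJ' FIELD iv_arch_obj.
    IF sy-subrc <> 0.
      " sy-subrc 4 or 12: no matching authorization in the user's profiles.
      RAISE EXCEPTION TYPE lcx_not_authorized.
    ENDIF.
  ENDMETHOD.
ENDCLASS.

START-OF-SELECTION.
  TRY.
      lcl_archive_guard=>check_destructive(
        iv_applic   = 'FI'            " application area (assumed value)
        iv_arch_obj = 'FI_DOCUMNT' ).
      " Only reached after a positive check: call the delete routine here.
    CATCH lcx_not_authorized.
      MESSAGE 'Not authorized to delete archive files' TYPE 'E'.
  ENDTRY.
```

A module that omits the AUTHORITY-CHECK block is exactly the defect the notes describe: the delete path runs for anyone who can reach the function module.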

SAP Security Notes by Vulnerability Type

Customers that have recently upgraded, or are planning to upgrade, from NetWeaver (NW) 004 or 7.0 to NW PI 7.10 or NW 7. should read SAP Note 174604 very closely. It deals with an alarming vulnerability in the secure store area of the SAP JEE Engine. The secure store holds sensitive data such as passwords in encrypted form. By default, the JEE Engine stores this data in the file \usr\sap\<SID>\SYS\global\security\data\SecStore.properties. The file is created during installation and includes the SAP<SID>DB and Administrator passwords; the former is used for database connectivity and the latter for system administration. The contents of the secure store file are encrypted with a triple DES algorithm using the SAP Java Cryptology Toolkit. The upgrade procedure should prompt the administrator to change the default key phrase used to generate the encryption key. However, this prompt is not displayed if the upgrade is performed with the SAPJup tool at a patch level lower than PL 54. As a result, some upgraded systems may still have the default key phrase set on the secure store.

Customers that have migrated to SAP's new and much vaunted HANA database should take a look at Note 176160. This patches a memory corruption exploit that could be used by remote, malicious users to crash database operations and provoke a Denial of Service.

SQL Statements can bypass authorization checks

Finally, all customers should review Note 17856, which updates newer releases of JEE applications for a SQL injection vulnerability originally patched in March. Open or native SQL statements can bypass authorization checks, so modified strings in SQL statements can lead to unauthorized access to information stored in database tables. Note 17856 applies input validation to counter a vulnerability in the XML Data Archiving Service (XML DAS) that allows malicious users to retrieve or modify restricted data from databases by modifying strings in the SQL statements generated by the program.
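The affected component here is a Java service, but the flaw class the advisory describes (a caller-controlled string spliced into a generated statement) is the same in Open SQL. The following added example, which is not code from the advisory or from XML DAS, puts the vulnerable lookup beside its hardened form; the table zarch_index with columns docid and archkey, and the class name, are assumptions.

```abap
REPORT z_archive_lookup_hardened.

CLASS lcl_archive_lookup DEFINITION.
  PUBLIC SECTION.
    TYPES ty_keys TYPE STANDARD TABLE OF string WITH EMPTY KEY.
    CLASS-METHODS vulnerable
      IMPORTING iv_docid TYPE string
      RETURNING VALUE(rt_keys) TYPE ty_keys.
    CLASS-METHODS hardened
      IMPORTING iv_docid TYPE string
      RETURNING VALUE(rt_keys) TYPE ty_keys.
ENDCLASS.

CLASS lcl_archive_lookup IMPLEMENTATION.
  METHOD vulnerable.
    " The caller's string is spliced into the WHERE clause unchanged, so a
    " value containing a closing quote followed by further conditions
    " rewrites the query and can return rows the caller was never meant
    " to see. No authorization check protects the rows at the SQL layer.
    DATA(lv_where) = |docid = '{ iv_docid }'|.
    SELECT archkey FROM zarch_index
      WHERE (lv_where)
      INTO TABLE @rt_keys.
  ENDMETHOD.

  METHOD hardened.
    " A host variable binds the value as data; it is never parsed as SQL.
    SELECT archkey FROM zarch_index
      WHERE docid = @iv_docid
      INTO TABLE @rt_keys.
    " If a dynamic WHERE clause cannot be avoided, build the literal with
    " cl_abap_dyn_prg=>quote, which adds the surrounding quotes and
    " doubles any embedded quote so the value cannot close the literal:
    "   DATA(lv_where) = |docid = { cl_abap_dyn_prg=>quote( iv_docid ) }|.
  ENDMETHOD.
ENDCLASS.
```

Input validation of the kind Note 17856 introduces and the host-variable form above address the same root cause: the database executes whatever string the program hands it, so the program must never let a caller shape that string.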

Appendix: SAP Security Notes, July 01

PRIORITY | NOTE    | AREA              | DESCRIPTION
1        | 1561545 | CA-GTF-TS-GMA     | Update to Security Note 151669
         | 174686  | BC-BSP            | Update 1 to security note 168718
         | 174010  | BC-XI-IBD         | Update to Security Note 150856
         | 1708116 | BC-UPG-TLS-TLA    | Directory traversal in function module STATUS_EXP from SDBM
         | 171581  | SV-SMB-AIO-PFW-SB | Unauthorized modification of displayed content in BP-SOLBLD
         | 170994  | SV-SMG-SDD        | Missing authorization check in ST-PI
         | 17109   | BC-SRV-PMI        | Untrusted XML input parsing possible in PMI
         | 17641   | BC-XI-CON-AFW     | Untrusted XML input parsing possible in XI Adapter Framework
         | 174604  | BC-UPG-TLS-TLJ    | SAP Java Upgrade: change the default secure store key phrase
         | 176160  | BC-DB-HDB         | Security issues fixed in SAP HANA Revision 8 and later
         | 1581156 | BC-FES-ITS        | ITS: XSS vulnerability on page generated by HTTP handler
         | 159176  | CRM-BF-CFG        | Unauthorized modification of displayed content in CRM IPC
         | 166150  | BC-FES-ITS        | ITS: Replace HTML encoding by new ABAP function
         | 167569  | CRM-ISA           | Unauthorized modification of stored content in CRM-ISA
         | 1676010 | PA-GE             | Unauthorized modification of stored content in PA-GE
         | 1681997 | EP-KM-COL         | Missing authorization check in EP-KM-COL component
         | 168684  | BC-ABA-LA         | Missing authorization check in ABAP Dump Collector
         | 169691  | CRM-ISA-BBS       | Missing authorization check in CRM-ISA-BBS
         | 169648  | FS-AM-ARC         | FS-AM-ARC/Archiving: Potential disclosure of persisted data
         | 17856   | JEE-APPS          | Update # to security note 1594984
         | 1699075 | BC-CTS-LAN        | Code injection vulnerability in BC-CTS-LAN
         | 171917  | PPM-PRO           | Missing authorization check in PPM-PRO
         | 1661909 | EP-KM-WD          | Potential information disclosure relating to server info
         | 16788   | BC-JAS-SEC-UME    | Unauthorized use of User Mapping functions in portal

Layer Seven Security

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems. Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance, including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX. The company is privately owned and headquartered in Toronto, Canada.

Address: Westbury Corporate Centre, Suite 101, 75 Upper Middle Road, Oakville, Ontario L6H 0C, Canada
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 099

Copyright Layer Seven Security 01 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.