Layer Seven Security ADVISORY

Similar documents
Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY. SAP Security Notes

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

SAP Cybersecurity Solution Brief. Objectives Solution Benefits Quick Facts

Disclosure Management. Default font on styles in Disclosure Management

Moving BCM to different IP range

SAP Directory Content Migration Tool

Inception of the SAP Platform's Brain Attacks on SAP Solution Manager

Disclosure Management US SEC. Preview

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

Attacks based on security configurations

SAP Audit Guide for Basis

Crystal Reports 2008 FixPack 2.4 Known Issues and Limitations

SAP BusinessObjects Explorer API Guide SAP BusinessObjects Explorer XI 3.2 SP2

Dashboards Batch Utility User Guide

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

SAP Branch Agreement Origination V3.703: Software and Delivery Requirements

BC400 Introduction to the ABAP Workbench

SAP BusinessObjects Dashboard Design Component SDK Installation Guide

SAP BusinessObjects Integration Option for Microsoft SharePoint Getting Started Guide

How the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37

BC100. Introduction to Programming with ABAP COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

ADM900 SAP System Security Fundamentals

UI Changes for SAP Portfolio and Project Management Depending on NW Release

SAP Business Communications Management (BCM) Release Notes 7.0 SP04 Patch 1 ( )

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

BC400. ABAP Workbench Foundations COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

ADM100 AS ABAP - Administration

Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended

Business Objects Integration Scenario 2

Visual Composer for SAP NetWeaver Composition Environment - Connectors

BW Text Variables of Type Replacement Path

SAP BusinessObjects Performance Management Deployment Tool Guide

Quality Inspection Engine (QIE) Security Guide

How to Find Suitable Enhancements in SAP Standard Applications

Managing Substitutions in My Inbox 2.0 app

SAP Discovery System V5 Users and Passwords

SAP Crystal Reports Viewer 2011 Release Notes

Duet Enterprise: Tracing Reports in SAP, SCL, and SharePoint

Using Xcelsius 2008 with SAP NetWeaver BW

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day

Passing Parameters via Web Dynpro Application

Forwarding Alerts to Alert Management (ALM)

EP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

How to Download Software and Address Directories in SAP Service Marketplace

ADM920 SAP Identity Management

Single Sign-on For SAP NetWeaver Mobile PDA Client

Enterprise Services Enhancement Guide

BW Workspaces Data Cleansing during Flat File Upload

Data Handling in the SAP NetWeaver System Landscape Directory Step by Step

How to reuse BRFplus Functions Similar to R/3 Function Modules using BRF+ Expression Type Function Call

About the company. What we do? Cybersecurity solutions adapted to protect enterprise business applications (SAP & Oracle).

BC410. Programming User Dialogs with Classical Screens (Dynpros) COURSE OUTLINE. Course Version: 10 Course Duration: 3 Day(s)

BC430 ABAP Dictionary

SAP BusinessObjects Predictive Analysis 1.0 Supported Platforms

SAP BusinessObjects Enterprise Upgrade Guide

BC404. ABAP Programming in Eclipse COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

Preview of Web Services Reliable Messaging in SAP NetWeaver Process Integration 7.1

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

How To...Consume HANA Models with Input Parameters in BW Virtual Providers

SAP NetWeaver Identity Management Identity Center Minimum System Requirements

Portal Integration Kit User's Guide for SAP BusinessObjects Portlets

How to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013

Resume Parsing. SAP enhancement package 3 for SAP ERP 6.0. Document Version ERECRUIT 603 RECRUIT 603

Duplicate Check and Fuzzy Search for Accounts and Contacts. Configuration with SAP NetWeaver Search and Classification (TREX) in SAP CRM WebClient UI

Using SAP NetWeaver Business Intelligence in the universe design tool SAP BusinessObjects Business Intelligence platform 4.1

Cube Designer User Guide SAP BusinessObjects Financial Consolidation, Cube Designer 10.0

Upgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System

SAP BusinessObjects Dashboards 4.0 SAP Crystal Dashboard Design 2011 SAP Crystal Presentation Design 2011

Visual Composer s Control Types

Widgets for SAP BusinessObjects Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.1 Support Package 2

BC490 ABAP Performance Tuning

How to Integrate Microsoft Bing Maps into SAP EHS Management

Testing Your New Generated SAP NetWeaver Gateway Service

TBIT40 SAP NetWeaver Process Integration

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

Simplified Configuration of Single System Update in Maintenance Optimizer

OData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario

Business Intelligence Platform User Guide SAP BusinessObjects Business Intelligence platform 4.0 Support Package 2

Visual Composer Modeling: Data Validation in the UI

How to Set Up and Use Electronic Tax Reporting

Do Exception Broadcasting

Quick View Insider: How Can I Change the Colors? (SNC 7.0)

Obtain Configuration Parameters for LPD_CUST Provide the base path of your BSP application (1/2)

Quick View Insider: Understanding Quick View Configuration

Transcription:

Layer Seven Security ADVISORY SAP Security Notes January 01

There were several Security Notes released by SAP in January for directory traversal vulnerabilities affecting a number of application areas. The most important affected the adminadapter service in the Java Application Server used for system administration and monitoring (Note 1755108). The vulnerability patched by the Note carried a CVSS Base Score of 10.0. Scores range between 1-10. Critical vulnerabilities are generally rated between 7.5-10.0. Other areas patched for directory traversal risks include Material Planning Objects (MPO) used for equipment and armament management by organizations using the SAP industry solution Defense Forces and Public Security (IS-DFS) (Note 1787460) and the Integration Builder Framework of Process Integration (PI), formerly known as Exchange Infrastructure (XI) (Note 16857). SAP Security Notes January 01 Directory traversal, also known as path traversal, occurs when an attacker is able to successfully access directories or files outside of restricted zones by modifying the external input processed by application servers. This can provide access to parent directories (relative path traversal) or any directory on a server (absolute path traversal). The consequences of directory traversal can be severe, ranging from viewing data in sensitive password, program or other files in directories, to corrupting or removing the files which can lead to Denial of Service (DoS). It can be prevented through secure coding that includes requirements for the validation of inputs against a whitelist of acceptable values for properties such as length, type, syntax and file extensions. For more information, refer to the Common Weaknesses Enumeration (CWE), sponsored by the Office of Cybersecurity and Communications at the Department of Homeland Security. SAP also released several Notes for missing authorization checks. This includes the U.S version of Personnel Administration (PA-PA- US) which prior to the release of Note

SAP Security Notes by Vulnerability Type 177917 did not perform sufficient authorization checks for access to HR Distributed Reporting. It also includes ABAP Web Services, a Basis component in the Enterprise Service Infrastructure (Note 1776984). Other noteworthy Security Notes include 1716 which patches a buffer overflow vulnerability in the Communications Management Software of CRM, and 16741 which deals with a code injection flaw when using the File Transfer Protocol (FTP) in SAPconnect during external communications. SAP customers should also review Notes 17754 and 17708. Both provide corrections for hardcoded username and password combinations contained in program codes that enable attackers to access system resources without authorization or enable legitimate users to escalate their privileges. The affected programs are the Business Navigator component of Customizing (IMG) and the Basis Application Log.

Appendix: SAP Security Notes, January 01 PRIORITY NOTE AREA DESCRIPTION 1 1755108 BC-JAS-ADM-ADM Directory traversal in adminadapter service 1749 BC-WD-JAV Update 1 to Security Note 165474 1787460 IS-DFS-OF-MPO Directory-Traversal in IS-DFS-OF-MPO 1785747 BW-BEX-OT Missing authorization check in BW-BEX-OT 1784654 BW-BEX-ET Missing authorization check in BW-BEX-ET 177917 PA-PA-US Missing authorization check in HR Distributed-Reporting - CE 1776984 BC-ESI-WS-ABA Missing authorization check in component SAP_BASIS 177557 BC-SRV-COM-FTP Update 1 to Security Note 169988 17754 BC-CUS-TOL-NAV Hard-coded credentials in BC-CUS-TOL-NAV 1716 CRM-BCM Potential remote code execution in SAP BCM SIP 16741 BC-SRV-COM-FTP Code injection vulnerability in BC-SRV-COM-FTP 167016 EHS-DGP-TP Missing authorization check when branching to phrase mgmt 16857 BC-XI-IBF Directory Traversal in Exportability Check Servlet 1784770 BI-RA-CR Unauthorized modification of displayed content in CR Server 179499 XX-PROJ-FI-CA Potential information disclosure relating to FI-CA 17708 BC-SRV-BAL Hard-coded credentials in BC-SRV-BAL 176567 BC-ESI-UDDI Unauthorized modification of displayed content in ESREGBASIC 1761018 BC-COM-WIK Unauthorized modification of stored content in BC-COM-WIK 1748669 BC-SRV-KPR-CS Potential information disclosure relating to ContentServer 1799 BC-CCM-MON Untrusted XML input parsing possible in GRMG 17590 BC-CCM-MON Untrusted XML input parsing possible in GRMG 159756 SCM-APO-FCS-MAP Missing authorization check in SCM-APO-FCS-MAP 141864 BW-BEX-ET-XC Redirection of Web site in Xcelsius may be incorrect

Layer Seven Security empowers organisations to realize the potential of SAP systems. We serve customers worldwide to secure systems from cyber threats. We take an integrated approach to build layered controls for defense in depth Address Westbury Corporate Centre Suite 101 75 Upper Middle Road Oakville, Ontario L6H 0C, Canada Web www.layersevensecurity.com Email info@layersevensecurity.com Telephone 1 888 995 099

Copyright Layer Seven Security 01 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback