Layer Seven Security ADVISORY. SAP Security Notes

Similar documents
Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Layer Seven Security ADVISORY

Disclosure Management US SEC. Preview

Disclosure Management. Default font on styles in Disclosure Management

BC490 ABAP Performance Tuning

EP350. Innovated Content Management and Collaboration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

Passing Parameters via Web Dynpro Application

BC100. Introduction to Programming with ABAP COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

Obtain Configuration Parameters for LPD_CUST Provide the base path of your BSP application (1/2)

UI Changes for SAP Portfolio and Project Management Depending on NW Release

ADM960. SAP NetWeaver Application Server Security COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day

NET311. Advanced Web Dynpro for ABAP COURSE OUTLINE. Course Version: 10 Course Duration: 4 Day(s)

ADM100 AS ABAP - Administration

Testing Your New Generated SAP NetWeaver Gateway Service

ADM900 SAP System Security Fundamentals

ADM920 SAP Identity Management

BC400 Introduction to the ABAP Workbench

Message Alerting for SAP NetWeaver PI Advanced Adapter Engine Extended

GRC100. GRC Principles and Harmonization COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

EP200. SAP NetWeaver Portal: System Administration COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

TBIT40 SAP NetWeaver Process Integration

SAP BusinessObjects Explorer API Guide SAP BusinessObjects Explorer XI 3.2 SP2

Business Objects Integration Scenario 2

BC400. ABAP Workbench Foundations COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

BC404. ABAP Programming in Eclipse COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

BC410. Programming User Dialogs with Classical Screens (Dynpros) COURSE OUTLINE. Course Version: 10 Course Duration: 3 Day(s)

SAP Fiori Toolkit. Marc Anderegg, RIG, SAP February, Provided by Rapid Innovation Group (RIG)

Crystal Reports 2008 FixPack 2.4 Known Issues and Limitations

Duplicate Check and Fuzzy Search for Accounts and Contacts. Configuration with SAP NetWeaver Search and Classification (TREX) in SAP CRM WebClient UI

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

SAP NetWeaver Identity Management Identity Center Minimum System Requirements

How the Standard Integration between SAP EM and SAP TM Can Be Tested with SE37

SAP BusinessObjects Dashboards 4.0 SAP Crystal Dashboard Design 2011 SAP Crystal Presentation Design 2011

Moving BCM to different IP range

BW Workspaces Data Cleansing during Flat File Upload

BC405 Programming ABAP Reports

How to Integrate Microsoft Bing Maps into SAP EHS Management

Configuring relay server in Sybase Control Center

ADM950. Secure SAP System Management COURSE OUTLINE. Course Version: 10 Course Duration: 2 Day(s)

Visual Composer for SAP NetWeaver Composition Environment - Connectors

Building a Real-time Dashboard using Xcelsius and Data Integrator

BC480 PDF-Based Print Forms

SAP BusinessObjects Predictive Analysis 1.0 Supported Platforms

BC430 ABAP Dictionary

Introduction to BW Workspaces and its usage with SAP BusinessObjects BI Tools

How to reuse BRFplus Functions Similar to R/3 Function Modules using BRF+ Expression Type Function Call

Crystal Reports Family of Offerings

How to Use a Customer Specific UIBB in MDG Application 'Create Change Request' Author: Matthias Hubert Company: SAP Created on 5th July 2013

How to Find Suitable Enhancements in SAP Standard Applications

SAP BusinessObjects Dashboard Design Component SDK Installation Guide

SMP541. SAP Mobile Platform 3.0 Native and Hybrid Application Development COURSE OUTLINE. Course Version: 15 Course Duration: 5 Day(s)

SAP Directory Content Migration Tool

Visual Composer Modeling: Migrating Models from 7.1.X to 7.2.0

Visual Composer Modeling: Data Validation in the UI

SMP521. SAP Mobile Platform - Native and Hybrid Application Development COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

DEV523 Customizing and Extending PowerDesigner

AFA461 SAP Afaria 7.0 System Administration (SP03)

SAP Plant Connectivity 2.2

SAP Security. BIZEC APP/11 Version 2.0 BIZEC TEC/11 Version 2.0

Managing Substitutions in My Inbox 2.0 app

How to Configure Fiori Launchpad and Web Dispatcher to Support SAML2 Using SAP Identity Provider Step-by-Step

Cache Settings in Web Page Composer

Using Xcelsius 2008 with SAP NetWeaver BW

BIT460. SAP Process Integration Message Mapping COURSE OUTLINE. Course Version: 15 Course Duration: 3 Day(s)

BW310. BW - Enterprise Data Warehousing COURSE OUTLINE. Course Version: 10 Course Duration: 5 Day(s)

OData Service in the SAP Backend System for CRUDQ Operations in Purchase Order Scenario

A Sample PhoneGap Application Using SUP

CREATION AND CONFIGURATION OF WEB SERVICE FROM RFC AND DEPLOYMENT IN ANOTHER SYSTEM

AC507. Additional Functions of Product Cost Planning COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

EWM125. Labor Management in SAP EWM COURSE OUTLINE. Course Version: 16 Course Duration: 4 Hours

Best Practices Using KMC Capabilities in an External Facing Portal Version 1.00 October 2006

Upgrade MS SQL 2005 to MS SQL 2008 (R2) for Non-High-Availability NW Mobile ABAP System

SAP AddOn Quantity Distribution. by Oliver Köhler, SAP Germany

How to Integrate Google Maps into a Web Dynpro ABAP Application Using the Page Builder

Single Sign-on For SAP NetWeaver Mobile PDA Client

Duet Enterprise: Tracing Reports in SAP, SCL, and SharePoint

Visual Composer - Task Management Application

Configure UD Connect on the J2EE Server for JDBC Access to External Databases

SAP BusinessObjects Integration Option for Microsoft SharePoint Getting Started Guide

TBIT44 PI Mapping and ccbpm

Visual Composer s Control Types

Preventing vulnerabilities in HANAbased MARCH TROOPERS SECURITY CONFERENCE

PLM210. Master Data Configuration in SAP Project System COURSE OUTLINE. Course Version: 15 Course Duration: 2 Day(s)

Manual Activities of SAP Note Globalization Services, 2012/06/05

Transcription:

Layer Seven Security ADVISORY SAP Security Notes August 2017

Note 2381071 patches a critical cross-site Ajax vulnerability in the Prototype JS library of BusinessObjects. Ajax is a method often used by JavaScripts to exchange data between servers and clients to update parts of web pages without refreshing or reloading entire pages. This minimizes network bandwidth usage and also improves response times through rapid operations. Ajax is an acronym for Asynchronous JavaScript and XML since it s applied via XmlHttpRequest objects that interact dynamically with servers using JavaScript. XMLHttpRequest objects call server-side objects like pages and web services. Browsers commonly apply a same-origin policy that prevent pages from accessing external resources that have a different scheme, hostname or port than existing pages. However, same-origin policies can be bypassed using procedures such as cross-origin resource sharing. This could be exploited to transmit or load sensitive data to/ from malicious servers. The cross-site Ajax request vulnerability addressed by Note 2381071 applies to versions 4.0 4.2 of BusinessObjects. Corrections are included in the patch levels for each relevant support package. SAP Security Notes August 2017 Note 2486657 deals with a high-risk directory traversal vulnerability in the NetWeaver AS Java Web Container. The Web Container is a component of the J2EE Engine and provides the runtime environment for Java applications including servlets and BSPs.

Cross-Site Scripting Authorization Check SQL Injection Cross-Domain Redirection Other Directory Traversal Denial of Service Cross-Site Request Forgery Code Injection 0% 5% 10% 15% 20% 25% 30% SAP Security Notes by Vulnerability Type It receives HTTP requests from clients via the AS Java dispatcher. The requests are processed by applications in the Web Container to access business objects in the EJB Container. Note 2486657 improves input validation for file paths to prevent applications using the Servlet API exposing resources in parent directories or other directories outside the application context. Other important notes include Notes 2376081, 2423540, 2524134 and 2280932 that patch a code injection vulnerability impacting iviews in Visual Composer, a URL redirection vulnerability in the SAP NetWeaver Logon Application, and a missing authorization check in the Security Provider Service.

Appendix: SAP Security Notes, August 2017 1/2 PRIORITY NOTE AREA DESCRIPTION HIGH 2381071 BI-BIP-BIW Cross-Site AJAX Requests vulnerability in SAP BusinessObjects HIGH 2486657 BC-JAS-WEB Directory Traversal vulnerability in SAP NetWeaver AS Java Web Container HIGH 2376081 EP-VC-04S Code Injection vulnerability in Visual Composer 04s iviews MEDIUM 2524134 BC-JAS-SEC Update 1 to 2423540: URL Redirection Vulnerability in SAP NetWeaver Logon Application MEDIUM 2423540 BC-JAS-SEC URL Redirection Vulnerability in SAP NetWeaver Logon Application MEDIUM 2497027 XX-CSC-BR-NFE Missing Authorization check in XX-CSC-BR-NFE MEDIUM 2132282 BC-BMT-WFM- WEB MEDIUM 2189781 BC-FES-BUS- HTM Potential denial of service in BC-BMT-WFM-WEB Unauthorized modification of displayed content in NWBC for HTML MEDIUM 2280932 BC-JAS-SEC-LGN Missing Authorization Check in Security Provider Service MEDIUM 2271802 CRM-MKT-EAL Switchable authorization checks for RFC in External List Management (CRM- MKT-EAL) MEDIUM 2453642 BW-SYS-DB-DB2 SQL Injection vulnerability in SAP NetWeaver MEDIUM 2450979 CA-WUI-UI SQL Injection vulnerability in SAP CRM WebClient User Interface MEDIUM 2493099 SRM-LA Multiple Security Vulnerabilities in SAP SRM Live Auction Application MEDIUM 2499109 BC-JAS-SEC-CPG Collisions during UUID generation in SAP NetWeaver Java Server MEDIUM 2392719 XX-PART-ADB- IFM Potential Denial of Service vulnerability in Adobe Document Services MEDIUM 2494184 BC-SYB-SQA Cross-Site Request Forgery (CSRF) vulnerability in multiple SAP Sybase products MEDIUM 2481262 CRM-BF-CFG Cross-Site Scripting (XSS) vulnerability in SAP CRM IPC Pricing MEDIUM 2428512 BI-RA-WBI-FE- HTM Server-Side Request Forgery (SSRF) vulnerability in Web Intelligence BI Launchpad MEDIUM 2425744 CA-WUI-UI Cross-Site Scripting (XSS) vulnerability in SAP CRM WebClient UI MEDIUM 2417020 BC-FES-BUS- HTM Cross-Site Scripting (XSS) vulnerability in SAP NetWeaver Business Client for HTML

Appendix: SAP Security Notes, August 2017 2/2 PRIORITY NOTE AREA DESCRIPTION MEDIUM 2393021 BC-WD-CLT-FLX Adobe SDK XSS vulnerability - Flex MEDIUM 1786732 XX-CSC-BR Directory traversal in J1BA LOW 2491763 GRC-SAC-ARA SQL Injection vulnerability in GRC Access Controls LOW 2463354 BC-DWB-TOO- CLA LOW 2394536 EP-PIN-WPC- WCM Missing Authorization check in the ABAP Workbench tools URL Redirection vulnerability in SAP NetWeaver K.M. Web Page Composer

Layer Seven Security serve customers worldwide to harden, patch and monitor SAP systems against cyber threats using SAP Solution Manager Address 99 Hudson Street 5th Floor New York, NY 10013 United States Web www.layersevensecurity.com Email info@layersevensecurity.com Telephone 1-647-964-7370

Copyright Layer Seven Security 2017 - All rights reserved. No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security. Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards. This publication contains references to the products of SAP AG. SAP, R/3, xapps, xapp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries. SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback