P. 1
sapnote_0000888889

sapnote_0000888889

|Views: 413|Likes:
Published by Manish Sachan

More info:

Published by: Manish Sachan on May 04, 2011
Copyright:Attribution Non-commercial

Availability:

Read on Scribd mobile: iPhone, iPad and Android.
download as PDF, TXT or read online from Scribd
See more
See less

07/03/2013

pdf

text

original

SAP Note 888889 Automatic checks for security notes using RSECNOTE

Note Language: English Version: 14 Validity:
Valid Since 30.04.2010

Summary
Symptom
The SAP EarlyWatch Alert report contains selected checks about "Security". Among other things, there is a check to determine whether or not selected and required security-relevant notes or HotNews have been implemented in the system. The report displays an overall status. An administrator uses the tool RSECNOTE to create the detailed evaluation of the required security-relevant notes in the system to be analyzed. This note responds to the following situations: o In the SAP EarlyWatch Alert report, the "Service Preparation Check" unit complains that Note 888889 is not implemented. As a result, the check for security-relevant notes can only be carried out partially in the "Security" section. You want to use the tool RSECNOTE to check the implementation status of security-relevant notes in your system. However, this tool is not yet available in your system. You require detailed information on implementing and executing the tool RSECNOTE, and on interpreting the results. You call transaction ST13. In the F4 help for the "Tool Name" field, the entry RSECNOTE is missing. If you manually enter RSECNOTE and then execute it, the system issues the message "The tool RSECNOTE does not exist". The tool RTCCTOOL shows that the tool RSECNOTE is missing.

o

o

o

o

Other terms
EarlyWatch Alert, EWA, security, RSECNOTE, RTCCTOOL, ST13

Reason and Prerequisites
The tool RSECNOTE is part of the software component ST-A/PI as of Release 01M_*. Correction instructions are available for the installation in Release 01L_*. As of Support Package 3 for the Service Content Plug-In ST-SER 701_2008_2, various services in the Solution Manager require the tool RSECNOTE on the managed system to check whether or not security-relevant notes are implemented. The service report shows that this tool is missing and makes reference to this present Note 888889.

Solution
Below you will find: - a guide to implementing the tool RSECNOTE - documentation on using the tool and information about the background and further procedures

17.03.2011

Page 1 of

10

Install the tool RSECNOTE in all systems in which you want to use the tool. As a result of the tool RSECNOTE. The report shows the following three sections: o "Missing recommendations" This section shows the required security-relevant SAP Notes and HotNews. HotNews are flagged with a red traffic light and notes are flagged with a yellow traffic light. Enter /SSA/RTC if you are asked to specify a main program for /SSA/INT. In transaction ST13. See Note 69455 for more information. Documentation for the tool RSECNOTE You use transaction ST13 to start the tool RSECNOTE. SAP_BASIS Release 700 and subsequent releases. implement the corrections manually and confirm the message. "Successfully implemented recommendations" Page 2 of 10 o o 17. notes that contain security corrections and notes that are relevant for your system due to the existing software components (taking the releases and the Support Packages into account) are displayed.2011 . In this case. Comment: As of SAP_BASIS Release 620 Support Package 55. Object S_TCODE S_ADMI_FCD S_PTCH_ADM Field TCD S_ADMI_FCD TABLE COMPONENT ACTVT Value ST13 ST0R ' (or empty) SECURITY-CHECK 02 (change) 2. /SSA/. Go to "System Change Option" in transaction SE06 and set the software component ST-A/PI and the namespaces/name ranges "General SAP Name Range".SAP Note 888889 Automatic checks for security notes using RSECNOTE Guide for creating the tool RSECNOTE 1. You can also install the tool RSECNOTE in Release 01L_* by implementing the correction instructions using transaction SNOTE. and /SSF/ to "Modifiable". select the tool and start it by choosing "Execute" or F8. For example: You cannot implement a specific note using transaction SNOTE because you manually changed the affected program beforehand. for example. you can also start the tool as the report RSECNOTE by using transaction SA38. "Manually confirmed recommendations" Report messages can also be confirmed manually. SAP_BASIS Release 640 Support Package 13. Assign the following authorizations to all the users for whom you want to provide access to the tool. This should only happen in exceptional cases that require it. SAP recommends that you install Release 01M_* of the software component ST-A/PI.03.

the system checks only that at least the required kernel patch is installed. If the system to be checked does not have an online connection to SAPNet. List of security-relevant notes that are checked The tool RSECNOTE checks security-relevant notes or HotNews that are entered as related notes in this present note. which contains the recommendations for the tool RSECNOTE for the specified date. This means that all recommendations are selected. Note Assistant You can use the Note Assistant (transaction SNOTE) to implement the correction instructions. including the recommendations for the tools RTCCTOOL and RSECNOTE.SAP Note 888889 Automatic checks for security notes using RSECNOTE This section shows the security-relevant notes and HotNews that are required for the system and that are implemented successfully. You can also use the tool RSECNOTE to update the list manually (menu path: List -> Refresh from SAPNet). You can find additional information about the Note 17. During a check. however. Enter ND* as the table key. It does not check whether the gateway has also been safeguarded.com/securitynotes). Make sure that you have specified a table key.sap. see Note 863362. An overview of other security-relevant notes or HotNews is provided on the SAP Service Marketplace under the quick link /SECURITYNOTES (https://service. After the system is upgraded or Support Packages are imported. For further information on the SAP EarlyWatch Alert report.2011 Page 3 of 10 . to update the recommendations.03. EarlyWatch Alert report The SAP EarlyWatch Alert report also provides a summary of the results of the tool RSECNOTE. Use the transport files contained in it if you do not have any systems that have an online connection to SAPNet. Start the tool RTCCTOOL or RSECNOTE before you export the transport request. For Note 1298433 "Security note: Bypassing security in reginfo & secinfo". a note that was implemented earlier may no longer be listed.zip. a system loads the list automatically using the service connection to SAPNet once a day. To do this. A note or a HotNews is no longer required if your system release or Support Package level already contains the correction. Attached to this note is the file Transport_Files_<date>. Updating recommendations The quantity of checked notes or HotNews is managed online by SAP. then you can also use a transport to import the current recommendations from another system that has a connection to SAPNet. create a "Transport of Copies" and enter the object key R3TR TABU /SSF/PTAB.

03.SAP Note 888889 Automatic checks for security notes using RSECNOTE Assistant on SAP Service Marketplace under the quick link /NOTE-ASSISTANT (https://service.sap.2010 07:08:40 German Recommendations/additional info Advance development SV-SMG-SER SAP Support Services Valid Releases Software Component ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI Release BASIS_46B BASIS_46C BASIS_46D BASIS_610 BASIS_620 BASIS_640 R3_40B R3_45B R3_46B R3_46C R3_470 APO_30A APO_310 SCM_400 BBPCRM_30 0 From Release 01L_BCO46 B 01L_BCO46 C 01L_BCO46 D 01L_BCO61 0 01L_BCO62 0 01L_BCO64 0 01L_R3_40 B 01L_R3_45 B 01L_R3_46 B 01L_R3_46 C 01L_R3_47 0 01L_APO30 A 01L_APO31 0 01L_SCM40 0 01L_CRM30 0 To Release 01M_BCO46 B 01M_BCO46 C 01M_BCO46 D 01M_BCO61 0 01M_BCO62 0 01M_BCO64 0 01M_R3_40 B 01M_R3_45 B 01M_R3_46 B 01M_R3_46 C 01M_R3_47 0 01M_APO30 A 01M_APO31 0 01M_SCM40 0 01M_CRM30 0 and Subsequent 17. Header Data Release Status: Released on: Master Language: Priority: Category: Primary Component: Secondary Components: XX-INT-SR Security Response Released for Customer 03.com/note-assistant).2011 Page 4 of 10 .05.

Missing authorization check in Cash Management Missing Authorization Check Missing Authorization Check in SW-Delivery tools Update #1 to Security Note 1436936 Missing authorization check in WebReporting Update #1 for Note 587410: Missing Authorization Check SE37 Potential information disclosure by the message server Missing authorization check in CATT or eCATT Fixing directory traversal vulnerabilities Potential disclosure and modification of code and data Unauthorized call of operating system command RFC call cat_r2_tab_res without authorization Directory Traversal in ABAP-Debugger-Utilities Directory Traversal in Report RSDBGENA Missing Authorization Check in AP-PPE-SCM 17.2011 Page 5 of 10 .03. Missing Authorization Check in LO-MAP ALE: Missing authorization check in ALE monitoring tool Missing Authorization Check in Change logs component.SAP Note 888889 Automatic checks for security notes using RSECNOTE Software Component ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI ST-A/PI Release BBPCRM_31 5 BBPCRM_40 0 SCM_410 ECC_500 BASIS_700 ECC_600 SCM_570 BASIS_710 CRM_570 BASIS_720 From Release 01L_CRM31 5 01L_CRM40 0 01L_SCM41 0 01L_ECC50 0 01L_BCO70 0 01L_ECC60 0 01L_SCM57 0 01L_BCO71 0 01L_CRM57 0 01M_BCO72 0 To Release 01M_CRM31 5 01M_CRM40 0 01M_SCM41 0 01M_ECC50 0 01M_BCO70 0 01M_ECC60 0 01M_SCM57 0 01M_BCO71 0 01M_CRM57 0 01M_BCO72 0 and Subsequent Related Notes Number 1561545 1549999 1547271 1538382 1537753 1536491 1536091 1533470 1531669 1530392 1528863 1528822 1525695 1525328 1523808 1521786 1520781 1520462 1520043 1518682 1514385 1513952 Short Text Update #2 to Security Note 1531669 Missing authorization check in the workflow analysis Missing authorization check in RFC with call transaction Potential modification of persisted data in Business Config.

Directory traversal in CRM_EDR_UPLOAD_DATA/-DOWNLOAD_DATA Unauthorized change of displayed contents in IUBOTRCP Unauthorized change of displayed contents in CRM_ITIC Unauthorized change to data displayed in BPS planning Potential disclosure and modification of persisted data Hard-coded credentials in RFBYPASS Program generator performance RE-FX Potential disclosure and modification of persisted data Missing authority check in SAP_RSADMIN_MAINTAIN EC-PCA: Using FM ZPCA_UPLOAD to load any source code Potential disclosure of DB data in CL_BBP_PERSIST_EVENT_CONT Unauthorized modification of displayed content in ROS Executing any source code in CO-PC reporting FPE2M: Missing Authorization Check Unauthorized modification of stored content in signature BSP 17..SAP Note 888889 Automatic checks for security notes using RSECNOTE Number 1512134 1511436 1511107 1510704 1507903 1504090 1504016 1503375 1502781 1499051 1498913 1497622 1497104 1496092 1495570 1494046 1493911 1493634 1493516 1493101 1492434 1490437 1488159 1488057 1487330 1487212 1486918 1484930 1484918 1484743 1484712 1484711 1484709 1482118 1481802 1481405 1481254 1480653 1479762 1479310 1478978 1478860 1478756 1478420 1475481 Short Text Unauthorized modification of displayed content in ITS Code injection vulnerability in Relationship and Reliability Executing freely determined code using transaction SE37 Missing Authorization Check in AFX Workbench report Filtering user input when working with MEQUI index table Code injection vulnerability in SCM-APO-PPS Directory Traversal in BC-DOC-DTL ED: Code injection vulnerability in functionality 'Other' Unauthorized modification of displayed content in BSP DBACockpit: Weak authorization checks in SQL Command Editor PFO : Authority check for business object EC-EIS: Loading any source code using FM KXXC_DOWNLOAD Protect access to PSE files by additional AUTHORITY-CHECK Unauthorized read-access to database Security: Execution of any source code Code injection vulnerability in time rule programm Missing Authorization Check in SW-Delivery tools Transaction calls from reporting Correcting buffer overflow in ABAP system call Code injection vulnerability in FERCC001 Executing arbitrary code using report RIWP_VIEW_GENERATE Corrections for ST-PI SUIM RSUSR003 incorrect results for CODVN = 'F' Potential disclosure & modif of persisted data in IS-DFS-BIT Potential remote code execution in SAP Kernel Potential modification or disclosure ofpersisted data PLM-RM Code Injection vulnerability in CRM-ACP-APL Saved data may be disclosed and changed Potential modification of data in IPC Database Interface Hard-coded logon information in CL_CRM_ISU_ORDE..03.2011 Page 6 of 10 .

Hard-coded credentials in Class /FRE/FU_CL_TS_SERVICES Missing authorization check in RFC module Authorization check for transaction calls in program Unsuitable authorization check in transaction SE24 The program contains Hardcoded username Potential modification of persisted data Potential information disclosure relating to WebDynpro ABAP Code injection vulnerability in ECC and SAP R/3 Potential information disclosure relating to ECC and SAP R/3 Potential information disclosure relating to ECC and SAP R/3 Potential information disclosure relating to ECC and SAP R/3 WebReporting: Unauthorized modification of displayed content Missing authorization check in module of upgrade Code injection vulnerability in ECC PT PSM-FM Add-On Logging of configuration changes not enabled Unauthorized modification of displayed content in BSP Code injection vulnerability in ECC and SAP R/3 Function module for reading batch input files CRM Pharma: Log data changes in tables Cross Site Scripting in BSP Cross Site Scripting in BSP Activate configuration logging for DAM tables CTC: Table White Lists and Authorization Checks Program can be used by specific users WDA: Application configurations Security fix for event determination program Potential disclosure of authentication information Information obtainable about Web Dynpro ABAP applications Logon data can be discovered: XSS Authorization check incomplete in XI/PI administration Load balancer reveals backend server information Disable S_TCC_* functions for heightened security 17.modification of persisted data in BRF+.SAP Note 888889 Automatic checks for security notes using RSECNOTE Number 1474853 1473520 1472807 1472395 1470854 1470094 1469982 1469845 1469707 1469549 1466156 1465138 1463392 1463037 1462417 1462348 1460043 1458820 1456569 1453938 1453655 1453605 1453604 1453541 1453457 1453164 1452661 1451581 1450270 1450128 1449574 1449516 1447671 1447622 1446869 1446276 1445407 1443973 1443934 1442580 1442498 1441953 1441945 1440345 1439983 Short Text BCE: Secure Business Content Environment Missing authorization check in coinsurance reporting Hard-coded credentials in BRF Unauthorized change of stored contents (agency collections) Security fix for tools for the Analysis Cockpit Authorization check in report H99_B2AFILE missing Code injection vulnerability in ECC and SAP R/3 Missing authorization check in RMA Saved data may be disclosed and changed RFC: Work processes terminate in the XML parser Missing Authorization Check in a BTE application Change mode in SAT / SE30 "Tips & Tricks" Potential disclosure.2011 Page 7 of 10 .03.

03.SAP Note 888889 Automatic checks for security notes using RSECNOTE Number 1437237 1437224 1436936 1435655 1431790 1431615 1430970 1429954 1429301 1429198 1428998 1428526 1428034 1427914 1427010 1427009 1427008 1426388 1425215 1425123 1425122 1424714 1423936 1423413 1423059 1422737 1422572 1421432 1421005 1420623 1420281 1419261 1418848 1418032 1418031 1417696 1417568 1415665 1415547 1415148 1414444 1414256 1414112 1414089 1414059 Short Text Explicitly coded user names in Web Dynpro RMA: Security standard is not implemented Unauthorized changes can be made to Web Dynpro ABAP session Number of cryptographic bits increased in sap-contextid Security fixes for SRM Legal Contract Authoring Duet applica User-defined message search: Authorization for test Unauthorized executing of functions in Web Dynpro ABAP Hardcoded usernames in SCC Missing authority check in APO transaction Missing authorization check in RSUDO for "Execute as" Missing authority check in Demand Planning transaction Hardcoded usernames in APO CLP: Missing Authorization Checks Security Note : Leftover Debug Code Unauthorized access to source-of-supply determination prgram Unauthorized access to view procurement document Authorization check for SRM Analysis Cockpit Tool Security fixes for SRM DUET PUMA scenario Security Note Missing Authority Check for Call Transaction Missing authority check in BOP Security Note: Generic Table Access Missing Authorization Check in TA /SAPAPO/AMON2 Missing authority check in Supply Chain Cockpit/Engineer Authorization check for FI-CA transactions FP03F/FP03L/FP03H Security Fixes for SRM Analysis Cockpit Tool Directory traversal vulnerability with statistic traces Unauthorized change of displayed contents Security problems due to dynamic SQL Secure configuration of the message server MOpz: Potential information disclosure relating to passwords CO-OM tools: SE16N: Deactivating &SAP_EDIT Error during Credit card Encryption not propagated in TR BP. of displayed content in MIC start page Unauthorized change of contents in CERTREQ and CERTMAP SQL injection in Solution Documentation Assistant Security corrections ST-SER 2008.2011 Page 8 of 10 .2 Missing Input Validation in Business-Explorer sapstartsrv unstable Changing TMSADM password is too complex Security: Buffer overflow Potential disclosure of authentication information in XI Missing authorization check in a BW report 17. Authorization check for S_RFC_ADM in RSRFCPIN and RSRFCCHK Potential Security Issues in SAP Solution Manager Potential Security Issues in SAP Solution Manager Unauthorized modif.

SAP Note 888889 Automatic checks for security notes using RSECNOTE Number 1411818 1411701 1411659 1410798 1409234 1409141 1407896 1407841 1406435 1392352 1388864 1387576 1387574 1375125 1363631 1363371 1362972 1361038 1357370 1355614 1342183 1340457 1339620 1339326 1336947 1335926 1335103 1334396 1334244 1333668 1330776 1329090 1327917 1315883 1310174 1306604 1304803 1302928 1298433 1298160 1294675 1294431 1292875 1287570 1284360 Short Text Handling Authorization concerns due to Note1030838 & 1381945 Generic ABAP function calls Security fixes for SRM SUS. Vendor Evaluation. Security Checks: Model Mix Planning Security note: Files transferrable to EPS inbox w/o auth. Security Note: Deactivate parameter sap-wd-ssrConsole Authorizatn check for transactions FPSEC1/FPSEC2/FPSEC3 RSUSR003: Standard passwords for hash code versions H and I Authority check missing /SAPAPO/MC62 authorization for creating CVCs Security note: Changing a transport without authorization Field Level Authorizations Not Being Checked in CASE Bypassing security in reginfo & secinfo Security note: Forbidden program execution possible Location: Authorization Check for Planning Version Anchor links are generated with unwanted HTTP href address Security note:Cross Site Scripting (XSS) in cFolders BBP_QUOT: Cross-Site Scripting ( XSS ) Security Note: Cross Site Scripting (XSS) in cFolders 17. Arbitrary Value Processing Missing authorization check in FM PRGN_INTERFACE_USER Security note: Cross-site scripting ABAP web services authorization check does not work CO-OM tools: SE16N: Authorization checks in view maintenance Possible SQL injection in Persistence Service Report BEFG_TEMPLATE_CREATE must not be used in production BADI BUPA_F4_AUGRP does not filter BP's in search FS-CD: Missing authorization checks SAPRGEN_CD Industry Solution Migration Workbench: Authorization check Report RJ-JXINI generates unnecessary source code No authorization check for editor IS-M/ PMD: Obsolete source code in master data generator Security information: Transaction FIAAHELP Security Note: Encoding fix for technical hidden fields Security note:Cross Site Scripting (XSS) in cFolders F&R: Remove hardcoded user name branches in code (security) Security correction: Username hard coded Some Fields are susceptible to Cross-site scripting Security correction: removal of hardcoded user names Security Checks: Removal of hardcoded user names Some Fields are susceptible to Cross-site scripting. SRM ROS Missing logging in transactn for totals document correction Security:Actions can be executed/transactions can be started Missing authority check in Data Consistency Framework Missing authority check in Checktool within ECC Dynamic Report Generation.2011 Page 9 of 10 .03.

2011 Page 10 of 10 .03. 01L_S ST-A/PI C GSBK900259 18. Security Note:RSDB2CMD switched to RSBDCOS0 P18:Security Note:RSSM_EXEC_COMMAND converted to RSBDCOS0 Security: External theme root not html escaped Security Note: Passwords in SLD ABAP API Security note: Security problem with FileDownload Cache settings incorrect for WebDynpro ABAP Missing authorization check for hidden functions SOBJ: Display of object directory permits changes Security note: ICF system login Security note: Security gap in Data Browser (SE16) Security note: Missing authorization check for Web services CO-OM Tools: SE16N: Adapting to SE16 Security Note: Check for 'System -> Status' (SE80) Gateway: Bypassing monitor commands Security note: Hijacking/sys. A Postprocessing.05.2009 CM570 13:18:23 B Preprocessing.05. Help Center user name in the URL Prevent "Webadmin" task from system admin Cross Site Scripting:PCUI Stored JavaScript Vulnerability Security Note: Missing SYSLOG entries for ABAP Debugging Missing authority check in APO transaction. M Undefined Work 17.SAP Note 888889 Automatic checks for security notes using RSECNOTE Number 1275278 1271688 1267878 1265043 1262016 1261319 1259881 1259414 1243004 1235367 1232490 1229303 1224599 1170353 1168813 1167258 1161689 1159009 1158063 1151557 1146690 1145873 1143177 1142067 1136823 1136770 1133739 1120760 1115699 1085326 1072946 1060643 1058531 1022102 957038 Short Text Security: HTML Encoding missing over the inputField tooltip Security: Authorization check for technical help Cross-site scripting error in BBP_POC S_TCODE Authority check on T000 by SM30 Missing authority check in APO transaction. Authorization check SE80 for where-used list Security note: Security gap in ACO_BSP_ADMIN WDP: Performance problems or increase in handle consumption Security update: SAP Web Dispatcher Security note: Program DISPLAY_FUNC_INCLUDE Security note: Program RS_REPAIR_SOURCE Security note: aco_bsp_admin: Start only with ICF auth.2009 CM570 13:20:42 01L_S ST-A/PI C GSBK900261 18. login: New login after refresh BBPSC: Cross-site scripting error Executing JavaScripts in logon data Security gap in cross-site scripting Correction Instructions Correcti on Instruct ions 768388 Valid from Valid to Software Component Typ e *) Reference Correction Last Changed 01L_A PO30A 769761 01L_B CO620 *) C Correction.

You're Reading a Free Preview

Download
scribd
/*********** DO NOT ALTER ANYTHING BELOW THIS LINE ! ************/ var s_code=s.t();if(s_code)document.write(s_code)//-->