Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1298433-21)
SAP Support Packages
(SAP_KERNEL_46D_EXT_64_BIT_999999_999999, SAP_KERNEL_46D_EXT_64_BIT_SP2508_002508, SAP_KERNEL_46D_EXT_64_BIT_SP2523_002523, SAP_KERNEL_46D_EXT_64_BIT_SP2527_002527, SAP_KERNEL_46D_EXT_64_BIT_SP999999_999999, SAP_KERNEL_640_32_BIT_999999_999999, SAP_KERNEL_640_32_BIT_SP317_000317, SAP_KERNEL_640_32_BIT_SP999999_999999, SAP_KERNEL_640_32_BIT_UNICODE_999999_999999, SAP_KERNEL_640_32_BIT_UNICODE_SP317_000317, SAP_KERNEL_640_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_64_BIT_999999_999999, SAP_KERNEL_640_64_BIT_SP317_000317, SAP_KERNEL_640_64_BIT_SP999999_999999, SAP_KERNEL_640_64_BIT_UNICODE_999999_999999, SAP_KERNEL_640_64_BIT_UNICODE_SP317_000317, SAP_KERNEL_640_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_999999_999999, SAP_KERNEL_640_EX2_32_BIT_SP317_000317, SAP_KERNEL_640_EX2_32_BIT_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_UC_999999_999999, SAP_KERNEL_640_EX2_32_BIT_UC_SP317_000317, SAP_KERNEL_640_EX2_32_BIT_UC_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_999999_999999, SAP_KERNEL_640_EX2_64_BIT_SP317_000317, SAP_KERNEL_640_EX2_64_BIT_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_UC_999999_999999, SAP_KERNEL_640_EX2_64_BIT_UC_SP317_000317, SAP_KERNEL_640_EX2_64_BIT_UC_SP999999_999999, SAP_KERNEL_700_32_BIT_999999_999999, SAP_KERNEL_700_32_BIT_SP241_000241, SAP_KERNEL_700_32_BIT_SP253_000253, SAP_KERNEL_700_32_BIT_SP999999_999999, SAP_KERNEL_700_32_BIT_UNICODE_999999_999999, SAP_KERNEL_700_32_BIT_UNICODE_SP241_000241, SAP_KERNEL_700_32_BIT_UNICODE_SP253_000253, SAP_KERNEL_700_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_700_64_BIT_999999_999999, SAP_KERNEL_700_64_BIT_SP241_000241, SAP_KERNEL_700_64_BIT_SP253_000253, SAP_KERNEL_700_64_BIT_SP999999_999999, SAP_KERNEL_700_64_BIT_UNICODE_999999_999999, SAP_KERNEL_700_64_BIT_UNICODE_SP241_000241, SAP_KERNEL_700_64_BIT_UNICODE_SP253_000253, SAP_KERNEL_700_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_32_BIT_999999_999999, SAP_KERNEL_701_32_BIT_SP090_000090, SAP_KERNEL_701_32_BIT_SP171_000171, SAP_KERNEL_701_32_BIT_SP999999_999999, SAP_KERNEL_701_32_BIT_UNICODE_999999_999999, SAP_KERNEL_701_32_BIT_UNICODE_SP090_000090, SAP_KERNEL_701_32_BIT_UNICODE_SP171_000171, SAP_KERNEL_701_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_64_BIT_999999_999999, SAP_KERNEL_701_64_BIT_SP090_000090, SAP_KERNEL_701_64_BIT_SP171_000171, SAP_KERNEL_701_64_BIT_SP999999_999999, SAP_KERNEL_701_64_BIT_UNICODE_999999_999999, SAP_KERNEL_701_64_BIT_UNICODE_SP090_000090, SAP_KERNEL_701_64_BIT_UNICODE_SP171_000171, SAP_KERNEL_701_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_32_BIT_999999_999999, SAP_KERNEL_710_32_BIT_SP186_000186, SAP_KERNEL_710_32_BIT_SP999999_999999, SAP_KERNEL_710_32_BIT_UNICODE_999999_999999, SAP_KERNEL_710_32_BIT_UNICODE_SP186_000186, SAP_KERNEL_710_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_64_BIT_999999_999999, SAP_KERNEL_710_64_BIT_SP186_000186, SAP_KERNEL_710_64_BIT_SP999999_999999, SAP_KERNEL_710_64_BIT_UNICODE_999999_999999, SAP_KERNEL_710_64_BIT_UNICODE_SP186_000186, SAP_KERNEL_710_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_32_BIT_999999_999999, SAP_KERNEL_711_32_BIT_SP073_000073, SAP_KERNEL_711_32_BIT_SP999999_999999, SAP_KERNEL_711_32_BIT_UNICODE_999999_999999, SAP_KERNEL_711_32_BIT_UNICODE_SP073_000073, SAP_KERNEL_711_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_64_BIT_999999_999999, SAP_KERNEL_711_64_BIT_SP073_000073, SAP_KERNEL_711_64_BIT_SP999999_999999, SAP_KERNEL_711_64_BIT_UNICODE_999999_999999, SAP_KERNEL_711_64_BIT_UNICODE_SP073_000073, SAP_KERNEL_711_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_32_BIT_999999_999999, SAP_KERNEL_720_32_BIT_SP034_000034, SAP_KERNEL_720_32_BIT_SP999999_999999, SAP_KERNEL_720_32_BIT_UNICODE_999999_999999, SAP_KERNEL_720_32_BIT_UNICODE_SP034_000034, SAP_KERNEL_720_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_64_BIT_999999_999999, SAP_KERNEL_720_64_BIT_SP034_000034, SAP_KERNEL_720_64_BIT_SP999999_999999, SAP_KERNEL_720_64_BIT_UNICODE_999999_999999, SAP_KERNEL_720_64_BIT_UNICODE_SP034_000034, SAP_KERNEL_720_64_BIT_UNICODE_SP999999_999999)
Описание
This problem is caused by a program error in the kernel. For security reasons, we will not provide any further details about the error.
Enhancement:
This affects all kernel releases.
We adjusted the behavior of the gateway in the first workaround. As a result, however, certain programs could no longer register themselves after you implemented the corrections. These were precisely those programs that connected via a SAProuter. In more general terms, they were the programs that connected via a proxy. Therefore, the kernel correction is activated only when you set an instance profile parameter in a second step (see solution) to ensure that live operation is not impeded after you apply the kernel.
Enhancement:
This affects all kernel releases.
We adjusted the behavior of the gateway in the first workaround. As a result, however, certain programs could no longer register themselves after you implemented the corrections. These were precisely those programs that connected via a SAProuter. In more general terms, they were the programs that connected via a proxy. Therefore, the kernel correction is activated only when you set an instance profile parameter in a second step (see solution) to ensure that live operation is not impeded after you apply the kernel.
Как исправить
Workaround:
If you cannot implement a correction as described below, you can protect your system with a firewall so that only trustworthy hosts are allowed to connect to the SAP gateway and the gateway is allowed to connect to trustworthy hosts only.
Programs that set up a connection with the gateway from a remote host must use a connection that is secured via Secure Network Communication (SNC) to prevent the data stream from being manipulated. You can use the following solutions for this:
You can use a connection between two SAProuters that is secured via SNC and covers the Wide Area Network (WAN) part of the connection.
You can use a virtual private network (VPN) tunnel that covers the WAN part of the connection.
Error correction:
Apply the highest kernel patch that is relevant for your kernel release, which can be found in the "SP Patch Level" section. You must also set the parameter
gw/reg_no_conn_info
to activate the increased security. (Caution: By setting the parameter, you can also make other security-relevant settings, see Note 1444282.)
The following patch levels are required for Kernel Releases 31I-45B:
31I: 784
40B: 1073
45B: 1004
For information about downloading Kernel Releases 31I-45B, see Note 52505 "Support after end of mainstream/extended maintenance".
If you cannot implement a correction as described below, you can protect your system with a firewall so that only trustworthy hosts are allowed to connect to the SAP gateway and the gateway is allowed to connect to trustworthy hosts only.
Programs that set up a connection with the gateway from a remote host must use a connection that is secured via Secure Network Communication (SNC) to prevent the data stream from being manipulated. You can use the following solutions for this:
You can use a connection between two SAProuters that is secured via SNC and covers the Wide Area Network (WAN) part of the connection.
You can use a virtual private network (VPN) tunnel that covers the WAN part of the connection.
Error correction:
Apply the highest kernel patch that is relevant for your kernel release, which can be found in the "SP Patch Level" section. You must also set the parameter
gw/reg_no_conn_info
to activate the increased security. (Caution: By setting the parameter, you can also make other security-relevant settings, see Note 1444282.)
The following patch levels are required for Kernel Releases 31I-45B:
31I: 784
40B: 1073
45B: 1004
For information about downloading Kernel Releases 31I-45B, see Note 52505 "Support after end of mainstream/extended maintenance".
Ссылки