• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1394100

Главная Специалистам База уязвимостей Не установлено обновление Note 1394100

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1394100-3)
Описание
If the service "/sap/bc/soap/rfc" is activated in transaction "SICF", it  is possible to access remote-enabled function modules in the ABAP system  if the user has the relevant authorizations (see Note 93254).

This may lead to a security risk for ABAP systems in internet or  intranet scenarios (also see the standard passwords in Note 40689).

Also refer to Note 626073.
Как исправить
Check whether the service in your landscape is used for particular software solutions. If not, the following applies:
For releases higher than 610: Deactivate the service "/sap/bc/soap/rfc" in transaction SICF.
For Release 610: In the "SAP Authorization" field on the "Service Data" tab page, maintain an authorization value for the service "/sap/bc/soap/rfc", to which no user in the system is assigned. For more information about this, refer to the input help of the field.
If the use of this service is not known, you can find this out by analyzing the ICMan server log, for example. When ICMan logging is activated, you will find the server log entries in transaction "SMICM" -> "Goto" -> "HTTP Log". The documentation of the ICMan server log is on the SAP Help Portal, for example, for Release 620 at:
In German: "http://help.sap.com/saphelp_webas620/helpdata/de/73/b5f99d019f11d5991400508b6b8b11/content.htm".
In English: "http://help.sap.com/saphelp_webas620/helpdata/en/73/b5f99d019f11d5991400508b6b8b11/content.htm".
If the service "/sap/bc/soap/rfc" is used in your landscape for software solutions, check whether the authorizations that have been defined for the user that is used in the solution are restrictive enough.

As of Web Application Server 640 (that is, SAP NetWeaver 2004), use the Web Service Framework. For more information about migration, see "http://service.sap.com/connectors" -> "SOAP Processor" -> "Media Library" -> PDF document "SOAP Migration Guide 6.20 to 6.40". Among other things, the migration enables a dedicated activation or deactivation for each Web Service entry in the "SICF" transaction under "/sap/bc/srt".
Ссылки