Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1475075-8)
SAP Support Packages
(SAPKITL435)
Описание
This problem is caused by an SQL injection week spot. In the source code, an SQL statement is assembled from strings. An attacker can obtain control of the contents of a substring. The resulting total statement can be manipulated and therefore all SQL commands can be executed with the rights of the database user who is logged on.
Как исправить
This enhancement is integrated automatically as of SAP Solution Manager 7.01 Support Package 25.
For Support Packages lower than Support Package 25, proceed as follows:
1. Create the SECURITY log object
First use transaction SLG0 (for maintaining log objects), to create a subobject SECURITY with the subobject text "Log for SMSY Security Handling" for the object SMSY_LOG_OBJ.
2. Extend the SMSY options
2.1 Extend the SMSY_OPTION domain
Call transaction SE11 "ABAP Dictionary". Select "Domain" and enter SMSY_OPTION. Choose "Change". Go to the "Value Range" tab page and enter the following new option values at the end of the table:
Fix.Val. Short Descript.
SCUEXC_DIS Deactivation of the security check exception
SCULOG_ENA Activation of the security check log
Save and activate your changes.
2.2 Include the new domain values in SMSY_OPTIONS
Call transaction SM30 "Maintain Table Views: Initial Screen". Enter SMSY_OPTIONS in the "Table/View" field and choose "Maintain". Choose "New Entries".
Make sure that the horizontal scrollbar of the table is completely to the left and that you can see the first two columns of the table.
Fill the two new rows with the corresponding values as follows:
Column 1: Select the value SMSY_OPTIONS (Deactivation of the security check exception) using the input help.
Column 2: Manually enter the description "Deactivation of the security check exception".
Column 3: <Leave empty>
Column 4 and 5: Select the checkboxes.
Column 1: Select the value SCULOG_ENA (Activation of the security check log) using the input help.
Column 2: Manually enter the description "Activation of the security check log".
Column 3: Enter the value "X" here.
Column 4 and 5: Select the checkboxes.
Save the options that you have added.
2.3 Additional procedure and explanations of the security enhancements
Implement the attached correction instructions.
After you implement the corrections, the security checks in the SMSY landscape are active immediately and processing terminates if there is a security vulnerability. In addition, an application log is updated if there is a security vulnerability. You can use transaction SLG1 (Analyze Application Log) to display this log using the following object that was created previously:
Object: SMSY_LOG_OBJ - Log Object of System Landscape
Subobject: SECURITY - Log for SMSY Security Handling
Deactivating the log update
You can deactivate the log update by accessing the SMSY by following the menu options "Goto -> Setup System Landscape Maintenance -> Edit Menu -> Expert Settings" to set the value of the option for activating the security check log from "X" to empty.
Deactivating the security checks
You can deactivate the security checks by accessing the SMSY by following the menu options "Goto -> Setup System Landscape Maintenance -> Edit Menu -> Expert Settings" to set the value of the option for deactivating the security check exceptions from empty to "X".
Note that when you do this, security checks are no longer carried out and an attacker will be able to access and change saved data in the Solution Manager (transaction SMSY).
For Support Packages lower than Support Package 25, proceed as follows:
1. Create the SECURITY log object
First use transaction SLG0 (for maintaining log objects), to create a subobject SECURITY with the subobject text "Log for SMSY Security Handling" for the object SMSY_LOG_OBJ.
2. Extend the SMSY options
2.1 Extend the SMSY_OPTION domain
Call transaction SE11 "ABAP Dictionary". Select "Domain" and enter SMSY_OPTION. Choose "Change". Go to the "Value Range" tab page and enter the following new option values at the end of the table:
Fix.Val. Short Descript.
SCUEXC_DIS Deactivation of the security check exception
SCULOG_ENA Activation of the security check log
Save and activate your changes.
2.2 Include the new domain values in SMSY_OPTIONS
Call transaction SM30 "Maintain Table Views: Initial Screen". Enter SMSY_OPTIONS in the "Table/View" field and choose "Maintain". Choose "New Entries".
Make sure that the horizontal scrollbar of the table is completely to the left and that you can see the first two columns of the table.
Fill the two new rows with the corresponding values as follows:
Column 1: Select the value SMSY_OPTIONS (Deactivation of the security check exception) using the input help.
Column 2: Manually enter the description "Deactivation of the security check exception".
Column 3: <Leave empty>
Column 4 and 5: Select the checkboxes.
Column 1: Select the value SCULOG_ENA (Activation of the security check log) using the input help.
Column 2: Manually enter the description "Activation of the security check log".
Column 3: Enter the value "X" here.
Column 4 and 5: Select the checkboxes.
Save the options that you have added.
2.3 Additional procedure and explanations of the security enhancements
Implement the attached correction instructions.
After you implement the corrections, the security checks in the SMSY landscape are active immediately and processing terminates if there is a security vulnerability. In addition, an application log is updated if there is a security vulnerability. You can use transaction SLG1 (Analyze Application Log) to display this log using the following object that was created previously:
Object: SMSY_LOG_OBJ - Log Object of System Landscape
Subobject: SECURITY - Log for SMSY Security Handling
Deactivating the log update
You can deactivate the log update by accessing the SMSY by following the menu options "Goto -> Setup System Landscape Maintenance -> Edit Menu -> Expert Settings" to set the value of the option for activating the security check log from "X" to empty.
Deactivating the security checks
You can deactivate the security checks by accessing the SMSY by following the menu options "Goto -> Setup System Landscape Maintenance -> Edit Menu -> Expert Settings" to set the value of the option for deactivating the security check exceptions from empty to "X".
Note that when you do this, security checks are no longer carried out and an attacker will be able to access and change saved data in the Solution Manager (transaction SMSY).
Ссылки