• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1487606

Главная Специалистам База уязвимостей Не установлено обновление Note 1487606

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1487606-2)
Описание
If the services "/sap/bc/IDoc_XML" (as of Release 6.20) or  "/sap/bc/srt/IDoc" (as of Release 6.40) are activated in transaction  SICF, you can send IDocs to the SAP system and process them if the user that you use has the relevant authorizations.

This may lead to a security risk for ABAP systems in internet or  intranet scenarios (also see the standard passwords in Note 40689).
Как исправить
Check whether these services in your landscape are used for particular software solutions. If not, deactivate the services "/sap/bc/IDoc_XML" (as of Release 6.20) or "/sap/bc/srt/IDoc" (as of Release 6.40) in transaction SICF.

If the use of this service is not known, you can find this out by analyzing the ICMan server log, for example. When ICMan logging is activated, you will find the server log entries in transaction "SMICM" -> "Goto" -> "HTTP Log". The documentation of the ICMan server log is on the SAP Help Portal, for example, for Release 620 at:
In German: "http://help.sap.com/saphelp_webas620/helpdata/de/73/b5f99d019f11d5991400508b6b8b11/content.htm".
In English: "http://help.sap.com/saphelp_webas620/helpdata/en/73/b5f99d019f11d5991400508b6b8b11/content.htm".

If the services "/sap/bc/IDoc_XML" or "/sap/bc/srt/IDoc" are used in your landscape for software solutions, check whether the authorizations that have been defined for the user that is used in the solution are restrictive enough.

To enable IDocs to be created at all, the system checks the authorization object B_ALE_RECV with the authorization field EDI_MES for the message type. Assign only messages that you want to receive via HTTP/SOAP. For more information about HTTP IDoc inbound processing, see Note 1487928.

You can suppress continued processing by ensuring that no partner profiles exist or by selecting "Processing in background" mode (in transaction WE20) for the existing partner profiles. In this case, an internal user performs processing.

Actual processing of the IDoc data takes place in the application function modules assigned to the message types. Here, additional application-specific authorization checks may take place.

As of Web Application Server 640 (that is, SAP NetWeaver 2004), use the Web Service Framework. For more information about migration, see "http://service.sap.com/connectors" -> "SOAP Processor" -> "Media Library" -> PDF document "SOAP Migration Guide 6.20 to 6.40". Among other things, the migration enables a dedicated activation or deactivation for each Web Service entry in the "SICF" transaction under "/sap/bc/srt".
Ссылки