Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1497003-16)
SAP Support Packages
(ACF_712_SP000_000035, ACF_712_SP999999_999999, R/3_KERNEL_31I_EXT_32_BIT_SP786_000786, R/3_KERNEL_31I_EXT_32_BIT_SP999999_999999, R/3_KERNEL_31I_EXT_64_BIT_SP786_000786, R/3_KERNEL_31I_EXT_64_BIT_SP999999_999999, SAP_GUI_FOR_WINDOWS_710_CORE_SP002_000002, SAP_GUI_FOR_WINDOWS_710_CORE_SP999999_999999, SAP_ITS_620_SP040_000040, SAP_ITS_620_SP999999_999999, SAP_KERNEL_40B_EXT_32_BIT_SP1076_001076, SAP_KERNEL_40B_EXT_32_BIT_SP999999_999999, SAP_KERNEL_40B_EXT_64_BIT_SP1076_001076, SAP_KERNEL_40B_EXT_64_BIT_SP999999_999999, SAP_KERNEL_45B_EXT_32_BIT_SP1007_001007, SAP_KERNEL_45B_EXT_32_BIT_SP999999_999999, SAP_KERNEL_45B_EXT_64_BIT_SP1007_001007, SAP_KERNEL_45B_EXT_64_BIT_SP999999_999999, SAP_KERNEL_46D_EX2_32_BIT_SP2551_002551, SAP_KERNEL_46D_EX2_32_BIT_SP999999_999999, SAP_KERNEL_46D_EX2_64_BIT_SP2551_002551, SAP_KERNEL_46D_EX2_64_BIT_SP999999_999999, SAP_KERNEL_46D_EXT_32_BIT_SP2551_002551, SAP_KERNEL_46D_EXT_32_BIT_SP999999_999999, SAP_KERNEL_46D_EXT_64_BIT_SP2551_002551, SAP_KERNEL_46D_EXT_64_BIT_SP999999_999999, SAP_KERNEL_640_32_BIT_SP353_000353, SAP_KERNEL_640_32_BIT_SP999999_999999, SAP_KERNEL_640_32_BIT_UNICODE_SP353_000353, SAP_KERNEL_640_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_64_BIT_SP353_000353, SAP_KERNEL_640_64_BIT_SP999999_999999, SAP_KERNEL_640_64_BIT_UNICODE_SP353_000353, SAP_KERNEL_640_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_SP353_000353, SAP_KERNEL_640_EX2_32_BIT_SP999999_999999, SAP_KERNEL_640_EX2_32_BIT_UC_SP353_000353, SAP_KERNEL_640_EX2_32_BIT_UC_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_SP353_000353, SAP_KERNEL_640_EX2_64_BIT_SP999999_999999, SAP_KERNEL_640_EX2_64_BIT_UC_SP353_000353, SAP_KERNEL_640_EX2_64_BIT_UC_SP999999_999999, SAP_KERNEL_700_32_BIT_SP278_000278, SAP_KERNEL_700_32_BIT_SP999999_999999, SAP_KERNEL_700_32_BIT_UNICODE_SP278_000278, SAP_KERNEL_700_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_700_64_BIT_SP278_000278, SAP_KERNEL_700_64_BIT_SP999999_999999, SAP_KERNEL_700_64_BIT_UNICODE_SP278_000278, SAP_KERNEL_700_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_32_BIT_SP118_000118, SAP_KERNEL_701_32_BIT_SP999999_999999, SAP_KERNEL_701_32_BIT_UNICODE_SP118_000118, SAP_KERNEL_701_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_701_64_BIT_SP118_000118, SAP_KERNEL_701_64_BIT_SP999999_999999, SAP_KERNEL_701_64_BIT_UNICODE_SP118_000118, SAP_KERNEL_701_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_32_BIT_SP224_000224, SAP_KERNEL_710_32_BIT_SP999999_999999, SAP_KERNEL_710_32_BIT_UNICODE_SP224_000224, SAP_KERNEL_710_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_710_64_BIT_SP224_000224, SAP_KERNEL_710_64_BIT_SP999999_999999, SAP_KERNEL_710_64_BIT_UNICODE_SP224_000224, SAP_KERNEL_710_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_32_BIT_SP110_000110, SAP_KERNEL_711_32_BIT_SP999999_999999, SAP_KERNEL_711_32_BIT_UNICODE_SP110_000110, SAP_KERNEL_711_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_711_64_BIT_SP110_000110, SAP_KERNEL_711_64_BIT_SP999999_999999, SAP_KERNEL_711_64_BIT_UNICODE_SP110_000110, SAP_KERNEL_711_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_32_BIT_SP068_000068, SAP_KERNEL_720_32_BIT_SP999999_999999, SAP_KERNEL_720_32_BIT_UNICODE_SP068_000068, SAP_KERNEL_720_32_BIT_UNICODE_SP999999_999999, SAP_KERNEL_720_64_BIT_SP068_000068, SAP_KERNEL_720_64_BIT_SP999999_999999, SAP_KERNEL_720_64_BIT_UNICODE_SP068_000068, SAP_KERNEL_720_64_BIT_UNICODE_SP999999_999999, SAP_KERNEL_72L_64_BIT_UNICODE_SP023_000023, SAP_KERNEL_72L_64_BIT_UNICODE_SP999999_999999, SAPKB46B62, SAPKB46C62, SAPKB46C63, SAPKB62070, SAPKB62071, SAPKB64027, SAPKB64028, SAPKB64029, SAPKB70023, SAPKB70024, SAPKB70026, SAPKB70108, SAPKB70109, SAPKB70111, SAPKB70205, SAPKB70206, SAPKB70207, SAPKB70209, SAPKB70210, SAPKB71012, SAPKB71013, SAPKB71014, SAPKB71107, SAPKB71108, SAPKB71109, SAPKB72004, SAPKB72005, SAPKB72006, SAPKB72007, SAPKB73001, SAPKB73002, SAPKB73004, SAPKB73005, SAPKB73007, SAPKH31IB9, SAPKH40B89, SAPKH45B67)
Описание
Some SAP applications contain vulnerabilities through which a malicious user can potentially read or write arbitrary files on the application server, possibly disclosing confidential information or corrupting data or altering system behavior. The problem is typically caused by user interfaces that allow input of a physical file name, or selection of an arbitrary logical file name.
Как исправить
In order to address this issue without disrupting established processes, SAP introduces the following enhancements to the ABAP runtime (KERNEL and SAP_BASIS):
1. All file system paths are normalized before checks against authorization object S_DATASET or customizing table SPTH are performed. Normalization means, that:
a) Redundant '.'s are removed (e.g. a/./b => a/b).
b) Path components followed by '..' are removed (e.g. a/b/../c => a/c) - Note that for links this semantic is not identical to following .. on the real file system. SAP recommends not to use .. and in particular not the combination of .. and links.
c) If a platform supports different path separators, path separators are replaced by their default representation (Windows allows either '/' or '\', so a/b\c => a\b\c)
2. Comparison against paths in authorization checks will be case insensitive on Windows, as Windows doesn't distinguish letter case in file names.
3. Flags FS_NOREAD and FS_NOWRITE and checks against authorization object S_PATH are implemented as described in the Online Documentation, e.g. at
http://help.sap.com/saphelp_nw70/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for NetWeaver 7.0)
or
http://help.sap.com/saphelp_bw/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for BW)
4. A mechanism to validate physical file names against a logical file name, giving administrators the option to configure directories that are valid in the respective application context. For user interfaces that allow input of a logical file name, adminstrators can define a set of aliases of logical file names valid within that scenario. Please refer to the documentation on logical file names for more information on this indirection mechanism. The documentation is also attached to this note as a PDF file.
5. Please note that this mechanism does not ensure security unless you configure physical file names or aliases, thus enforcing validation. In order to suppport customers with that task, report RSFILENA has been enhanced in order to spot logical file names that are not configured to use the implemented validation mechanism.
The central mechanism is used in application code updated by the referenced notes. All of these notes describe changes to applications, where
a) Physical file names can entered without sufficient validation.
b) Logical file names can be selected without sufficient validation.
c) a) or b) in code or functionality that SAP considers obsolete and that is therefore removed or disabled as otherwise customers would have to configure obsolete validations as well.
1. All file system paths are normalized before checks against authorization object S_DATASET or customizing table SPTH are performed. Normalization means, that:
a) Redundant '.'s are removed (e.g. a/./b => a/b).
b) Path components followed by '..' are removed (e.g. a/b/../c => a/c) - Note that for links this semantic is not identical to following .. on the real file system. SAP recommends not to use .. and in particular not the combination of .. and links.
c) If a platform supports different path separators, path separators are replaced by their default representation (Windows allows either '/' or '\', so a/b\c => a\b\c)
2. Comparison against paths in authorization checks will be case insensitive on Windows, as Windows doesn't distinguish letter case in file names.
3. Flags FS_NOREAD and FS_NOWRITE and checks against authorization object S_PATH are implemented as described in the Online Documentation, e.g. at
http://help.sap.com/saphelp_nw70/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for NetWeaver 7.0)
or
http://help.sap.com/saphelp_bw/helpdata/en/fc/eb3d69358411d1829f0000e829fbfe/frameset.htm (for BW)
4. A mechanism to validate physical file names against a logical file name, giving administrators the option to configure directories that are valid in the respective application context. For user interfaces that allow input of a logical file name, adminstrators can define a set of aliases of logical file names valid within that scenario. Please refer to the documentation on logical file names for more information on this indirection mechanism. The documentation is also attached to this note as a PDF file.
5. Please note that this mechanism does not ensure security unless you configure physical file names or aliases, thus enforcing validation. In order to suppport customers with that task, report RSFILENA has been enhanced in order to spot logical file names that are not configured to use the implemented validation mechanism.
The central mechanism is used in application code updated by the referenced notes. All of these notes describe changes to applications, where
a) Physical file names can entered without sufficient validation.
b) Logical file names can be selected without sufficient validation.
c) a) or b) in code or functionality that SAP considers obsolete and that is therefore removed or disabled as otherwise customers would have to configure obsolete validations as well.
Ссылки