• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1502607

Главная Специалистам База уязвимостей Не установлено обновление Note 1502607

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1502607-3) SAP Support Packages (SAPK-70108INPIBASIS, SAPK-70207INPIBASIS, SAPK-71107INPIBASIS, SAPK-73002INPIBASIS, SAPKIPYJ5M, SAPKIPYJ6M, SAPKIPYJ7O, SAPKIPYK12, SAPKIPYL12, SAPKIPYM14, SAPKIPYN12, SAPKIPZI4J)
Описание
The problem is caused by an SQL injection vulnerability. The code  composes an SQL statement including strings that can be altered by a  malicious user. The manipulated SQL statement can then be used to retrieve data from the database.
Как исправить
Import the Support Package specified below.
If you want to implement the correction instructions, follow the manual steps.



------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI_BASIS Basis Plug-In |
| Release 2004_1_620 Until SAPKIPYI5A |
| Release 2004_1_640 Until SAPKIPYI6A |
| Release 2005_1_620 Until SAPKIPYJ5L |
| Release 2005_1_640 Until SAPKIPYJ6L |
| Release 2005_1_700 Until SAPKIPYJ7N |
| Release 2006_1_700 Until SAPKIPYM13 |
| Release 2006_1_620 Until SAPKIPYK11 |
| Release 2006_1_710 Until SAPKIPYN11 |
| Release 2006_1_640 Until SAPKIPYL11 |
| Release 701 Until SAPK-70107INPIBASIS |
| Release 702 Until SAPK-70206INPIBASIS |
| Release 711 Until SAPK-71106INPIBASIS |
| Release 720 All Support Package Levels |
| Release 730 Until SAPK-73001INPIBASIS |
------------------------------------------------------------------------

Create the authorization object according to Note 1499392 and assign the relevant authorizations.



------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_46C Until SAPKIPZI4I |
------------------------------------------------------------------------

Create the authorization object according to Note 1499392 and assign the relevant authorizations.


------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI_BASIS Basis Plug-In |
| Release 2004_1_620 Until SAPKIPYI5A |
| Release 2004_1_640 Until SAPKIPYI6A |
| Release 2005_1_620 Until SAPKIPYJ5L |
| Release 2005_1_640 Until SAPKIPYJ6L |
| Release 2005_1_700 Until SAPKIPYJ7N |
| Release 2006_1_700 Until SAPKIPYM13 |
| Release 2006_1_620 Until SAPKIPYK11 |
| Release 2006_1_710 Until SAPKIPYN11 |
| Release 2006_1_640 Until SAPKIPYL11 |
| Release 701 Until SAPK-70107INPIBASIS |
| Release 702 Until SAPK-70206INPIBASIS |
| Release 711 Until SAPK-71106INPIBASIS |
| Release 720 All Support Package Levels |
| Release 730 Until SAPK-73001INPIBASIS |
------------------------------------------------------------------------
1. In transaction SE91, create message 066 in the message class C_ with the following text: No authorization to select the data. See Note 1498111.
2. Call transaction SE11 and change the table CRMATAB.
"Delivery and Maintenance" tab page: Display/Maintenance Allowed with Restrictions.
3. Call transaction SE55 for the table CRMRFCPAR. From the menu, choose "Environment -> Modification -> Events" and create the event 25 with the form routine check_auth.
4. Follow the instructions from Note 1501685.
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_46C Until SAPKIPZI4I |
------------------------------------------------------------------------
1. In transaction SE91, create message 066 in the message class C_ with the following text: No authorization to select the data. See Note 1498111.
2. Call transaction SE11 and change the table CRMATAB.
3. "Delivery and Maintenance" tab page: Display/Maintenance Allowed with Restrictions.
4. Call transaction SE55 for the table CRMRFCPAR. From the menu, choose "Environment -> Modification -> Events" and create the event 25 with the form routine check_auth.
5. Follow the instructions from Note 1501685.
Ссылки