• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1531958

Главная Специалистам База уязвимостей Не установлено обновление Note 1531958

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1531958-4) SAP Support Packages (SAPKNA7023, SAPKU40018)
Описание
The problem is caused by an SQL injection vulnerability. The code  composes an SQL statement including strings that can be altered by a  malicious user. The manipulated SQL statement can then be used to retrieve additional data from the database.
Как исправить
1. Apply the attached correction instruction. Please note that this fix need to be applied to all the systems where software component SAP_AP 700 release is present irrespective of whether you are using AP IPC in your business processes or not.
2. For BBPCRM software component follow the manual implementation steps only. Since the fix contains authorization object in SAP namespace, correction are delivered using transport ZIP file. So there is no need to apply the given BBPCRM relevant correction instruction using SNOTE. But please make sure that after installing ZIP file as mentioned in the manual implementation step, relevant objects have got changed as given in the correction instruction.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component BBPCRM BBP / CRM |
| Release 400 Until SAPKU40017 |
------------------------------------------------------------------------

Install the attached ZIP file. This contains the authorization object IPC_DB_RFC and all the related structures. Follow Notes 480180 and 13719 for the installation.


------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component BBPCRM BBP / CRM |
| Release 400 Until SAPKU40017 |
------------------------------------------------------------------------

If you are using IPC 4.0 in your scenario make sure that you have created appropriate user role and profile using transaction PFCG. Then add the new authorization object IPC_DB_RFC to that and set value 16 for activity. This role and profile should be assigned to the IPC DB user which you have set in IPC Server using the IPC Administrator tool for the backend system database access. For other users this new role shouldn't be assigned. In addition, user which you have set in IPC Administrator must have authorization to display (authorization object S_TABU_DIS with field ACTVT = 3) the relevant pricing customizing and master data tables. Because price relevant attributes vary, SAP cannot list a full list of values. You should, therefore, either grant full display authorizations in S_TABU_DIS or perform an authorization trace to determine the necessary values.
Ссылки