Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1532497-3)
SAP Support Packages
(SAPKH60019, SAPKH60209, SAPKH60308, SAPKH60409, SAPKH60504, SAPKIPZI4J, SAPKIPZI5J, SAPKIPZI6L)
Описание
The problem is caused by an SQL injection vulnerability. The code composes an SQL statement including strings that can be altered by a malicious user. The manipulated SQL statement can then be used to retrieve additional data from the database.
Как исправить
1. We recommend to apply this fix in all the listed ERP or R/3 releases even if you are not using CRM Plug-in in your scenario.
2. For software component PI releases 2004_1_46C, 2004_1_470 and 2004_1_500 follow the manual implementation steps only. Since the fix contains authorization object in SAP namespace, correction are delivered using transport ZIP file. So there is no need to apply the given relevant correction instruction using SNOTE for the above mentioned PI releases. But please make sure that after installing ZIP file as mentioned in the manual implementation step, relevant objects have got changed as given in the correction instruction.
3. For other ERP releases please apply given relevant correction instructions using SNOTE.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_470 Until SAPKIPZI5I |
| Release 2004_1_46C Until SAPKIPZI4I |
| Release 2004_1_500 Until SAPKIPZI6K |
------------------------------------------------------------------------
Install the attached release specific ZIP file. This contains the authorization object IPC_RFC_DB and all the related structures. Follow Notes 480180 and 13719 for the installation.
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_470 Until SAPKIPZI5I |
| Release 2004_1_46C Until SAPKIPZI4I |
| Release 2004_1_500 Until SAPKIPZI6K |
------------------------------------------------------------------------
If you are using E-Commerce ERP scenario which is mentioned in the note 884408 you have to follow the post implementation step mentioned over here. Otherwise you can ignore this post implementation step. In that case only the thing is you should never ever assign this newly created authorization to any of the user. In order to support the scenario which is mentioned in the note 884408 you have to create appropriate user role and profile using transaction PFCG. Then add the new authorization object IPC_RFC_DB to that and set value 16 for activity. This new role should be assigned to the RFC user which you have set in the RFC destination IPC_REMOTE_DB_CONNECTION_XXX (refer note 884408 for details) for ERP or R/3 data access. For other users this authorization object shouldn't be assigned.
2. For software component PI releases 2004_1_46C, 2004_1_470 and 2004_1_500 follow the manual implementation steps only. Since the fix contains authorization object in SAP namespace, correction are delivered using transport ZIP file. So there is no need to apply the given relevant correction instruction using SNOTE for the above mentioned PI releases. But please make sure that after installing ZIP file as mentioned in the manual implementation step, relevant objects have got changed as given in the correction instruction.
3. For other ERP releases please apply given relevant correction instructions using SNOTE.
------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_470 Until SAPKIPZI5I |
| Release 2004_1_46C Until SAPKIPZI4I |
| Release 2004_1_500 Until SAPKIPZI6K |
------------------------------------------------------------------------
Install the attached release specific ZIP file. This contains the authorization object IPC_RFC_DB and all the related structures. Follow Notes 480180 and 13719 for the installation.
------------------------------------------------------------------------
|Manual Post-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component PI SAP R/3 PlugIn... |
| Release 2004_1_470 Until SAPKIPZI5I |
| Release 2004_1_46C Until SAPKIPZI4I |
| Release 2004_1_500 Until SAPKIPZI6K |
------------------------------------------------------------------------
If you are using E-Commerce ERP scenario which is mentioned in the note 884408 you have to follow the post implementation step mentioned over here. Otherwise you can ignore this post implementation step. In that case only the thing is you should never ever assign this newly created authorization to any of the user. In order to support the scenario which is mentioned in the note 884408 you have to create appropriate user role and profile using transaction PFCG. Then add the new authorization object IPC_RFC_DB to that and set value 16 for activity. This new role should be assigned to the RFC user which you have set in the RFC destination IPC_REMOTE_DB_CONNECTION_XXX (refer note 884408 for details) for ERP or R/3 data access. For other users this authorization object shouldn't be assigned.
Ссылки