• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 1534608

Главная Специалистам База уязвимостей Не установлено обновление Note 1534608

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (1534608-2) SAP Support Packages (SAPK-60019INISM, SAPK-60209INISM, SAPK-60308INISM, SAPK-60409INISM, SAPK-60504INISM, SAPKIPPL34, SAPKIPPM27, SAPKIPPN21)
Описание
IAC postprocessing does not contain authorization checks for checking an  authenticated user#s authorization to access some of its functions.  Without these checks, an authenticated user can use these functions. This may result in undesired system behavior.
Как исправить
This correction will be available with the next Support Package.
You can use the Note Assistant to implement an advance correction. To do this, manually perform all the steps that are listed in the manual pre-implementation steps section.



------------------------------------------------------------------------
|Manual Pre-Implement. |
------------------------------------------------------------------------
|VALID FOR |
|Software Component IS-M IS Media |
| Release 464 Until SAPKIPPL33 |
| Release 471 Until SAPKIPPM26 |
| Release 472 Until SAPKIPPN20 |
| Release 600 Until SAPK-60018INISM |
| Release 602 Until SAPK-60208INISM |
| Release 603 Until SAPK-60307INISM |
| Release 604 Until SAPK-60408INISM |
| Release 605 Until SAPK-60503INISM |
------------------------------------------------------------------------

Before you implement the note, you must implement the following corrections manually:
Add a new fixed value to the domain ISM_IAC_TYPE as follows:
Call transaction SE11.
Change the domain ISM_IAC_TYPE.
Navigate to the "Value Range" tab page.
Create the new fixed value '13' with the short description 'Order Creation (Ad Order)'.
Activate the changes.
Create the new authorization field IAC_TYPE as follows:
Call transaction SU20.
Choose "New authorization field".
Enter 'IAC_TYPE' as the field name and 'ISM_IAC_TYPE' as the data element.
Activate the changes.
Create the new authorization object J_IAC_PP as follows:
Call transaction SU21.
Open the object class IS_P.
Choose "Create Authorization Object".
Enter 'J_IAC_PP' as the object and 'IAC Postprocessing' as the text.
Enter the following authorization fields:
VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
IAC_TYPE Type of Change/Creation of IAC
ACTVT Activity
Create the following documentation for the authorization object:
Definition:
"Authorization object for IAC postprocessing."
Fields:
"VKORG Sales Organization
VTWEG Distribution Channel
SPART Division
IAC_TYPE Type of Change/Creation of IAC
ACTVT Activity Category"
Select the following values as valid values for the activity:
02 Change
03 Display
06 Delete
16 Execute
Create the following new messages for message class JKWWW using transaction SE91 and set the 'Self-explanat'y' indicator for all of them:
405 You do not have authorization to display data from the internet
406 You do not have authorization to maintain data from the internet
407 You do not have authorization to delete data from the internet
408 You do not have authorization to process data from the internet
Ссылки