• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Не установлено обновление Note 578366

Главная Специалистам База уязвимостей Не установлено обновление Note 578366

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
Производитель ПО
SAP
Наименование ПО
SAP Notes (578366-2)
Описание
Up to and including EP 5.0 SP4, when a user logged on to the portal with  a client certificate, the client parser took the CN of the X.500 name of  the certificate owner and used this as the portal user. For example, if  the X.500 name of the certificate was 'CN=Smith, OU=Marketing,  O=MyCompany Ltd., C=DE', this certificate would be mapped to the portal user 'Smith'.
This parser can lead to insufficient security as the CN alone is used to  determine the user. It would, for example, be possible for two people to  obtain a certificate with CN=Smith from two different certification  authorities (CAs). In the same way, two people from different countries  or even just different organizational units in the same company could  obtain a certificate with CN=Smith from the same certification  authority. In all cases, the users would be mapped to the portal user  Smith. This could lead to unauthorized users gaining access to the Enterprise Portal.
Как исправить
As of EP 5.0 SP5, the Enterprise Portal is shipped with a new parser that solves this problem. The new parser can be configured using entries in the Windows registry to further restrict the users that are accepted by the parser.
Create the following entries in the current user management configuration in the Windows registry:
"Certificate Params": Contains value for which the parser checks in the certificate owner's name. For example, if you set the value to 'O=MyCompany', only certificate owner names with this entry, for example 'CN=Smith, OU=Marketing, O=MyCompany, C=DE' will be allowed access to the portal. A certificate with a certificate owner such as 'CN=Smith, OU=Marketing, O=Hacker Ltd., C=DE' will not be allowed access the portal.
Note that the parser searches the certificate owner's name for the exact string in "Certificate Params". For this reason, you should take great care with spaces, commas, and so on. Examples of valid values for "Certificate Params" are:
'OU=Marketing, O=MyCompany'
'OU=MArketing, O=MyCompany, C=DE'
Ссылки