Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
Производитель ПО
Наименование ПО
SAP Notes
(1681997-1)
SAP Support Packages
(CM+COLLABORATION_60_640_SP027_000010, CM+COLLABORATION_60_640_SP028_000008, CM+COLLABORATION_60_640_SP029_000006, CM+COLLABORATION_60_640_SP030_000000, CM+COLLABORATION_60_640_SP031_000000, CM+COLLABORATION_60_640_SP999999_999999, GROUPWARE_730_SP001_000001, GROUPWARE_730_SP002_000001, GROUPWARE_730_SP003_000001, GROUPWARE_730_SP004_000001, GROUPWARE_730_SP005_000001, GROUPWARE_730_SP007_000001, GROUPWARE_730_SP008_000000, GROUPWARE_730_SP999999_999999, GROUPWARE_731_SP000_000001, GROUPWARE_731_SP001_000001, GROUPWARE_731_SP002_000001, GROUPWARE_731_SP003_000001, GROUPWARE_731_SP004_000000, GROUPWARE_731_SP999999_999999, KMC_BASE_COMPONENTS_700_SP023_000002, KMC_BASE_COMPONENTS_700_SP024_000003, KMC_BASE_COMPONENTS_700_SP025_000003, KMC_BASE_COMPONENTS_700_SP026_000003, KMC_BASE_COMPONENTS_700_SP999999_999999, KMC_BASE_COMPONENTS_701_SP008_000003, KMC_BASE_COMPONENTS_701_SP009_000003, KMC_BASE_COMPONENTS_701_SP010_000003, KMC_BASE_COMPONENTS_701_SP011_000001, KMC_BASE_COMPONENTS_701_SP012_000000, KMC_BASE_COMPONENTS_701_SP999999_999999, KMC_BASE_COMPONENTS_702_SP005_000001, KMC_BASE_COMPONENTS_702_SP006_000005, KMC_BASE_COMPONENTS_702_SP007_000003, KMC_BASE_COMPONENTS_702_SP008_000002, KMC_BASE_COMPONENTS_702_SP009_000003, KMC_BASE_COMPONENTS_702_SP010_000003, KMC_BASE_COMPONENTS_702_SP011_000001, KMC_BASE_COMPONENTS_702_SP012_000000, KMC_BASE_COMPONENTS_702_SP999999_999999, KMC_BASE_COMPONENTS_730_SP001_000006, KMC_BASE_COMPONENTS_730_SP002_000008, KMC_BASE_COMPONENTS_730_SP003_000007, KMC_BASE_COMPONENTS_730_SP004_000007, KMC_BASE_COMPONENTS_730_SP005_000006, KMC_BASE_COMPONENTS_730_SP007_000003, KMC_BASE_COMPONENTS_730_SP008_000000, KMC_BASE_COMPONENTS_730_SP999999_999999, KMC_BASE_COMPONENTS_731_SP001_000003, KMC_BASE_COMPONENTS_731_SP002_000003, KMC_BASE_COMPONENTS_731_SP003_000001, KMC_BASE_COMPONENTS_731_SP004_000000, KMC_BASE_COMPONENTS_731_SP999999_999999, KMC_COLLABORATION_700_SP023_000003, KMC_COLLABORATION_700_SP024_000003, KMC_COLLABORATION_700_SP025_000003, KMC_COLLABORATION_700_SP026_000002, KMC_COLLABORATION_700_SP027_000000, KMC_COLLABORATION_700_SP028_000000, KMC_COLLABORATION_700_SP999999_999999, KMC_COLLABORATION_701_SP008_000003, KMC_COLLABORATION_701_SP009_000003, KMC_COLLABORATION_701_SP010_000003, KMC_COLLABORATION_701_SP011_000002, KMC_COLLABORATION_701_SP012_000000, KMC_COLLABORATION_701_SP013_000000, KMC_COLLABORATION_701_SP999999_999999, KMC_COLLABORATION_702_SP005_000002, KMC_COLLABORATION_702_SP006_000002, KMC_COLLABORATION_702_SP007_000003, KMC_COLLABORATION_702_SP008_000003, KMC_COLLABORATION_702_SP009_000003, KMC_COLLABORATION_702_SP010_000003, KMC_COLLABORATION_702_SP011_000002, KMC_COLLABORATION_702_SP012_000000, KMC_COLLABORATION_702_SP999999_999999, KMC_CONTENT_MANAGEMENT_700_SP023_000008, KMC_CONTENT_MANAGEMENT_700_SP024_000005, KMC_CONTENT_MANAGEMENT_700_SP025_000006, KMC_CONTENT_MANAGEMENT_700_SP026_000003, KMC_CONTENT_MANAGEMENT_700_SP999999_999999, KMC_CONTENT_MANAGEMENT_701_SP008_000008, KMC_CONTENT_MANAGEMENT_701_SP009_000006, KMC_CONTENT_MANAGEMENT_701_SP010_000005, KMC_CONTENT_MANAGEMENT_701_SP011_000001, KMC_CONTENT_MANAGEMENT_701_SP012_000000, KMC_CONTENT_MANAGEMENT_701_SP999999_999999, KMC_CONTENT_MANAGEMENT_702_SP005_000006, KMC_CONTENT_MANAGEMENT_702_SP006_000009, KMC_CONTENT_MANAGEMENT_702_SP007_000007, KMC_CONTENT_MANAGEMENT_702_SP008_000005, KMC_CONTENT_MANAGEMENT_702_SP009_000004, KMC_CONTENT_MANAGEMENT_702_SP010_000005, KMC_CONTENT_MANAGEMENT_702_SP011_000001, KMC_CONTENT_MANAGEMENT_702_SP012_000000, KMC_CONTENT_MANAGEMENT_702_SP999999_999999, KMC_CONTENT_MANAGEMENT_730_SP001_000007, KMC_CONTENT_MANAGEMENT_730_SP002_000007, KMC_CONTENT_MANAGEMENT_730_SP003_000007, KMC_CONTENT_MANAGEMENT_730_SP004_000005, KMC_CONTENT_MANAGEMENT_730_SP005_000006, KMC_CONTENT_MANAGEMENT_730_SP007_000002, KMC_CONTENT_MANAGEMENT_730_SP008_000000, KMC_CONTENT_MANAGEMENT_730_SP999999_999999, KMC_CONTENT_MANAGEMENT_731_SP001_000003, KMC_CONTENT_MANAGEMENT_731_SP002_000002, KMC_CONTENT_MANAGEMENT_731_SP003_000001, KMC_CONTENT_MANAGEMENT_731_SP004_000000, KMC_CONTENT_MANAGEMENT_731_SP999999_999999)
Описание
The EP-KM-COL component does not contain the authorization checks for the authorization of authenticated users to access some of its functions. This may result in the undesired system behavior.
Как исправить
For SAP NetWeaver Portal 7.3 and 7.3 including enhancement package 1 CTC template could be executed instead of the procedure described below. In case of CTC template execution for SAP NetWeaver 7.3 and 7.3 including enhancement package 1, refer to SAP note 599425.
Use the following procedure to change the permissions of the "attachment" repository after deploying the patches for KMCBC, KMCCM and GROUPWARE :
1. Configure the "attachment" repository to be listed in the root directory.
a. Log on to the portal as an administrator user.
b. Navigate to System Administration -> System Configuration -> Knowledge Management -> Content Management -> Repository Managers -> CM Repository
c. Select the "attachment" repository
d. Choose "Edit".
e. Choose "Show Advanced Options".
f. Deselect the "Hide in Root Folder" property.
g. Save your entries.
2. Configure the permissions of the "attachment" repository.
When the patches are applied the initial attachment repository permissions are set to "Everyone" (Full Control). To restrict the permissions of the repository, you should use the following procedure:
a. Navigate to Content Administration -> KM Content
b. From the context menu of the "attachment" repository choose Details -> Settings -> Permissions
c. In the "Permissions" tab delete the permissions for the "Everyone" group and then add the following permissions:
- Name: "content_admin_role"; Permissions: "Full Control"
d. Save your entries.
The main disclaimer for the new implementation is:
When the "Everyone" group is deleted from the permissions of the "attachment" repository, the users, who have been sent or received e-mails before the patch installation, should no longer be available to access the attachments for their e-mails stored in this repository.
A.) For more information about the affected releases, see the "SP Patch Level" tab page of this SAP note.
For more information about the SP Stack schedule and updates, see http://service.sap.com/swdc -> Support Packages and Patches -> SAP Support Package Stacks -> SP Stacks maintenance schedule
B.) Possible workaround before the release of mentioned deliveries: There is no workaround possible.
Use the following procedure to change the permissions of the "attachment" repository after deploying the patches for KMCBC, KMCCM and GROUPWARE :
1. Configure the "attachment" repository to be listed in the root directory.
a. Log on to the portal as an administrator user.
b. Navigate to System Administration -> System Configuration -> Knowledge Management -> Content Management -> Repository Managers -> CM Repository
c. Select the "attachment" repository
d. Choose "Edit".
e. Choose "Show Advanced Options".
f. Deselect the "Hide in Root Folder" property.
g. Save your entries.
2. Configure the permissions of the "attachment" repository.
When the patches are applied the initial attachment repository permissions are set to "Everyone" (Full Control). To restrict the permissions of the repository, you should use the following procedure:
a. Navigate to Content Administration -> KM Content
b. From the context menu of the "attachment" repository choose Details -> Settings -> Permissions
c. In the "Permissions" tab delete the permissions for the "Everyone" group and then add the following permissions:
- Name: "content_admin_role"; Permissions: "Full Control"
d. Save your entries.
The main disclaimer for the new implementation is:
When the "Everyone" group is deleted from the permissions of the "attachment" repository, the users, who have been sent or received e-mails before the patch installation, should no longer be available to access the attachments for their e-mails stored in this repository.
A.) For more information about the affected releases, see the "SP Patch Level" tab page of this SAP note.
For more information about the SP Stack schedule and updates, see http://service.sap.com/swdc -> Support Packages and Patches -> SAP Support Package Stacks -> SP Stacks maintenance schedule
B.) Possible workaround before the release of mentioned deliveries: There is no workaround possible.
Ссылки