Карточка уязвимости
Характеристики уязвимости
Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:N/C:P/I:N/A:NSAP)
Производитель ПО
Наименование ПО
SAP Notes
(1816989-3)
SAP Support Packages
(EP_RUNTIME_710_SP017_000000, EP_RUNTIME_710_SP999999_999999, EP_RUNTIME_711_SP012_000000, EP_RUNTIME_711_SP999999_999999, EP_RUNTIME_720_SP009_000002, EP_RUNTIME_720_SP999999_999999, EP_RUNTIME_730_SP010_000000, EP_RUNTIME_730_SP999999_999999, EP_RUNTIME_731_SP008_000000, EP_RUNTIME_731_SP999999_999999, EP_RUNTIME_740_SP003_000000, EP_RUNTIME_740_SP999999_999999, PORTAL_700_SP029_000000, PORTAL_700_SP999999_999999, PORTAL_701_SP014_000000, PORTAL_701_SP999999_999999, PORTAL_702_SP014_000000, PORTAL_702_SP999999_999999)
Описание
Information that is stored by any application that is using this EPCM client data bag can be passed on a non-secure connection. This information may be used by an attacker to further target the application that is using this framework in the portal.
Как исправить
Please refer to SP Patch level link to view the versions including the fix.To enforce secure data bag (SAPPORTALSDB0) cookie:1. Navigate to "System Administration" -> "Service Configuration"** For NW: use SAP NetWeaver Administrator.2. Access the following portal application and service: Application: "com.sap.portal.epcf.loader" Service: "epcfloader"3. Set the com.sap.portal.epcf.databag.enforce_secure_cookie property value to true.This enforce that the client browser sends the cookie only when an SSL connection to the J2EE Engine or the reverse proxy is established. The default value is false.4. Save your changes and restart the service.
Ссылки