• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1816989 - Potential information disclosure relating to EPCM data bag

Главная Специалистам База уязвимостей Note 1816989 - Potential information disclosure relating to EPCM data bag

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:N/C:P/I:N/A:NSAP)
Производитель ПО
SAP
Наименование ПО
SAP Notes (1816989-3) SAP Support Packages (EP_RUNTIME_710_SP017_000000, EP_RUNTIME_710_SP999999_999999, EP_RUNTIME_711_SP012_000000, EP_RUNTIME_711_SP999999_999999, EP_RUNTIME_720_SP009_000002, EP_RUNTIME_720_SP999999_999999, EP_RUNTIME_730_SP010_000000, EP_RUNTIME_730_SP999999_999999, EP_RUNTIME_731_SP008_000000, EP_RUNTIME_731_SP999999_999999, EP_RUNTIME_740_SP003_000000, EP_RUNTIME_740_SP999999_999999, PORTAL_700_SP029_000000, PORTAL_700_SP999999_999999, PORTAL_701_SP014_000000, PORTAL_701_SP999999_999999, PORTAL_702_SP014_000000, PORTAL_702_SP999999_999999)
Описание
Information that is stored by any application that is using this EPCM  client data bag can be passed on a non-secure connection. This  information may be used by an attacker to further target the application that is using this framework in the portal.
Как исправить
Please refer to SP Patch level link to view the versions including the fix.To enforce secure data bag (SAPPORTALSDB0) cookie:1. Navigate to "System Administration" -> "Service Configuration"** For NW: use SAP NetWeaver Administrator.2. Access the following portal application and service: Application: "com.sap.portal.epcf.loader" Service: "epcfloader"3. Set the com.sap.portal.epcf.databag.enforce_secure_cookie property value to true.This enforce that the client browser sends the cookie only when an SSL connection to the J2EE Engine or the reverse proxy is established. The default value is false.4. Save your changes and restart the service.
Ссылки