• Все разделы
  • Статьи
  • Медиа
  • Новости
  • Нормативные материалы
  • Конференции
  • Глоссарий

Note 1881221 - HTTP Response Splitting in the SAP BC

Главная Специалистам База уязвимостей Note 1881221 - HTTP Response Splitting in the SAP BC

Карточка уязвимости

Характеристики уязвимости

Уровень опасности
Оценка CVSS
(AV:N/AC:L/AU:N/C:N/I:P/A:NSAP)
Производитель ПО
SAP
Наименование ПО
SAP Notes (1881221-4)
Описание
In rare cases the SAP Business Connector 4.8 does not properly validate  and encode input values provided by HTTP clients. As a result an  attacker may send a malicious input to the Business Connector server  that will be passed back to the client. This allows an attacker to take  control over the HTTP response header and/or body and cause various exploits at the client side.
Как исправить
The solution is rolled out with Hotfix 3 for Core Fix 5 for the SAP Business Connector 4.8. From this patch level on potential dangerous characters are always properly encoded.The Core Fix 5 must be installed first. Then download the Hotfix 3  from here:https://service.sap.com/patches -> Browse Our Download Catalog -> SAP Connectors -> SAP BUSINESS CONNECTOR -> SAP BUSINESS CONNECTOR 4.8 -> Comprised Software Component Versions -> SAP BC 4.8 -> Support Packages und Patches -> # OS independent -> BC48CoreFixP5HF_3-20007203.zip, Title "CoreFix 5 Hotfix 3 for Business Connector 4.8", Patch Level 3.Afterwards shut down the Business Connector and unzip the archive into the SAP BC server installation directory (e.g. C:/sapbc48/Server on Windows or on UNIX).This patch will later be included into the Core Fix 6 for the Business Connector 4.8. As soon as it is available the Hotfix mentioned above becomes obsolete. Then please install the Core Fix 6 from the SAP BC download page:https://service.sap.com/sbc-download -> Tools and Services -> Software Updates -> Software Updates for SAP BC Release 4.8
Ссылки