SAP Note 888889 - Automatic checks for security notes using RSECNOTE

Component: SAP Support Services - Security Response

Solution: https://service.sap.com/sap/support/notes/888889 (login to SAP Service Marketplace required)

Summary:
This SAP Note describes the implementation and use of the RSECNOTE tool for assessing the implementation status of security notes in SAP systems. RSECNOTE, part of the ST-A/PI software component from release 01M_* onwards, evaluates whether essential security updates, represented by SAP Notes and HotNews, have been applied. The note offers a solution to problems such as partial functionality caused by Note 888889 not being implemented and the RSECNOTE tool being absent from the system. The solution includes installation instructions for RSECNOTE via SNOTE, adjustments to transaction parameters, user authorizations, and operational guidelines for maintaining the system's security compliance.

Keywords:
s_tcode tcd st13 s_admi_fcd s_admi_fcd st0r s_ptch_adm table ', object key r3tr tabu /ssf/ptab, tool rsecnote checks security-relevant notes, required security-relevant sap notes, component security-check actvt 02, required security-relevant notes, sap earlywatch alert report, sap_basis release 620 support package 55, sap_basis release 640 support package 13, quick link /note-assistant

Related Notes:

1572714 - Missing Authorization Check in Profile Parameter Handling
1572346 - Hard-coded credentials in ABAP Test Cockpit
1572345 - Hard-coded credentials in ABAP Task Handler
1570717 - Hard-coded credentials in ABAP Workbench
1570374 - Missing Authorization Check in Package Builder
1569300 - Potential Denial of Service in translation tools funct.
1568674 - Code injection vulnerability in CRM_UBB_LAE_EDIT_CONTENT
1567882 - Missing authorization check in BW RFC
1567747
1567630 - Unauthorized modification of displayed content in BC-DOC-TTL
1565444 - Missing authorization check in Output Server
1565397 - Unauthorized modification of content in BSP DSWP_URL_LAUNCH
1561545 - Update #2 to Security Note 1531669
1560649 - Hard-coded credentials in BCS
1560605 - Unauthorized modification of stored content in ST
1557197 - Missing authorization check in portal connection
1556749 - Unauthorized execution of functions in SAP system
1554030 - Missing authorization check in fumo EPS_DELETE_FILE
1553872
1553868
1553184
1553043
1552504
1551544
1549999 - Missing authorization check in the workflow analysis
1547271 - Missing authorization check in RFC with call transaction
1543318 - Potential remote termination of running processes in kernel
1542645 - Users with hardcoded name & password created in BC-DOC-TER
1538382
1537753 - Missing Authorization Check in LO-MAP
1536640 - WebReporting: Unauthorized modification of displayed content
1536491 - ALE: Missing authorization check in ALE monitoring tool
1536091 - Missing Authorization Check in Change logs component.
1533470 - Missing authorization check in Cash Management
1531752
1531669 - Missing Authorization Check
1530392 - Missing Authorization Check in SW-Delivery tools
1529573
1528863
1528822 - Missing authorization check in WebReporting
1525695 - Update #1 for Note 587410: Missing Authorization Check SE37
1525328 - Potential information disclosure by the message server
1523808 - Missing authorization check in CATT or eCATT
1521786
1520781
1520462 - Unauthorized call of operating system command
1520043 - RFC call cat_r2_tab_res without authorization
1518682
1514385
1513952 - Missing Authorization Check in AP-PPE-SCM
1512134 - Unauthorized modification of displayed content in ITS
1511436 - Code injection vulnerability in Relationship and Reliability
1511107 - Executing freely determined code using transaction SE37
1510704 - Missing Authorization Check in AFX Workbench report
1507903
1504090
1504016
1503375 - ED: Code injection vulnerability in functionality 'Other'
1502781 - Unauthorized modification of displayed content in BSP
1499901 - Executing arbitrary code with RSNROGEN
1499051 - DBACockpit: Weak authorization checks in SQL Command Editor
1498913 - PFO: Authority check for business object
1497622 - EC-EIS: Loading any source code using FM KXXC_DOWNLOAD
1497104
1496092 - Unauthorized read-access to database
1495570 - Security: Execution of any source code
1494046 - Code injection vulnerability in time rule program
1493911 - Missing Authorization Check in SW-Delivery tools
1493634 - Transaction calls from reporting
1493516
1493101 - Code injection vulnerability in FERCC001
1492434 - Executing arbitrary code using report RIWP_VIEW_GENERATE
1490437 - Corrections for ST-PI
1488159
1488057
1488038 - Unauthorized usage of test tool of system login
1487330
1487212
1486918 - Code Injection vulnerability in CRM-ACP-APL
1484930 - Saved data may be disclosed and changed
1484918
1484743 - Hard-coded logon information in CL_CRM_ISU_ORDE...
1484712 - Directory traversal in CRM_EDR_UPLOAD_DATA/-DOWNLOAD_DATA
1484711 - Unauthorized change of displayed contents in IUBOTRCP
1484709 - Unauthorized change of displayed contents in CRM_ITIC
1482118 - Unauthorized change to data displayed in BPS planning
1481802
1481405 - Hard-coded credentials in RFBYPASS
1481254 - Program generator performance RE-FX
1480653
1479762 - Missing authority check in SAP_RSADMIN_MAINTAIN
1479310 - EC-PCA: Using FM ZPCA_UPLOAD to load any source code
1478978
1478860
1478756 - Executing any source code in CO-PC reporting
1478420 - FPE2M: Missing Authorization Check
1475481 - Unauthorized modification of stored content in signature BSP
1474853 - BCE: Secure Business Content Environment
1473520 - Missing authorization check in coinsurance reporting
1472807 - Hard-coded credentials in BRF
1472395 - Unauthorized change of stored contents (agency collections)
1470854
1470350
1470094 - Authorization check in report H99_B2AFILE missing
1469982
1469845 - Missing authorization check in RMA
1469707
1469549 - RFC: Work processes terminate in the XML parser
1467896 - Unauthorized use of application functions in ICM
1466156 - Missing Authorization Check in a BTE application
1465138 - Change mode in SAT / SE30 "Tips & Tricks"
1463392
1463037 - Hard-coded credentials in Class /FRE/FU_CL_TS_SERVICES
1462417 - Missing authorization check in RFC module
1462348
1460043 - Unsuitable authorization check in transaction SE24
1458820
1456569
1453938 - Potential information disclosure relating to WebDynpro ABAP
1453655
1453605 - Potential information disclosure relating to ECC and SAP R/3
1453604 - Potential information disclosure relating to ECC and SAP R/3
1453541 - Potential information disclosure relating to ECC and SAP R/3
1453457 - WebReporting: Unauthorized modification of displayed content
1453164 - Missing authorization check in module of upgrade
1452661 - Code injection vulnerability in ECC PT PSM-FM Add-On
1451581 - Logging of configuration changes not enabled
1450270 - Unauthorized modification of displayed content in BSP
1450128
1449574 - Function module for reading batch input files
1449516 - CRM Pharma: Log data changes in tables
1447671 - Cross Site Scripting in BSP
1447622 - Cross Site Scripting in BSP
1446869 - Activate configuration logging for DAM tables
1446276 - CTC: Table White Lists and Authorization Checks
1445407 - Program can be used by specific users
1443973 - WDA: Application configurations
1443934
1442580 - Potential disclosure of authentication information
1442498 - Information obtainable about Web Dynpro ABAP applications
1441953 - Logon data can be discovered: XSS
1441945 - Authorization check incomplete in XI/PI administration
1440345 - Load balancer reveals backend server information
1439983 - Disable S_TCC_* functions for heightened security
1437237 - Explicitly coded user names in Web Dynpro
1437224 - RMA: Security standard is not implemented
1436936 - Unauthorized changes can be made to Web Dynpro ABAP session
1435655 - Number of cryptographic bits increased in sap-contextid
1431790 - Security fixes for SRM Legal Contract Authoring Duet applica
1431615 - User-defined message search: Authorization for test
1430970
1429954 - Hardcoded usernames in SCC
1429301 - Missing authority check in APO transaction
1429198 - Missing authorization check in RSUDO for "Execute as"
1428998 - Missing authority check in Demand Planning transaction
1428526 - Hardcoded usernames in APO
1428034 - CLP: Missing Authorization Checks
1427914 - Security Note: Leftover Debug Code
1427010
1427009
1427008
1426388
1425215 - Security Note Missing Authority Check for Call Transaction
1425123 - Missing authority check in BOP
1425122 - Security Note: Generic Table Access
1424714 - Missing Authorization Check in TA /SAPAPO/AMON2
1423936 - Missing authority check in Supply Chain Cockpit/Engineer
1423413 - Authorization check for FI-CA transactions FP03F/FP03L/FP03H
1423059
1422737
1422572 - Unauthorized change of displayed contents
1421432 - Security problems due to dynamic SQL
1421005 - Secure configuration of the message server
1420623 - MOpz: Potential information disclosure relating to passwords
1420281 - CO-OM tools: SE16N: Deactivating &SAP_EDIT
1419261 - Error during Credit card Encryption not propagated in TR BP.
1418848 - Authorization check for S_RFC_ADM in RSRFCPIN and RSRFCCHK
1418032
1418031
1417696 - Unauthorized modif. of displayed content in MIC start page
1417568
1415665
1415547 - Security corrections ST-SER 2008.2
1415148 - Missing Input Validation in Business-Explorer
1414444 - sapstartsrv unstable
1414256 - Changing TMSADM password is too complex
1414112 - Security: Buffer overflow
1414089 - Potential disclosure of authentication information in XI
1414059 - Missing authorization check in a BW report
1411818 - Handling Authorization concerns due to Note 1030838 & 1381945
1411701 - Generic ABAP function calls
1411659
1410798 - Missing logging in transaction for totals document correction
1409234 - Security: Actions can be executed/transactions can be started
1409141 - Missing authority check in Data Consistency Framework
1407896 - Missing authority check in Checktool within ECC
1407841 - Dynamic Report Generation, Arbitrary Value Processing
1406435
1392352 - Security note: Cross-site scripting
1388864
1387576 - CO-OM tools: SE16N: Authorization checks in view maintenance
1387574 - Possible SQL injection in Persistence Service
1375125 - Report BEFG_TEMPLATE_CREATE must not be used in production
1363631 - BADI BUPA_F4_AUGRP does not filter BP's in search
1363371 - FS-CD: Missing authorization checks SAPRGEN_CD
1362972 - Industry Solution Migration Workbench: Authorization check
1361038 - Report RJ-JXINI generates unnecessary source code
1357370 - No authorization check for editor
1355614 - IS-M/PMD: Obsolete source code in master data generator
1343029
1342183 - Security information: Transaction FIAAHELP
1340457 - Security Note: Encoding fix for technical hidden fields
1339620 - Security note: Cross Site Scripting (XSS) in cFolders
1339326 - F&R: Remove hardcoded user name branches in code (security)
1336947 - Security correction: Username hard coded
1335926 - Some Fields are susceptible to Cross-site scripting
1335103 - Security correction: removal of hardcoded user names
1334396 - Security Checks: Removal of hardcoded user names
1334244 - Some Fields are susceptible to Cross-site scripting.
1333668 - Security Checks: Model Mix Planning
1330776 - Security note: Files transferrable to EPS inbox w/o auth.
1329090 - Security Note: Deactivate parameter sap-wd-ssrConsole
1327917 - Authorization check for transactions FPSEC1/FPSEC2/FPSEC3
1315883
1310174 - Authority check missing
1306604 - /SAPAPO/MC62 authorization for creating CVCs
1304803 - Security note: Changing a transport without authorization
1302928 - Field Level Authorizations Not Being Checked in CASE
1298433 - Bypassing security in reginfo & secinfo
1298160 - Security note: Forbidden program execution possible
1294675 - Location: Authorization Check for Planning Version
1294431 - Anchor links are generated with unwanted HTTP href address
1292875 - Security note: Cross Site Scripting (XSS) in cFolders
1287570 - BBP_QUOT: Cross-Site Scripting (XSS)
1284360 - Security Note: Cross Site Scripting (XSS) in cFolders
1275278 - Security: HTML Encoding missing over the inputField tooltip
1271688 - Security: Authorization check for technical help
1267878 - Cross-site scripting error in BBP_POC
1265043 - S_TCODE Authority check on T000 by SM30
1262016 - Missing authority check in APO transaction.
1261319 - Help Center user name in the URL
1259881 - Prevent "Webadmin" task from system admin
1259414 - Cross Site Scripting: PCUI Stored JavaScript Vulnerability
1243004 - Security Note: Missing SYSLOG entries for ABAP Debugging
1235367 - Missing authority check in APO transaction.
1232490 - Authorization check SE80 for where-used list
1229303 - Security note: Security gap in ACO_BSP_ADMIN
1224599 - WDP: Performance problems or increase in handle consumption
1170353 - Security update: SAP Web Dispatcher
1168813 - Security note: Program DISPLAY_FUNC_INCLUDE
1167258 - Security note: Program RS_REPAIR_SOURCE
1161689 - Security note: aco_bsp_admin: Start only with ICF auth.
1159009 - Security Note: RSDB2CMD switched to RSBDCOS0
1158063 - P18: Security Note: RSSM_EXEC_COMMAND converted to RSBDCOS0
1151557 - Security: External theme root not html escaped
1146690 - Security Note: Passwords in SLD ABAP API
1145873 - Security note: Security problem with FileDownload
1143177 - Cache settings incorrect for WebDynpro ABAP
1142067 - Missing authorization check for hidden functions
1136823 - SOBJ: Display of object directory permits changes
1136770 - Security note: ICF system login
1133739
1129536 - SCMA - Missing authorization check in Schedule Manager
1120760
1115699 - CO-OM Tools: SE16N: Adapting to SE16
1085326 - Security Note: Check for 'System -> Status' (SE80)
1072946 - Gateway: Bypassing monitor commands
1060643 - Security note: Hijacking/sys. login: New login after refresh
1058531 - BBPSC: Cross-site scripting error
1022102 - Executing JavaScripts in logon data
957038 - Security gap in cross-site scripting