Solution: https://service.sap.com/sap/support/notes/888889 (SAP Service Marketplace login required)
Summary:
The SAP Note describes the implementation and use of the RSECNOTE tool for evaluating the implementation status of security notes in SAP systems. RSECNOTE, part of the ST-A/PI software component as of release 01M_*, evaluates whether essential security updates, represented by SAP Notes and HotNews, have been applied. The note provides a solution to problems such as partial functionality due to Note 888889 not being implemented and the RSECNOTE tool being absent from the system. The solution includes installation instructions for RSECNOTE via SNOTE, transaction parameter adjustments, user authorizations, and operational guidelines for maintaining the system's security compliance.
Keywords:
s_tcode tcd st13 s_admi_fcd s_admi_fcd st0r s_ptch_adm table ', object key r3tr tabu /ssf/ptab, tool rsecnote checks security-relevant notes, required security-relevant sap notes, component security-check actvt 02, required security-relevant notes, sap earlywatch alert report, sap_basis release 620 support package 55, sap_basis release 640 support package 13, quick link /note-assistant
Related notes:
1572714 | Missing Authorization Check in Profile Parameter Handling |
1572346 | Hard-coded credentials in ABAP Test Cockpit |
1572345 | Hard-coded credentials in ABAP Task Handler |
1570717 | Hard-coded credentials in ABAP Workbench |
1570374 | Missing Authorization Check in Package Builder |
1569300 | Potential Denial of Service in translation tools funct. |
1568674 | Code injection vulnerability in CRM_UBB_LAE_EDIT_CONTENT |
1567882 | Missing authorization check in BW RFC |
1567747 | |
1567630 | Unauthorized modification of displayed content in BC-DOC-TTL |
1565444 | Missing authorization check in Output Server |
1565397 | Unauthorized modification of content in BSP DSWP_URL_LAUNCH |
1561545 | Update #2 to Security Note 1531669 |
1560649 | Hard-coded credentials in BCS |
1560605 | Unauthorized modification of stored content in ST |
1557197 | Missing authorization check in portal connection |
1556749 | Unauthorized execution of functions in SAP system |
1554030 | Missing authorization check in fumo EPS_DELETE_FILE |
1553872 | |
1553868 | |
1553184 | |
1553043 | |
1552504 | |
1551544 | |
1549999 | Missing authorization check in the workflow analysis |
1547271 | Missing authorization check in RFC with call transaction |
1543318 | Potential remote termination of running processes in kernel |
1542645 | Users with hardcoded name & password created in BC-DOC-TER |
1538382 | |
1537753 | Missing Authorization Check in LO-MAP |
1536640 | WebReporting:Unauthorized modification of displayed content |
1536491 | ALE: Missing authorization check in ALE monitoring tool |
1536091 | Missing Authorization Check in Change logs component. |
1533470 | Missing authorization check in Cash Management |
1531752 | |
1531669 | Missing Authorization Check |
1530392 | Missing Authorization Check in SW-Delivery tools |
1529573 | |
1528863 | |
1528822 | Missing authorization check in WebReporting |
1525695 | Update #1 for Note 587410: Missing Authorization Check SE37 |
1525328 | Potential information disclosure by the message server |
1523808 | Missing authorization check in CATT or eCATT |
1521786 | |
1520781 | |
1520462 | Unauthorized call of operating system command |
1520043 | RFC call cat_r2_tab_res without authorization |
1518682 | |
1514385 | |
1513952 | Missing Authorization Check in AP-PPE-SCM |
1512134 | Unauthorized modification of displayed content in ITS |
1511436 | Code injection vulnerability in Relationship and Reliability |
1511107 | Executing freely determined code using transaction SE37 |
1510704 | Missing Authorization Check in AFX Workbench report |
1507903 | |
1504090 | |
1504016 | |
1503375 | ED: Code injection vulnerability in functionality 'Other' |
1502781 | Unauthorized modification of displayed content in BSP |
1499901 | Executing arbitrary code with RSNROGEN |
1499051 | DBACockpit: Weak authorization checks in SQL Command Editor |
1498913 | PFO : Authority check for business object |
1497622 | EC-EIS: Loading any source code using FM KXXC_DOWNLOAD |
1497104 | |
1496092 | Unauthorized read-access to database |
1495570 | Security: Execution of any source code |
1494046 | Code injection vulnerability in time rule programm |
1493911 | Missing Authorization Check in SW-Delivery tools |
1493634 | Transaction calls from reporting |
1493516 | |
1493101 | Code injection vulnerability in FERCC001 |
1492434 | Executing arbitrary code using report RIWP_VIEW_GENERATE |
1490437 | Corrections for ST-PI |
1488159 | |
1488057 | |
1488038 | Unauthorized usage of test tool of system login |
1487330 | |
1487212 | |
1486918 | Code Injection vulnerability in CRM-ACP-APL |
1484930 | Saved data may be disclosed and changed |
1484918 | |
1484743 | Hard-coded logon information in CL_CRM_ISU_ORDE... |
1484712 | Directory traversal in CRM_EDR_UPLOAD_DATA/-DOWNLOAD_DATA |
1484711 | Unauthorized change of displayed contents in IUBOTRCP |
1484709 | Unauthorized change of displayed contents in CRM_ITIC |
1482118 | Unauthorized change to data displayed in BPS planning |
1481802 | |
1481405 | Hard-coded credentials in RFBYPASS |
1481254 | Program generator performance RE-FX |
1480653 | |
1479762 | Missing authority check in SAP_RSADMIN_MAINTAIN |
1479310 | EC-PCA: Using FM ZPCA_UPLOAD to load any source code |
1478978 | |
1478860 | |
1478756 | Executing any source code in CO-PC reporting |
1478420 | FPE2M: Missing Authorization Check |
1475481 | Unauthorized modification of stored content in signature BSP |
1474853 | BCE: Secure Business Content Environment |
1473520 | Missing authorization check in coinsurance reporting |
1472807 | Hard-coded credentials in BRF |
1472395 | Unauthorized change of stored contents (agency collections) |
1470854 | |
1470350 | |
1470094 | Authorization check in report H99_B2AFILE missing |
1469982 | |
1469845 | Missing authorization check in RMA |
1469707 | |
1469549 | RFC: Work processes terminate in the XML parser |
1467896 | Unauthorized use of application functions in ICM |
1466156 | Missing Authorization Check in a BTE application |
1465138 | Change mode in SAT / SE30 "Tips & Tricks" |
1463392 | |
1463037 | Hard-coded credentials in Class /FRE/FU_CL_TS_SERVICES |
1462417 | Missing authorization check in RFC module |
1462348 | |
1460043 | Unsuitable authorization check in transaction SE24 |
1458820 | |
1456569 | |
1453938 | Potential information disclosure relating to WebDynpro ABAP |
1453655 | |
1453605 | Potential information disclosure relating to ECC and SAP R/3 |
1453604 | Potential information disclosure relating to ECC and SAP R/3 |
1453541 | Potential information disclosure relating to ECC and SAP R/3 |
1453457 | WebReporting: Unauthorized modification of displayed content |
1453164 | Missing authorization check in module of upgrade |
1452661 | Code injection vulnerability in ECC PT PSM-FM Add-On |
1451581 | Logging of configuration changes not enabled |
1450270 | Unauthorized modification of displayed content in BSP |
1450128 | |
1449574 | Function module for reading batch input files |
1449516 | CRM Pharma: Log data changes in tables |
1447671 | Cross Site Scripting in BSP |
1447622 | Cross Site Scripting in BSP |
1446869 | Activate configuration logging for DAM tables |
1446276 | CTC: Table White Lists and Authorization Checks |
1445407 | Program can be used by specific users |
1443973 | WDA: Application configurations |
1443934 | |
1442580 | Potential disclosure of authentication information |
1442498 | Information obtainable about Web Dynpro ABAP applications |
1441953 | Logon data can be discovered: XSS |
1441945 | Authorization check incomplete in XI/PI administration |
1440345 | Load balancer reveals backend server information |
1439983 | Disable S_TCC_* functions for heightened security |
1437237 | Explicitly coded user names in Web Dynpro |
1437224 | RMA: Security standard is not implemented |
1436936 | Unauthorized changes can be made to Web Dynpro ABAP session |
1435655 | Number of cryptographic bits increased in sap-contextid |
1431790 | Security fixes for SRM Legal Contract Authoring Duet applica |
1431615 | User-defined message search: Authorization for test |
1430970 | |
1429954 | Hardcoded usernames in SCC |
1429301 | Missing authority check in APO transaction |
1429198 | Missing authorization check in RSUDO for "Execute as" |
1428998 | Missing authority check in Demand Planning transaction |
1428526 | Hardcoded usernames in APO |
1428034 | CLP: Missing Authorization Checks |
1427914 | Security Note : Leftover Debug Code |
1427010 | |
1427009 | |
1427008 | |
1426388 | |
1425215 | Security Note Missing Authority Check for Call Transaction |
1425123 | Missing authority check in BOP |
1425122 | Security Note: Generic Table Access |
1424714 | Missing Authorization Check in TA /SAPAPO/AMON2 |
1423936 | Missing authority check in Supply Chain Cockpit/Engineer |
1423413 | Authorization check for FI-CA transactions FP03F/FP03L/FP03H |
1423059 | |
1422737 | |
1422572 | Unauthorized change of displayed contents |
1421432 | Security problems due to dynamic SQL |
1421005 | Secure configuration of the message server |
1420623 | MOpz: Potential information disclosure relating to passwords |
1420281 | CO-OM tools: SE16N: Deactivating &SAP_EDIT |
1419261 | Error during Credit card Encryption not propagated in TR BP. |
1418848 | Authorization check for S_RFC_ADM in RSRFCPIN and RSRFCCHK |
1418032 | |
1418031 | |
1417696 | Unauthorized modif. of displayed content in MIC start page |
1417568 | |
1415665 | |
1415547 | Security corrections ST-SER 2008.2 |
1415148 | Missing Input Validation in Business-Explorer |
1414444 | sapstartsrv unstable |
1414256 | Changing TMSADM password is too complex |
1414112 | Security: Buffer overflow |
1414089 | Potential disclosure of authentication information in XI |
1414059 | Missing authorization check in a BW report |
1411818 | Handling Authorization concerns due to Note1030838 & 1381945 |
1411701 | Generic ABAP function calls |
1411659 | |
1410798 | Missing logging in transactn for totals document correction |
1409234 | Security:Actions can be executed/transactions can be started |
1409141 | Missing authority check in Data Consistency Framework |
1407896 | Missing authority check in Checktool within ECC |
1407841 | Dynamic Report Generation, Arbitrary Value Processing |
1406435 | |
1392352 | Security note: Cross-site scripting |
1388864 | |
1387576 | CO-OM tools: SE16N: Authorization checks in view maintenance |
1387574 | Possible SQL injection in Persistence Service |
1375125 | Report BEFG_TEMPLATE_CREATE must not be used in production |
1363631 | BADI BUPA_F4_AUGRP does not filter BP's in search |
1363371 | FS-CD: Missing authorization checks SAPRGEN_CD |
1362972 | Industry Solution Migration Workbench: Authorization check |
1361038 | Report RJ-JXINI generates unnecessary source code |
1357370 | No authorization check for editor |
1355614 | IS-M/ PMD: Obsolete source code in master data generator |
1343029 | |
1342183 | Security information: Transaction FIAAHELP |
1340457 | Security Note: Encoding fix for technical hidden fields |
1339620 | Security note:Cross Site Scripting (XSS) in cFolders |
1339326 | F&R: Remove hardcoded user name branches in code (security) |
1336947 | Security correction: Username hard coded |
1335926 | Some Fields are susceptible to Cross-site scripting |
1335103 | Security correction: removal of hardcoded user names |
1334396 | Security Checks: Removal of hardcoded user names |
1334244 | Some Fields are susceptible to Cross-site scripting. |
1333668 | Security Checks: Model Mix Planning |
1330776 | Security note: Files transferrable to EPS inbox w/o auth. |
1329090 | Security Note: Deactivate parameter sap-wd-ssrConsole |
1327917 | Authorizatn check for transactions FPSEC1/FPSEC2/FPSEC3 |
1315883 | |
1310174 | Authority check missing |
1306604 | /SAPAPO/MC62 authorization for creating CVCs |
1304803 | Security note: Changing a transport without authorization |
1302928 | Field Level Authorizations Not Being Checked in CASE |
1298433 | Bypassing security in reginfo & secinfo |
1298160 | Security note: Forbidden program execution possible |
1294675 | Location: Authorization Check for Planning Version |
1294431 | Anchor links are generated with unwanted HTTP href address |
1292875 | Security note:Cross Site Scripting (XSS) in cFolders |
1287570 | BBP_QUOT: Cross-Site Scripting ( XSS ) |
1284360 | Security Note: Cross Site Scripting (XSS) in cFolders |
1275278 | Security: HTML Encoding missing over the inputField tooltip |
1271688 | Security: Authorization check for technical help |
1267878 | Cross-site scripting error in BBP_POC |
1265043 | S_TCODE Authority check on T000 by SM30 |
1262016 | Missing authority check in APO transaction. |
1261319 | Help Center user name in the URL |
1259881 | Prevent "Webadmin" task from system admin |
1259414 | Cross Site Scripting:PCUI Stored JavaScript Vulnerability |
1243004 | Security Note: Missing SYSLOG entries for ABAP Debugging |
1235367 | Missing authority check in APO transaction. |
1232490 | Authorization check SE80 for where-used list |
1229303 | Security note: Security gap in ACO_BSP_ADMIN |
1224599 | WDP: Performance problems or increase in handle consumption |
1170353 | Security update: SAP Web Dispatcher |
1168813 | Security note: Program DISPLAY_FUNC_INCLUDE |
1167258 | Security note: Program RS_REPAIR_SOURCE |
1161689 | Security note: aco_bsp_admin: Start only with ICF auth. |
1159009 | Security Note:RSDB2CMD switched to RSBDCOS0 |
1158063 | P18:Security Note:RSSM_EXEC_COMMAND converted to RSBDCOS0 |
1151557 | Security: External theme root not html escaped |
1146690 | Security Note: Passwords in SLD ABAP API |
1145873 | Security note: Security problem with FileDownload |
1143177 | Cache settings incorrect for WebDynpro ABAP |
1142067 | Missing authorization check for hidden functions |
1136823 | SOBJ: Display of object directory permits changes |
1136770 | Security note: ICF system login |
1133739 | |
1129536 | SCMA - Missing authorization check in Schedule Manager |
1120760 | |
1115699 | CO-OM Tools: SE16N: Adapting to SE16 |
1085326 | Security Note: Check for 'System -> Status' (SE80) |
1072946 | Gateway: Bypassing monitor commands |
1060643 | Security note: Hijacking/sys. login: New login after refresh |
1058531 | BBPSC: Cross-site scripting error |
1022102 | Executing JavaScripts in logon data |
957038 | Security gap in cross-site scripting |