Solution: https://service.sap.com/sap/support/notes/1266780 (SAP Service Marketplace login required)
Summary:
If a URL that contains an active session identifier is copied and sent to someone else, the recipient can execute that URL within the original session, which is a security risk. The cause is that the SAP system processes requests belonging to an established session without rechecking the SAP logon ticket. As a mitigation, SAP provides a correction that verifies the logon ticket on every request, provided the system is configured to use SAP logon tickets exclusively for Single Sign-On (SSO). Enabling it requires a kernel patch, the system profile parameter icf/ssocookie_mandatory = 1, and service-specific checks configured in the ICF (transaction SICF). Requests that do not pass these checks are rejected and the corresponding errors are logged.
Key words:
service-specific cookie check activated, required kernel patch results, kernel switch icf/ssocookie_mandatory = 1, kernel parameter icf/ssocookie_mandatory, sap logon ticket, sap logon tickets, call transaction sicf, icf/ssocookie_mandatory = 1 only, timeout short dumps, error page specific
Related Notes:
1532874 | Upgrade: Changing the HTTP reauthentication |
1532777 | |
1521197 | Update #1 to Security Note 1517094 |
1517094 | CRM-IC: Session Access Token |
1465838 | User check of HTTP request in ABAP 700/kernel 720 |
1420203 | Enable foreign access to a stateful HTTP session |
1396332 | SRM: Issues caused by note 1266780 |
1374166 | Work process terminates with TIME_OUT with SSOMANDATORY |
1334907 | ICF, HTTPONLY flag for ICF cookies |
1325243 | ITS Up/down: not working if user recheck is enabled |
1277022 | |