SAP Security Notes May 2012
Layer Seven Security
ADVISORY
There are two startling facts about SAP Security Notes released in May. The first is the sheer number of Notes issued by SAP, 257 to be exact. In comparison, March and April had just 46 and 33, respectively. The second is that almost 90 percent of the Notes were designed to provide greater protection for SAP systems against cross-site scripting attacks (XSS). There are several forms of XSS including stored, targeted at servers, and reflected, usually targeted at the client browser. The SAP patches released in May deal with both types of vulnerabilities.
XSS is the most prevalent Web application security flaw and the most popular attack vector used by hackers. It works through the injection of malicious scripts into input fields used by Web applications, which then render the script into pages served to other users. Encryption provides no defense against XSS: it merely encrypts the attack. XSS can be combated through a combination of code reviews (most XSS flaws can be detected by a trained eye) and input/output validation. For the latter, refer to the OWASP XSS Prevention Guide at www.owasp.org. Vulnerability scanners such as those used by SAPSCAN greatly help with the detection of known XSS flaws in SAP systems. You can learn more about SAPSCAN at http://layersevensecurity.com/sapscan.html.
SAP components are especially vulnerable to XSS since many rely upon Web-based (HTTP) communication. This includes SAP Business Suite software such as CRM and SRM and areas of the NetWeaver technology platform including the Enterprise Portal. Successful attacks can bypass SAP access controls and compromise the underlying data in such systems.
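Output encoding only works when it matches the context the data is written into, which is the point of the OWASP guide cited above. The Python below is an added example, not code from this report or from SAP: it implements the four OWASP encoding contexts and a browser-style check that shows the wrong encoder leaving the injection open. The page templates, the greet() handler, the /search URL and the test strings are constructed for the demonstration.

```python
"""Context-specific output encoding for XSS prevention.
Added example, not code from the report or from SAP. It follows the OWASP XSS
Prevention rules the report points to: each output context gets its own encoder,
and breaks_out() reads the result the way a browser would, so the effect of the
wrong encoder is visible. Templates and payloads are constructed for the demo."""
import html
import re
import urllib.parse

def encode_html(value):
    """Rule 1: HTML element content. Escape & < > " ' so no tag can be opened."""
    return html.escape(value, quote=True)

def encode_html_attr(value):
    """Rule 2: quoted attribute value. Hex-entity all but ASCII alphanumerics."""
    return "".join(c if c.isascii() and c.isalnum() else f"&#x{ord(c):X};" for c in value)

def encode_js_string(value):
    """Rule 3: inside a quoted JavaScript string literal (\\xHH / \\uHHHH escapes)."""
    return "".join(c if c.isascii() and c.isalnum()
                   else f"\\x{ord(c):02X}" if ord(c) < 256 else f"\\u{ord(c):04X}"
                   for c in value)

def encode_url_param(value):
    """Rule 5: a value inside a URL query parameter. Percent-encode everything."""
    return urllib.parse.quote(value, safe="")

# Stand-ins for a BSP/ITS page writing user-controlled data into four contexts.
TEMPLATES = {
    "body": "<p>Hello, {}</p>",
    "attr": '<input value="{}">',
    "onclick": """<a href="#" onclick="greet('{}')">hi</a>""",  # JS string nested in an attribute
    "url": '<a href="/search?q={}">go</a>',
}
# Correct encoder per context; nested contexts are encoded inside-out (JS, then attribute).
SAFE = {"body": encode_html, "attr": encode_html_attr,
        "onclick": lambda v: encode_html_attr(encode_js_string(v)), "url": encode_url_param}
# Common mistakes: no encoding, escaping only < > &, or HTML-encoding a value that the
# browser entity-decodes before interpreting it as JavaScript or as a URL.
WEAK = {"body": lambda v: v, "attr": lambda v: html.escape(v, quote=False),
        "onclick": encode_html_attr, "url": encode_html}
PAYLOADS = {"body": "<script>alert(1)</script>", "attr": '" onfocus="alert(1)',
            "onclick": "'); alert(1); ('", "url": "a&admin=1"}   # constructed test strings
ATTR = re.compile(r'(\w+)="([^"]*)"')

def render(context, value, encoder=None):
    """Write value into the context's template, with the safe encoder unless told otherwise."""
    return TEMPLATES[context].format((encoder or SAFE[context])(value))

def breaks_out(context, rendered):
    """Read rendered output the way a browser would; True if data became markup or code."""
    if context == "body":
        return rendered.count("<") > 2       # the template itself contributes <p> and </p>
    if context == "attr":
        return rendered.count('"') > 2       # extra quotes mean the value closed the attribute
    attrs = dict(ATTR.findall(rendered))
    if context == "onclick":                 # entity-decode first, then parse as JS
        js = html.unescape(attrs.get("onclick", ""))
        return re.fullmatch(r"greet\('((?:[^'\\]|\\.)*)'\)", js) is None
    if context == "url":                     # entity-decode, then parse the URL query
        href = html.unescape(attrs.get("href", ""))
        params = urllib.parse.parse_qs(urllib.parse.urlparse(href).query, keep_blank_values=True)
        return not href.startswith("/search?") or set(params) != {"q"}
    raise ValueError(f"unknown context {context!r}")

def demo():
    """Per context: (breaks out with the safe encoder?, with the weak one?)."""
    return {c: (breaks_out(c, render(c, PAYLOADS[c])),
                breaks_out(c, render(c, PAYLOADS[c], WEAK[c]))) for c in TEMPLATES}

if __name__ == "__main__":
    for ctx, (safe, weak) in demo().items():
        print(f"{ctx:8} safe encoder breaks out: {safe!s:5}  weak encoder breaks out: {weak}")
```

The onclick case is the one to study: HTML-attribute encoding alone looks safe in the page source, but the browser decodes the entities before running the handler, so the JavaScript string still breaks out.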
Before installing the May patches, SAP customers should install the new encoding library introduced in Note 1601461 (refer to Notes 1582870 and 1582867). Customers should also update Business Server Pages (BSP) (Notes 1687915, 1640092 and 1671470) and the Internet Transaction Server (ITS) (Notes 1488500 and 1621946). For more detailed instructions, follow the SAP checklist available at the SAP Marketplace.
SAP also introduced a critical patch for certain Kernel functions in the month of May. The Kernel lies at the core of SAP systems and contains executable (.exe) files that support the so-called runtime environment. The Kernel is an abstraction layer between SAP systems and the underlying operating system and database layers. It supports the interoperability of SAP systems by enabling SAP to work with almost any enterprise-level OS and DB.
Security Note 1682505 patches a high-risk vulnerability affecting Transport Tools (BC-CTS-TLS) in the Kernel. Transport Tools includes utilities used to control releases and transfer data between SAP systems. This includes programs such as tp and R3trans that are called upon by the Change and Transport System (CTS) and Transport Management System (TMS). Missing authorization checks in this part of the Kernel could enable some users to access sensitive functions through the escalation of privileges.
[Chart: SAP Security Notes by Vulnerability Type]

Appendix: SAP Security Notes, May 2012

PRIORITY  NOTE  AREA  DESCRIPTION
1  1682505  BC-CTS-TLS  Missing authorization check in KERNEL
1  1716165  BC-JAS-SEC  Update 1 to security note 1651004
1  1631354  BC-JAS-SEC-UME  Update 1 to Security Note 1616058
2  1715626  BC-BSP  Update 1 to security note 1591427
2  1680413  CRM-BF-TM  Unauthorized modification of displayed content in CRM-BF-TM
2  1680142  CRM-IC-ADR  Unauthorized modificat. of displ. content in CRM-IC-ADR
2  1680716  XAP-MBA-DSD  Unauthorized modification of displayed content in MDSD Admin
2  1684713  IS-M  Unauthorized modification in ITS-Services in IS-M
2  1684640  IS-M  Unauthorized modification in BSP applications in IS-M
2  1684344  CRM-IC-FRW  Unauthorized modification of displayed content in IC_BASE
2  1683913  PP-MES  Unauthorized modification in SICF-services in PP-MES
2  1683397  PPM-PRO  Unauthorized modification of displayed content in PPM-PRO
2  1683291  CA-GTF-SP-GEN  Unauthorized modification in CA-GTF-SP-GEN
2  1682810  SLC-REG  Unauthorized use of application functions in SLC-REG
2  1682611  CRM-IPS-BTX  Unauthorized modification in BSP application in CRM-ISP-BTX
2  1682360  CRM-MKT-SEG-IEX  Unauthorized modification of displayed content in CRM_MKTIME
2  1682054  SRM-SUS  Unauthorized modification of displayed content in SRM-SUS
2  1681906  SRM-EBP-BID  Unauthorized modification of displayed content in SRM-EBP
2  1681887  CRM-BF-CFG  Unauthorized modification of displayed content in IPC UI
2  1677037  CRM-IFS  Unauthorized modification of displayed content in CRM-IFS
2  1676981  EP-PCT-PUR-BP  Unauthorized modification in BSP applicat. of EP-PCT-PUR-BP
2  1676934  SRM-EBP-CA-ATT  Malicious modification of SRM attachment url.
2  1676849  CRM-MD-PRO-OBJ  Unauthorized modification of BSP in CRM-MD-PRO-OBJ
2  1676848  CRM-IC-OBJ  Unauthorized modification of BSP in CRM-IC-OBJ
2  1676846  CRM-MD-PRO  Unauthorized modification of BSP in CRM-MD-PRO
2  1676754  IS-A-DP-VMS  Unauthorized modification of BSP in Webdocuments
2  1676753  IS-A-DP-SPP  Unauthorized modification of BSP in Webdocuments
2  1676722  IS-A-DP-WTY  Unauthorized modification of BSP in Webdocuments
2  1676678  FS-CD  Unauthorized change of contents displayed in agency collctns
2  1676514  CRM-BTX-PRV-DUI  Unauthorized modificat. of displ. content in CRM-BTX-PRV-DUI
2  1676480  EP-PCT-MGR-CO  Unauthorized modification in BSP appl. in EP-PCT-MGR-CO
2  1676479  CO-OM  Unauthorized modification in BSP application in CO-OM
2  1676473  EP-PCT-SD-S  XSS: Source code commented out incorrectly on BSP pages
2  1676293  SRM-EBP-CAT  Unauthorized modification of displayed content in SRM-EBP
2  1676236  PA-ER  Unauthorized modification of stored content in E-Recruiting
2  1677068  PLM-PPM-PDN  Unauthorized modification of displayed content in PLM-PPM-PDN
2  1679963  CRM-IC-EMS  Unauthorized modification in BSP application in CRM-IC-EMS
2  1679689  SRM-ROS  ROS: Unauthorized modification in BSP application
2  1679401  CRM-MKT-MPL-CA  Unauthorized modification in BSP application CRM-MKT-MPL-CA
2  1679172  CRM-BF-SVY  Unauthorized modification in BSP application in CRM-BF-SVY
2  1679032  CRM-CHM  Unauthorized modification of displayed content in CRM-CHM
2  1678715  CRM-BTX-ACT  Unauthorized modification in CRM e-Mail Activity
2  1678643  FIN-SEM-CPM-BSC  Unauthorized modification in BSP application in FIN-SEM-CPM
2  1678581  CRM-BF-BRF-RM  Unauthorized modification in CRM Rule builder (CRM-BF-BRF-RM)
2  1678243  CA-DMS  Unauthorized modification of BSP in Webdocuments (2)
2  1678055  CRM-IPS-ICM-ACT  Unauthorized modification of displayed content in ICM e-mail
2  1677810  IS-U-WA  Unauthorized modification in ITS-Service in IS-U-WA
2  1677766  PP-KAB  Unauthorized modification in ITS-Service in KANBAN
2  1677486  SCM-APO-CA-COP  Unauthorized modification in ITS-Service in SCM-APO-CA-COP
2  1677475  PA-ER  Unauthorized use of application functions in HRRCF_START_EXT
2  1677413  PPM-PRO  Unauthorized modificatn of displayed content in PPM-PRO (1)
2  1677194  BW-BCT-ISR-AA  Unauthorized modif. of stored content in RSBCT_RFASH_ALI
2  1694075  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(9)
2  1694074  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(8)
2  1694062  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(7)
2  1694061  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(6)
2  1694060  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(5)
2  1694059  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(4)
2  1694057  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(3)
2  1694056  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(2)
2  1693480  BC-FES-ITS  Unauthorized modification of displayed content in ITS
2  1693219  CRM-BF-WST  Unauthorized modification of content in WS_DESIGN_TOOL
2  1692352  CRM-MD-BP-CCP  Unauthorized modification of the content in CRM-MD-BP-CCP
2  1698421  CRM-MKT-SEG-TGR  Unauthorized modification of displayed content in CRM_MKT
2  1698889  CA-GTF-PCF  Unauthorized modification of displayed content in CA-GTF-PCF
2  1699074  CRM-IT  Unauthorized modification of stored content in CRM_IT_DEALER
2  1690118  CRM-BTX-BF  Unauthorized modification in CRM Business Transactions
2  1696538  CRM-IC-FRW  Unauth. mod. of displayed content in Interaction Center Frw.
2  1695596  IS-U-CS  Unauthorized modification of stored content in IS-UT
2  1695324  CRM-IC-SCR  Unauthorized modification of displayed content in CRM-IC-SCR
2  1695059  CRM-BF-ML  Unauthorized modification of displayed content in CRM Email
2  1695039  CRM-BF  Unauthorized modification of displayed content in CRM_BSP
2  1694952  CRM-MKT  Unauthorized modification of displayed content in CRM-MKT
2  1697160  SCM-BAS-UIF  Unauthorized modification of displayed content in ICH
2  1694662  BC-CCM-MON-SLG  Directory Traversal in SAP System Log
2  1697723  CRM-IC-ABO  Unauthorized modification of displayed content in CCMP_RABOX
2  1694226  BW-PLA-BPS-WIB  Unauthorized execution of application funcs. in BW-PLA-BPS
2  1694081  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(14)
2  1694080  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(13)
2  1694078  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(12)
2  1694077  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(11)
2  1694076  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(10)
2  1690079  BW-BCT-CRM  Unauthorized modification in BSP applications in BW-BCT-CRM
2  1687722  PPM-PRO  Unauthorized modification of displayed content in PPM
2  1687668  PE-LSO-LPO  Unauthorized modification in BSP application in PE-LSO-LPO
2  1687477  CA-GTF-IC-SCR  Unauthorized modification in BSP in CA-GTF-IC-SCR 3
2  1687426  CA-GTF-IC-SCR  Unauthorized modification in BSP in CA-GTF-IC-SCR 1
2  1686829  PA-EC-JP  Unauth. modification of displayed content in Job Pricing
2  1686828  PA-EC-BD  Unauth. modification of displayed content in Budgeting
2  1686821  SLC-SUP  Unauthorized modification of displayed content in SLC-SUP
2  1686703  CRM-CIC-CAM  Unauthorized modification of content in CRM-CLM applications
2  1686627  PPM-PFM  Unauthorized modification on document url in PPM
2  1686573  CRM-CIC  Unauthorized modification of content in CRM-CIC applications
2  1686234  PA-PD-PM  Unauthorized modification of stored content in PA-PD-PM
2  1685251  XX-PROJ-FI-CA  Unauthorized modification of BSP in FI-CA
2  1685062  CRM-MKT-MPL-CA-BRE  Unauthorized modification in CRM-MKT-MPL-CA-BRE
2  1685036  CRM-BTX-GWI  Unauthorized modification of stored content in CRM-BTX-GWI
2  1685003  EPM-BFC-TCL  Potential remote code execution in Financial Consolidation
2  1689963  CRM-MKT-MPL-CA-MOD  Unauthorized modification in CRM-MKT-MPL-CA-MOD
2  1689843  CRM-MKT-MPL-CA-BRE  Unauthorized modification in component CRM-MKT-MPL-CA-BRE
2  1689083  CRM-ANA-SRV-BW  Unauthorized modification of disp. content in CRM-ANA-SRV-BW
2  1689009  EP-PCT-MAN-M  Unauthorized modification in BSP application in PlantManager
2  1688768  CRM-IC-ABO  Unauthorized modification of content in CRM_CIC_RABOX
2  1699418  BC-BSP  Unauthorized modification of displayed content in BSP
2  1688660  BW-BCT-EPM  Unauthorized modification of stored content in BI_CONT
2  1700195  BW-BCT-PSM  Unauthorized modification of displayed content in BW-BCT-PSM
2  1700620  FIN-SEM-CPM  Unauthorized modification of displayed content in FIN-SEMCPM
2  1688518  FS-BA-TO-ME  Code injection vulnerability in module editor
2  1701662  CA-SUR  Unauthorized modification of displ content in Web Request
2  1688421  BC-SEC-SSF  Unauthorized modification of displayed content in BSP apps.
2  1702304  PA-EC-BD  Unauthorized modification displayed content ECM_BSP_LIBRAY
2  1687962  CRM-BTX-ACT  Unauthorized modification of displayed content in Calendar
2  1687910  BC-ABA-SC  Potential denial of service in DIAG Processor
2  1676211  CA-GTF-IC-BRO  Unauthorized modification in BSP in CA-GTF-IC-BRO
2  1658759  BW-BEX-ET-WEB  Directory traversal with unauthorized modification in BW
2  1657275  FI-FM  Missing authorization check in FI-FM
2  1657210  CRM-ISE-SRE  Unauthorized mod. of displayed content in Web.Req. toolbox
2  1656918  CRM-ISE-WBF  Unauthorized mod. of displayed content in UAD_xx
2  1656658  BC-DWB-WD-ABA  Unauthorized modification of displayed content in Web Dynpro
2  1655538  PA-PA-JP  Unauthorized modification in ITS-Service
2  1655428  PA-PA-KR  Unauthorized Modification in ITS-Service in PA-PA-KR
2  1655298  BC-FES-GUI  Generic low level functionality in SAP GUI
2  1654574  CRM-BTX-ERP  Unauthorized modification of content in configuration
2  1654492  CRM-BTX-BF-ATP  Unauthorized modification of content in gATP pop-up
2  1653474  BC-WD-JAV  Unauthorized Modification of Displayed Content in Web Dynpro
2  1653473  EP-PDK-HBJ  Unauthorized Modification of Displayed Content in HTMLB
2  1653127  CRM-BF-WFI  Unauthorized modification in SICF-service in CRM-BF-WFI
2  1652708  CRM-BTX-ERP  Unauthorized modification of content in ERP print preview
2  1652707  CRM-BF-ACI  Unauthorized modification of content in order print preview
2  1650819  SLL-LEG-CUS  Cross-Site-Scripting (XSS) in GTS Dashboard possible
2  1658926  CRM-BF-COM  Unauthorized modification of displayed content in CRM CM
2  1661838  CA-GTF-PCF  Unauthorized modification of stored content in CA-GTF-PCF
2  1661780  PLM-CFO  Unauthorized modification of displayed content in PLM-CFO(1)
2  1661698  BW-BEX-ET  Unauthorized modification of displayed content in BW-BEX-ET
2  1661568  SRM-SUS  Unauthorized modification in BSP application/SICF Service
2  1661411  FI-TV-PL  Unauthorized modification of displayed content in FI-TV-PL
2  1661065  CRM-BF-COM  Unauthorized modification of displayed content in CRM CM
2  1661016  CRM-MKT-DAM  Unauthorized modification of BSP in CRM-MKT-DAM
2  1660926  CRM-BF-COM  Unauthorized modification of displayed content in CRM CM
2  1660855  CRM-BF-ML  Unauthorized modification of displayed content in CRM Email
2  1660718  IS-M-AMC  Cross site scripting vulnerability in BSP pages for AMC
2  1660428  BC-SRV-RM  Unauthorized modification of stored content in BC-SRV-RM
2  1660337  SRM-EBP-CON  Unauthorized modification of stored content in SRM-EBP-CON
2  1659640  PA-PA-CN  Security: XSS vulnerability in SAP GUI for HTML
2  1659560  CRM-ISE-WBF  Unauthorized mod. of displayed content in CRM-ISE-WBF
2  1659519  CRM-BF-ML  Unauthorized modification of displayed content in CRM Email
2  1659045  CRM-BF-ML  Unauthorized modification of displayed content in CRM EMAIL
2  1659015  CA-EPT-ANL-LST  URL in Launchpad-Navigation can be malformed
2  1610923  BC-SRV-SSF  Unauth. modification of displayed content in BC-SRV-SSF
2  1610668  BC-SRV-GBT-ALM  Unauthorized modif. of displayed content in BC-SRV-GBT-ALM
2  1610237  CRM-ANA-PS  Unauthorized modification of displayed content in BW-CRM
2  1609808  BC-SRV-KPR-RET  Unauthorized modification of displayed content in BC-SRV-KPR
2  1609546  BC-SRV-RM  Unauthorized modification of stored content in BC-SRV-RM
2  1609289  BC-MOB-MI  Unauthorized modification of displayed content in BC-MOB-MI
2  1608934  BC-DOC-TER  Potential loss of integrity in web app Terminology Tools
2  1608651  PA-PD-PM  Unauthorized modification of stored content in PA-PD-PM
2  1600317  BC-BSP  Unauthorized modification of displayed content in BSP
2  1597489  SCM-EWM-RF  Unauthorized use of application functions in SCM-EWM-RF
2  1597066  BW-BEX-OT-MDX  MDX: SOAP / XMLA interface and Document Type Definitions
2  1590866  BC-MOB-MI  Unauthorized modification of displayed content in BC-MOB-MI
2  1590341  BC-MID-ICF  Unauth. modification of displayed content in ICF Recorder
2  1589215  IS-CC  Potential modification of persisted data in SAP CC
2  1565781  EP-PCT-PUR-BP  Buyer: Sec. note for cross-site scripting & BSP applications
2  1341333  BC-DB-SDB  Potential info. disclosure and code execution in sapdbctrl
2  1612819  CA-GTF-TS-WSI  Unauthorized modification of stored content in CA-GTF-TS-WSI
2  1649117  BC-WD-ABA  Unauthorized modification of displayed content in WebDynpro
2  1644876  FS-CD  Unauthorized modification of displayed content agency coll.
2  1638718  BC-BSP  XSS vulnerability in BSP system
2  1637338  BC-WD-UR  Unauthorized modification of displayed content in UR
2  1632687  CA-GTF-IC-SCR  Unauthorized modification in BSP in CA-GTF-IC-SCR 2
2  1629474  BC-BSP  Unauthorized modification of displayed content in BSP pages
2  1628849  CA-WUI-UI-TAG  Unauthorized modification of stored content in WEBCUIF
2  1626152  CRM-ISA  Potential runtime problems after manipulation of isa_relogin
2  1624142  BC-SRV-ARL  Unauthorized modification of stored content in BC-SRV-ARL
2  1615941  EP-PIN  Portal XSS Encoding Library - StringUtils
2  1615019  BI-BIP-CMC  Unauthorized modification of displayed content in BOE
2  1614834  BC-ESI-WS-ABA-CFG  Unauthorized modification of displayed content in UDDIClient
2  1614750  PLM-CFO  Update #2 to Security Notes 1466863
2  1613163  PLM-CFO  Update #2 to Security Notes 1496707
2  1662272  BI-BIP-OP  Potential denial of service in BusinessObjects Enterprise
2  1675232  CRM-IC-CAM  Unauthorized modification in BSP in CRM-IC-CAM
2  1675220  FI-AP  Obsolete ITS services in FI-AR/AP
2  1675153  BW-BCT-PLA-RAP  Unauthorized modification of displayed content in BW-BCT-PLA
2  1674905  SRM-EBP-CA-ATT  Malicious modification of displayed SRM attachments
2  1674902  SLC-SUP  SLC: Unauthorized modification in BSP application
2  1674713  SRM-EBP-BID  Unauthorized modification in ITS services
2  1674685  SRM-EBP-TEC-ITS  Unauthorized modification in ITS-Services in SRM
2  1674616  CA-WUI-APF  Unauthorized modification of content in transaction launcher
2  1674596  IS-M-AMC  Unauthorized modification of displayed content in IS-M-AMC
2  1674366  CRM-ISE-WBF  Unauthorized mod. of displayed content in BSP CRM_PS_SOA
2  1674219  CO-OM  Unauthorized modification in ITS-Services of ISR
2  1674100  SRM-EBP-PRC  Unauthorized modification in ITS-Service in SRM-EBP-PRC
2  1674027  SRM-CMT  Unauthorized modification in ITS-Service in SRM-EBP-CAT
2  1673853  IS-HER-CM  Unauthorized modification in BSP application in IS-HER-CM
2  1673790  IS-HER-CM  Unauthorized modification in BSP application in IS-HER-CM
2  1673645  SRM-EBP-VE  Unauthorized modification of displayed content in VE
2  1673549  IS-M-AMC  Unauthorized modification of displayed content in IS-M-AMC
2  1675346  FI-AA  Obsolete ITS services in FI-AA
2  1676123  SRM-EBP-INV  Unauthorized modification of ITS in SRM-EBP-INV
2  1676070  PLM-PPM-PDN  Unauthorized modification of displayed content PLM-PPM-PDN
2  1676045  SRM-EBP-APM  Unauthorized modification of displayed content in APM
2  1675884  CRM-IC-EMS-RUL  Unauthorized modification in BSP app in CRM-IC-EMS-RUL
2  1675809  PS-CLM  Unauthorized modification in ITS-Service in PS-CLM
2  1675796  FIN-CGV-MIC  Migration to new XSS-Library
2  1675795  PS-CON  Unauthorized modification in ITS-Service in PS
2  1675775  FIN-SEM-CPM  Unauthorized modification of displayed content in SEM-CPM
2  1675734  SRM-EBP-CAT  Unauthorized modification in ITS-Services in BBP
2  1675605  EP-PIN-RTC  Missing authorization check in RTC
2  1675533  BC-WD-CMP-FPM  Missing authorization check in BC-WD-CMP-FPM
2  1675499  SRM-LA  Unauthorized modification of displayed content in SRM-LA
2  1675484  CRM-IC-FRW  Unauthorized modification in BSP in CRM-IC
2  1675411  CRM-IC-SCR  Unauthorized modification in BSP in CRM-IC-SCR
2  1675396  SRM-EBP-CGS  BBP_PM01 ITS service vulnerable to XSS attack
2  1675374  FI-AA  Unauthorized modificatn of displayed content FI-AA (EA-APPL)
2  1675350  CRM-ANA-MKT-CLV  Unauthorized modification in BSP appl. in CRM-ANA-MKT-CLV
2  1670098  CA-DMS  Unauthorized modification of BSP in Webdocuments
2  1669048  CRM-ANA  Unauthorized modification of BSP in CRM-ANA
2  1668728  SRM-EBP-PD  Unauthorized modification of displayed content in SRM
2  1668681  PPM-PFM  Unauthorized modification of displayed content in PPM-PFM
2  1668569  IS-A-SWP  Unauthorized modification in ITS-Services in SWP.
2  1666901  CRM-IC-FCA  Unauthorized modification of BSP in CRM-IC-FCA
2  1665973  SRM-EBP-WFL  Unauthorized modificat. of displayed content in SRM-EBP-WFL
2  1665930  FIN-BA  Unauthorized modification of displayed content in FIN-BA
2  1665704  CRM-MD-BP-CCP  Unauthorized modification of BSP in CRM-MD-BP-CCP
2  1665489  SRM-EBP-PRO  Unauthorized modification of stored content in SRM-EBP-PRO
2  1665082  SRM-EBP-CA-SIG  Unauthorized modification of BSP in SRM-EBP-CA-SIG
2  1665004  CRM-IPS-BTX-APL  Unauthorized modification of BSPs in CRM Grantor Management
2  1664632  QM  Unauthorized modification of ITS in QM
2  1664449  FIN-FSCM-BD  Unauthorized modification of displayed content in FSCM BD
2  1663788  CRM-IU  Unauthorized change of displayed content in CRM-IU
2  1670153  IS-A-SWP  Unauthorized modification in ITS-Services in SWP.
2  1673177  IS-OIL-DS-SSR  Unauthorized modification in ITS-Service in IS-OIL-DS-SSR
2  1673131  IS-ADEC-BOQ  Unauthorized modification in ITS-Service in IS-ADEC-BOQ.
2  1673038  SRM-SUS  SUS: Unauthorized modification in BSP application SRMSUS
2  1672819  PA-PA-SG  Security: XSS vulnerability in SAP GUI for HTML
2  1672743  PPM-PRO  Unauthorized modification of displayed content in PPM-PRO
2  1672695  PA-PA-AU  Security: XSS vulnerability in SAP GUI for HTML
2  1672442  CRM-ANA-BOJ-UI  Unauthorized modification of BSP in CRM-ANA-BOJ-UI
2  1672440  CRM-MKT-ML  Unauthorized modification of BSP in CRM-MKT-ML
2  1672438  CRM-MKT-MPL  Unauthorized modification of BSP in CRM-MKT-MPL
2  1672369  CRM-MKT-MPL-TPM-TPO  Unauthorized modification of displayed content in TPO 100
2  1671695  CRM-MD-BP-PCU  Unauthorized modification of BSP in CRM-MD-BP-PCU
2  1671334  PA-PA-IN  Security: XSS vulnerability in SAP GUI for HTML
2  1671206  BC-SRV-BTF  Unauthorized modification of displayed content in BTF-Editor
2  1671106  CRM-IPS-ICM-CMG  Unauthorized modification of displayed content in ICM
2  1671087  CRM-MKT-MPL-CAL  Unauthorized modification of display content in MKT Calendar
2  1670438  SRM-EBP-ADM-USR  Unauthorized modification of ITS in SRM-EBP-ADM-USR
2  1670220  IS-HER-CM  Unauthorized modification of ITS in IS-HER-CM
2  1721539  BW-WHM  Update 1 to security note 1656265
2  1723907  PLM-CFO  Update 1 to security note 1613163
3  1655512  EPM-SA  Missing Authorization check in OPMFND
3  1593247  PP-MES  Missing authorization check in PP-MES
3  1642810  SV-SMG-SDD  Code injection vulnerability in SV-SMG-SDD
3  1642179  CRM-MW-MBX  HTTP verb tampering issue in Java MapBox
3  1629676  PE-LSO-LPO  Security fix for BSP application HCM_LEARNING
3  1663799  BC-JAS-ADM-ADM  Missing authorization check in NWA
4  1667388  BC-BMT-BRM-ENG  Explicit Scope Declaration issues in BRMS-CORE
Layer Seven Security
Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993
Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada
Layer Seven Security specialize in SAP security. We serve customers worldwide to protect information assets against internal and external threats and comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing risks associated with contemporary SAP systems.
Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.
The company is privately owned and headquartered in Toronto, Canada.
© Copyright Layer Seven Security 2012 - All rights reserved.
No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.
Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.
This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.
SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.