Subsidiary smarterSec takes part in SAP Security Patchday
SAP closes serious security gaps as part of the SAP Security Patchday
April's SAP Security Patchday adds 20 items to the worklist of those responsible for security, including another security patch based on research delivered by smarterSec. It is notable that this month covers several critical security issues, each rated with a CVSS score of 7.7 or higher.
Of course, corrections rated with a "full score" need some detailed checks. This month we must deal with two notes that were rated with a CVSS of 9.9 (SAP note 3587115 and SAP note 3581961). It turns out that both deal with the same issue: an ABAP command injection that allows attackers to easily manipulate the source code of the system and thereby put the confidentiality, integrity and availability of the system at risk. The corresponding correction instructions essentially retire the functionality by shutting down the affected RFC function module completely.
We strongly encourage all SAP customers to check whether their systems contain the described vulnerabilities and to implement the SAP security notes as soon as possible.
Please note that the RFC function module in scope is part of the SAP Landscape Transformation (LT) analysis program. That means: unless you are currently using this tool, e.g. in migration or conversion projects, it is very unlikely that the function is in use at all. Consequently, you should be able to implement the note and thereby shut down the object completely.
Our subsidiary smarterSec will be happy to advise you on the topic of SAP Security & Compliance.