Vahagn Vardanian

Co-founder and CTO of RedRays

Update 1 to SAP Security Note 1715734, SAP Security Note 2664504

Description

An authenticated user can call dbpool functions to which access should be restricted. This may result in an escalation of privileges.

This SAP Note supplements the corrections provided in SAP Security Note 1715734.

UPDATE 14th May 2019: The solution provided by note 1715734 is partial. For a complete solution, implement this note. If you have not implemented 1715734, implement only this note.

Available fix and supported packages

Affected software components (component | from release | to release):

  • SAP-JEE | 6.40 | 6.40
  • SAP-JEECOR | 7.00 | 7.00
  • SAP-JEECOR | 6.40 | 6.40
  • SAP-JEECOR | 7.01 | 7.02
  • SERVERCORE | 7.10 | 7.10
  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • SERVERCORE | 7.40 | 7.40
  • SERVERCORE | 7.50 | 7.50

Support package patches (component | support package | patch level):

  • J2EE ENGINE SERVERCORE 7.10 | SP012 | 000038
  • J2EE ENGINE SERVERCORE 7.10 | SP013 | 000032
  • J2EE ENGINE SERVERCORE 7.10 | SP014 | 000047
  • J2EE ENGINE SERVERCORE 7.10 | SP015 | 000031
  • J2EE ENGINE SERVERCORE 7.10 | SP016 | 000020
  • J2EE ENGINE SERVERCORE 7.10 | SP020 | 000022
  • J2EE ENGINE SERVERCORE 7.10 | SP021 | 000010
  • J2EE ENGINE SERVERCORE 7.10 | SP022 | 000005
  • J2EE ENGINE SERVERCORE 7.10 | SP023 | 000001
  • J2EE ENGINE SERVERCORE 7.10 | SP024 | 000000
  • J2EE ENGINE SERVERCORE 7.11 | SP007 | 000040
  • J2EE ENGINE SERVERCORE 7.11 | SP008 | 000047
  • J2EE ENGINE SERVERCORE 7.11 | SP009 | 000052
  • J2EE ENGINE SERVERCORE 7.11 | SP010 | 000039
  • J2EE ENGINE SERVERCORE 7.11 | SP011 | 000030
  • J2EE ENGINE SERVERCORE 7.11 | SP015 | 000022
  • J2EE ENGINE SERVERCORE 7.11 | SP016 | 000010
  • J2EE ENGINE SERVERCORE 7.11 | SP017 | 000007
  • J2EE ENGINE SERVERCORE 7.11 | SP018 | 000002
  • J2EE ENGINE SERVERCORE 7.11 | SP019 | 000000

Affected component

    BC-JAS-TRH
    Transactions and Resource Handling

CVSS

Score: 4.7
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2664504

TAGS

#Authorization
#authorization-check
#dbpool
#update
#update-note
