Description
UPDATE 2: May 14, 2019: All sections of text in this SAP Note and its validity have been revised. In addition, the CVSS information has been provided.
UPDATE 1: November 3, 2010: For details, see security note 1525125.
Since the SAP Gateway is an interface of the application server to external items (to other SAP systems, to external programs, and so on), security criteria must be fulfilled here. The security of the SAP Gateway (and thus the entire SAP system) is controlled via the files reg_info and sec_info (defined by the instance profile parameters gw/reg_info and gw/sec_info).
Notes 1069911 (reg_info) and 614971 (sec_info) describe the syntax for the lines that control the restart of external programs (sec_info) and the registration of external programs to the application server (reg_info). (Common problems in connection with registered programs and reg_info, see Note 1592493).
This note provides guidance about which entries can be the starting point for both files to increase the security of the system, to keep the maintenance effort to a minimum, and to be as transparent as possible at the same time.
Available fix and Supported packages
- SAP_BASIS | 46D | 46D
- SAP_BASIS | 640 | 640
- SAP_BASIS | 700 | 702
- SAP_BASIS | 710 | 730
- SAP_BASIS | 731 | 731
- SAP_BASIS | 740 | 740
- SAP_BASIS 702 | SAPKB70205 |
- SAP_BASIS 720 | SAPKB72004 |
- SAP_BASIS 730 | SAPKB73001 |
Affected component
- BC-CST-GW
Gateway/CPIC
CVSS
Score: 4.8
CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:L/I:L/A:L
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/1408081