Arpine Maghakyan

Security Researcher of RedRays.

GRMG Ensuring Password Security in GRMG Customizing, SAP security note 759387


This note describes a security risk in connection with GRMG scenario customizing files and a work-around for ensuring complete security with respect to sensitive password data in GRMG scenario customizing files.

The CCMS GRMG (Generic Request and Message Generator) tests the availability of web components, such as NetWeaver 04 ABAP and J2EE engines, software components running on these engines, and SAP or non-SAP web services.

GRMG monitors what it calls ‘scenarios’. A scenario identifies the URL of the monitored web service and packages the properties required for logon to the web service and for performing tests of functionality at the monitored service. Among these properties may be passwords, either for the logon to the web service or for logons to other components, such as shops, in the course of availability testing at the web service.

GRMG scenarios are defined in XML documents which are uploaded into the CCMS monitoring system, an ABAP engine at Release 6.40 (NW04) or Release 6.20.  GRMG scenario customizing typically is stored as an XML file, whereby the file may be created directly by the customer or may be generated by the SAP Visual Administrator (SAP J2EE Engine), the SAP Extended Configuration Manager (XCM, SAP CRM) or by some other tool.

GRMG customizing files are stored for upload into the monitoring ABAP system in a well-defined directory on the host at which a web service is running. It is with respect to GRMG customizing files in the GRMG upload directory that a security risk exists.

Access to the GRMG upload directory in which GRMG scenario customizing files are stored is naturally restricted. No normal user should have logon access to the host on which an SAP engine or other production web service is running, and only certain administrative users (for Visual Admin, for XCM, the user under which a CCMS agent is running) should have access to the GRMG directory itself. Nevertheless, if passwords have been entered as properties in the GRMG customizing XML files, then these passwords are stored in unencrypted form in the GRMG customizing files in the GRMG upload directory. This is the security risk discussed in this note.
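As an added example (not code from the SAP note or from RedRays), the following Python audit lists password-like properties that carry a cleartext value in customizing files, together with the file mode, without ever returning the value itself. The element names `property`, `propname` and `propvalue`, the name hints and the sample file are assumptions constructed for illustration; the upload directory path is supplied by the operator.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Assumption: properties are stored as <property><propname/><propvalue/></property>.
SENSITIVE_HINTS = ("pass", "pwd", "secret")  # assumed naming hints

# Constructed sample file; all names and values are made up.
SAMPLE = """<customizing><scenarios><scenario><components><component><properties>
    <property><propname>logon_user</propname><propvalue>monitor</propvalue></property>
    <property><propname>logon_password</propname><propvalue>CONSTRUCTED-VALUE</propvalue></property>
    <property><propname>shop_password</propname><propvalue></propvalue></property>
</properties></component></components></scenario></scenarios></customizing>"""

def audit_file(path):
    """Report password-like properties with a value; the value itself is never returned."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    base = {"file": os.path.basename(path), "mode": oct(mode),
            "group_or_other_access": bool(mode & (stat.S_IRWXG | stat.S_IRWXO))}
    try:
        root = ET.parse(path).getroot()
    except ET.ParseError:
        return [dict(base, issue="unparseable XML, review by hand")]
    findings = []
    for prop in root.iter("property"):
        name = (prop.findtext("propname") or "").strip()
        value = (prop.findtext("propvalue") or "").strip()
        if value and any(h in name.lower() for h in SENSITIVE_HINTS):
            findings.append(dict(base, property=name, issue="cleartext value present"))
    return findings

def audit_directory(directory):
    """Audit every .xml file in the upload directory (path supplied by the operator)."""
    names = sorted(n for n in os.listdir(directory) if n.lower().endswith(".xml"))
    return [f for n in names for f in audit_file(os.path.join(directory, n))]

def demo():
    """Write the sample into a temp directory with mode 0644 and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "grmg-customizing.xml")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)
        return audit_directory(tmp)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```

A finding with `group_or_other_access` set to true means the file holding the cleartext value is accessible beyond its owner, which is the combination the note warns about.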

Available fix and Supported packages

  • SAP_BASIS | 620 | 640
  • SAP_BASIS | 700 | 700

Affected component

    CCMS Monitoring & Alerting


Score: 0


Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.



