Skip links
Vahagn Vardanian

Vahagn Vardanian

Co-founder and CTO of RedRays

SAP Internet Communication Framework fails to validate HTTP_WHITELIST, SAP security note 2189853

Description

UPDATE 14th July 2020 : This note has been re-released with the updated ‘Correction instruction’ information.

UPDATE 23rd July 2019: This note has been re-released with updated ‘Correction instruction’ information for the release 710. Also CVSS details were added.

SAP Internet Communication Framework fails for public services to validate access control list (ACL) information of table HTTP_WHITELIST and to logout user correctly.

Available fix and Supported packages

  • SAP_BASIS | 700 | 702
  • SAP_BASIS | 710 | 711
  • SAP_BASIS | 730 | 730
  • SAP_BASIS | 731 | 731
  • SAP_BASIS | 740 | 740
  • SAP_BASIS 710 | SAPKB71020 |
  • SAP_BASIS 711 | SAPKB71115 |
  • SAP_BASIS 700 | SAPKB70033 |
  • SAP_BASIS 701 | SAPKB70118 |
  • SAP_BASIS 702 | SAPKB70218 |
  • SAP_BASIS 730 | SAPKB73014 |
  • SAP_BASIS 731 | SAPKB73117 |
  • SAP_BASIS 740 | SAPKB74013 |

Affected component

    BC-MID-ICF
    Internet Communication Framework

CVSS

Score: 5.0
CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:L/A:L

PoC

Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.

URL

https://launchpad.support.sap.com/#/notes/2189853

TAGS

#SAP-Internet-Communication-Framework
#ICF
#ACL
#White-List
#table-HTTP_WHITELIST
IF_HTTP_SERVER&126-LOGOFF
Public-ICF-Service

More to explorer

Special offer for SAP Security Udemy course!

$ 9.99

Join “SAP Security Core Concepts and Security Administration” which is part of the Blackhat course series.