Description
You want to increase the security level of your SAP system with regard to the execution of external commands.
The following situation applies if you do not use the solution described below:
The assumption is that a user has the following authorizations in an SAP system ABC:
– create external commands
– execute external commands
– create RFC destinations
In this case, this user can also execute external commands on other hosts:
a) that can be accessed from the system via TCP/IP, and
b) where an SAP RFC server program SAPXPG is located, and
c) where an SAP application server is running OR where an <ABC>adm operating system user exists.
This is even the case if the user has no authorizations for this host.
With the solution described below, you can specify a list of operating system commands that cannot be executed by SAPXPG.
Available fix and Supported packages
- SAP_BASIS | 46B | 46D
- SAP_BASIS | 610 | 640
Affected component
- BC-CCM-BTC-EXT
External and Logical Commands
CVSS
Score: 0
Exploit
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/686765
