Header Data
Symptom
An attacker who uses SAP Solution Manager can discover information relating to passwords.
This information could be used to allow the attacker to specialize their attacks against server
information and processes and the SAP database.
CVSS Information
CVSS Base Score: 4.0
CVSS Base Vector: AV:N/AC:L/AU:S/C:P/I:N/A:N
SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this
note. This estimate does not take into account your own system configuration or operational
environment. It is not intended to replace any risk assessments you are advised to conduct when
deciding on the applicability or priority of this SAP security note. For more information, see the
FAQ section at https://service.sap.com/securitynotes/.
Other Terms
Information disclosure, SAP Solution Manager, DB Interface, DB Administrator
Reason and Prerequisites
Information such as the landscape configuration data and database user passwords can be discovered
using SAP Solution Manager.
This information may be used by an attacker to further target the SAP database.
Note that the user and password for database connections created in old versions of SAP Solution
Manager are stored together in table DBCON, instead of the user and connection information being
kept separate from the password. This information is kept and may have been residing in your system for ages.
Solution
The correction provided by this note migrates database connection information created by old
versions of SAP Solution Manager into the new storage model, i.e. user and connection
information stored separately from the password.
The solution requires a specific kernel (disp+work) patch level and ABAP support package. Please
apply the levels as mentioned in this note; for ABAP you may apply the correction instruction
instead.
After the implementation you have to execute report RS_DBC_CLEANUP, which performs the migration.
To execute this report, the authorization S_RZL_ADM with ACTVT = '01' is needed.
------------------------------------------------------------------------
| Manual Post-Implement.                                               |
------------------------------------------------------------------------
| VALID FOR                                                            |
| Software Component   SAP_BASIS   SAP Basis compo...                  |
|  Release 700         SAPKB70004 - SAPKB70028                         |
|  Release 710         Until SAPKB71016                                |
|  Release 711         SAPKB71101 - SAPKB71111                         |
|  Release 701         Until SAPKB70113                                |
|  Release 702         SAPKB70201 - SAPKB70213                         |
|  Release 730         SAPKB73001 - SAPKB73009                         |
|  Release 720         SAPKB72002 - SAPKB72007                         |
|  Release 731         SAPKB73101 - SAPKB73107                         |
|  Release 740         Until SAPKB74002                                |
------------------------------------------------------------------------
Caution: You have to perform this manual post-implementation step manually and separately in each
system after you have imported the Note to implement.
1823566 - Potential information disclosure relating to SolutionManager
Language English (Master)
Released On 14.05.2013 02:00:00
Release Status Released for Customer
Component BC-DB-DBI DB Independent Database Interface
SV-SMG SAP Solution Manager
Priority Correction with high priority
Category Program error
Externally Reported Yes
Other Components
After the implementation of the code corrections, execute the report RS_DBC_CLEANUP, which performs
the migration.
Validity
Correction Instructions
Software Component   From Rel.   To Rel.   And Subsequent
KRNL32NUC            7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
KRNL32UC             7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
KRNL64NUC            7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
                     7.38        7.38
                     7.40        7.40
KRNL64UC             7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
                     7.38        7.38
                     7.40        7.40
SAP_BASIS            700         702
                     710         730
                     731         731
                     740         740
KERNEL               7.00        7.01
                     7.10        7.11
                     7.20        7.21
                     7.38        7.38
                     7.40        7.40
Correction Instructions
Software Component   Valid from   Valid to   Number
SAP_BASIS            700          700        1594878
SAP_BASIS            700          700        1237911
SAP_BASIS            700          700        1238072
SAP_BASIS            701          701        1594900
SAP_BASIS            701          701        1238021
SAP_BASIS            701          701        1238084
SAP_BASIS            702          702        1594902
SAP_BASIS            702          702        1238089
SAP_BASIS            702          702        1238022
SAP_BASIS            702          702        1200385
SAP_BASIS            710          710        1238023
SAP_BASIS            710          710        1200427
SAP_BASIS            710          710        1238091
SAP_BASIS            710          710        1594903
SAP_BASIS            711          711        1594904
SAP_BASIS            711          711        1238064
SAP_BASIS            711          711        1238086
SAP_BASIS            720          720        1238517
SAP_BASIS            720          720        1238066
SAP_BASIS            720          720        1594905
SAP_BASIS            730          730        1238092
SAP_BASIS            730          730        1594906
SAP_BASIS            730          730        1238065
SAP_BASIS            730          730        1200474
SAP_BASIS            731          731        1238068
SAP_BASIS            731          731        1200475
SAP_BASIS            731          731        1238093
SAP_BASIS            740          740        1594907
SAP_BASIS            740          740        1238520
SAP_BASIS            740          740        1238094
SAP_BASIS            740          740        1238516
SAP_BASIS            740          740        1587015
SAP_BASIS            740          740        1238069
Causes - Side Effects
Support Packages & Patches
References
This document refers to:
SAP Notes
This document is referenced by:
Notes / Patches corrected with this note
Note Reason From Version To Version Note Solution Version Support Package
1638280
0
0
1823566
0
The following SAP Notes correct this Note / Patch
Note Reason From Version To Version Note Solution Version Support Package
The table does not contain any entries
Support Packages
Software Component   Release   Support Package
SAP_BASIS            700       SAPKB70029
                     701       SAPKB70114
                     702       SAPKB70214
                     710       SAPKB71017
                     711       SAPKB71112
                     720       SAPKB72008
                     730       SAPKB73010
                     731       SAPKB73108
                     740       SAPKB74003
Support Package Patches
Software Component               Support Package   Patch Level
SAP KERNEL 7.20 32-BIT           SP417             000417
SAP KERNEL 7.20 32-BIT UNICODE   SP417             000417
SAP KERNEL 7.20 64-BIT           SP417             000417
SAP KERNEL 7.20 64-BIT UNICODE   SP417             000417
SAP KERNEL 7.21 32-BIT           SP110             000110
SAP KERNEL 7.21 32-BIT UNICODE   SP110             000110
SAP KERNEL 7.21 64-BIT           SP110             000110
SAP KERNEL 7.21 64-BIT UNICODE   SP110             000110
SAP KERNEL 7.21 EXT 32-BIT       SP110             000110
SAP KERNEL 7.21 EXT 32-BIT UC    SP110             000110
SAP KERNEL 7.21 EXT 64-BIT       SP110             000110
SAP KERNEL 7.21 EXT 64-BIT UC    SP110             000110
SAP KERNEL 7.38 64-BIT           SP014             000014
SAP KERNEL 7.38 64-BIT UNICODE   SP014             000014
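An added example (not part of the SAP note and not SAP tooling): a Python check that compares one inventory record against the SAP_BASIS support package and kernel patch levels listed in this note and returns the remediation steps still open, including the RS_DBC_CLEANUP run. The inventory field names and the sample records are assumptions constructed for illustration.

```python
import re

# Values copied from the note's "Support Packages" and "Support Package Patches" tables.
FIXED_BASIS_SP = {"700": 29, "701": 14, "702": 14, "710": 17, "711": 12,
                  "720": 8, "730": 10, "731": 8, "740": 3}
FIXED_KERNEL_PATCH = {"7.20": 417, "7.21": 110, "7.21 EXT": 110, "7.38": 14}

def basis_sp_level(release, sp_name):
    """'SAPKB70028' -> 28; None or '' (no support package imported) -> 0."""
    if not sp_name:
        return 0
    m = re.fullmatch(r"SAPKB(\d{3})(\d{2})", sp_name.strip().upper())
    if not m or m.group(1) != release:
        raise ValueError(f"{sp_name!r} is not a SAP_BASIS {release} support package")
    return int(m.group(2))

def outstanding_actions(system):
    """Return the note's remediation steps that are still open for one system."""
    actions = []
    rel = system["basis_release"]
    if rel not in FIXED_BASIS_SP:
        actions.append(f"SAP_BASIS {rel} is not listed in the note: check manually")
    elif (basis_sp_level(rel, system.get("basis_sp")) < FIXED_BASIS_SP[rel]
          and not system.get("correction_instruction_applied")):
        fixed = f"SAPKB{rel}{FIXED_BASIS_SP[rel]:02d}"
        actions.append(f"import {fixed} or apply the correction instruction")
    krel = system["kernel_release"]
    if krel not in FIXED_KERNEL_PATCH:
        actions.append(f"kernel {krel} patch level is not listed in the note: check manually")
    elif system["kernel_patch"] < FIXED_KERNEL_PATCH[krel]:
        actions.append(f"patch kernel {krel} to level {FIXED_KERNEL_PATCH[krel]}")
    # The migration only happens when the report is executed in each system.
    if not system.get("rs_dbc_cleanup_run"):
        actions.append("execute report RS_DBC_CLEANUP (needs S_RZL_ADM with ACTVT = '01')")
    return actions

# Constructed inventory records (hypothetical SIDs, not real systems).
INVENTORY = [
    {"sid": "SM1", "basis_release": "702", "basis_sp": "SAPKB70213",
     "kernel_release": "7.20", "kernel_patch": 401, "rs_dbc_cleanup_run": False},
    {"sid": "SM2", "basis_release": "731", "basis_sp": "SAPKB73108",
     "kernel_release": "7.21", "kernel_patch": 110, "rs_dbc_cleanup_run": True},
]

if __name__ == "__main__":
    for s in INVENTORY:
        print(s["sid"], outstanding_actions(s) or "no open steps")
```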
1858472 SAP Security Patch Day 05/2013
SAP Notes (1)
1638280 Data records in the table DBCON (DB connection management)