SAP Security Note

Header Data
Symptom
An attacker who uses SAP Solution Manager can discover information relating to passwords.
This information could be used to allow the attacker to specialize their attacks against server
information and processes and the SAP database.
CVSS Information
CVSS Base Score: 4.0
CVSS Base Vector: AV:N/AC:L/AU:S/C:P/I:N/A:N

SAP provides this CVSS base score as an estimate of the risk posed by the issue reported in this
note. This estimate does not take into account your own system configuration or operational
environment. It is not intended to replace any risk assessments you are advised to conduct when
deciding on the applicability or priority of this SAP security note. For more information, see the
FAQ section at https://service.sap.com/securitynotes/.

Other Terms
Information disclosure, SAP Solution Manager, DB Interface, DB Administrator

Reason and Prerequisites
Information such as the landscape configuration data and database user passwords can be discovered
using SAP Solution Manager.
This information may be used by an attacker to further target the SAP database.
Note that the user and password for database connections created in old versions of SAP Solution
Manager are stored in table DBCON, instead of the user and connection information being stored
separately from the password. This information is kept and may have been residing in your system for ages.

Solution
The correction provided by this note migrates database connection information created by old
versions of SAP Solution Manager into the new storage model, i.e. separation of user and connection
information from the password.
The solution requires a specific kernel (disp+work) patch level and ABAP support package. Please
apply the levels as mentioned in this note; for ABAP you may apply the correction instruction
instead.
After the implementation you have to execute report RS_DBC_CLEANUP, which performs the migration.
For the execution of this report the authorization S_RZL_ADM with ACTVT = '01' is needed.




------------------------------------------------------
| Manual Post-Implement.                             |
------------------------------------------------------
| VALID FOR                                          |
| Software Component  SAP_BASIS  SAP Basis compo...  |
|  Release 700  SAPKB70004 - SAPKB70028              |
|  Release 710  Until SAPKB71016                     |
|  Release 711  SAPKB71101 - SAPKB71111              |
|  Release 701  Until SAPKB70113                     |
|  Release 702  SAPKB70201 - SAPKB70213              |
|  Release 730  SAPKB73001 - SAPKB73009              |
|  Release 720  SAPKB72002 - SAPKB72007              |
|  Release 731  SAPKB73101 - SAPKB73107              |
|  Release 740  Until SAPKB74002                     |
------------------------------------------------------

Caution: You have to perform this manual post-implementation step manually and separately in each
system after you have imported the Note to implement.

1823566 - Potential information disclosure relating to SolutionManager
Language: English (Master)
Released On: 14.05.2013 02:00:00
Release Status: Released for Customer
Component: BC-DB-DBI DB Independent Database Interface
Other Components: SV-SMG SAP Solution Manager
Priority: Correction with high priority
Category: Program error
Externally Reported: Yes

After the implementation of the code corrections, execute the report RS_DBC_CLEANUP, which performs
the migration.
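A pre-check for the levels this note asks for, written as an added example (it is not SAP code and not part of the note). The function names are hypothetical, the level values are copied from the note's "VALID FOR" box and its Support Packages and Support Package Patches tables, and treating an "Until" row as having no lower bound is an assumption.

```python
import re

# "Support Packages" table: first SAP_BASIS SP level that ships the correction.
FIXED_ABAP_SP = {"700": 29, "701": 14, "702": 14, "710": 17, "711": 12,
                 "720": 8, "730": 10, "731": 8, "740": 3}
# "VALID FOR" box: lowest SP level of the range ("Until" rows modelled as 0,
# which is an assumption of this example).
CI_FROM_SP = {"700": 4, "701": 0, "702": 1, "710": 0, "711": 1,
              "720": 2, "730": 1, "731": 1, "740": 0}
# "Support Package Patches" table: kernel release -> listed patch level.
FIXED_KERNEL_PATCH = {"7.20": 417, "7.21": 110, "7.21 EXT": 110, "7.38": 14}


def abap_status(package):
    """Classify the highest imported SAP_BASIS package, e.g. 'SAPKB70028'."""
    m = re.fullmatch(r"SAPKB(\d{3})(\d{2})", package.strip().upper())
    if not m:
        raise ValueError(f"not a SAP_BASIS package name: {package!r}")
    release, level = m.group(1), int(m.group(2))
    if release not in FIXED_ABAP_SP:
        return "NOT_LISTED"          # release does not appear in the note
    if level >= FIXED_ABAP_SP[release]:
        return "SP_FIXED"            # at or above the listed support package
    if level >= CI_FROM_SP[release]:
        return "NEEDS_CORRECTION"    # inside the range given in the VALID FOR box
    return "BELOW_RANGE"             # older than the range given in the box


def kernel_ok(release, patch_level):
    """True/False against the listed patch level, None if the release is not listed."""
    required = FIXED_KERNEL_PATCH.get(release)
    return None if required is None else patch_level >= required


def precheck(package, kernel_release, kernel_patch):
    """Combine both checks for one system."""
    return {"abap": abap_status(package),
            "kernel_ok": kernel_ok(kernel_release, kernel_patch)}


if __name__ == "__main__":
    # Constructed sample systems, not taken from the note.
    for system in [("SAPKB70028", "7.20", 416), ("SAPKB73108", "7.21", 110)]:
        print(system, precheck(*system))
```
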
Validity

Software Component   From Rel.   To Rel.    And Subsequent

KRNL32NUC            7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT

KRNL32UC             7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT

KRNL64NUC            7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
                     7.38        7.38
                     7.40        7.40

KRNL64UC             7.00        7.01
                     7.10        7.20
                     7.20EXT     7.20EXT
                     7.21        7.21
                     7.21EXT     7.21EXT
                     7.38        7.38
                     7.40        7.40

SAP_BASIS            700         702
                     710         730
                     731         731
                     740         740

KERNEL               7.00        7.01
                     7.10        7.11
                     7.20        7.21
                     7.38        7.38
                     7.40        7.40

Correction Instructions

Software Component   Valid from   Valid to   Number

SAP_BASIS            700          700        1594878
SAP_BASIS            700          700        1237911
SAP_BASIS            700          700        1238072
SAP_BASIS            701          701        1594900
SAP_BASIS            701          701        1238021
SAP_BASIS            701          701        1238084
SAP_BASIS            702          702        1594902
SAP_BASIS            702          702        1238089
SAP_BASIS            702          702        1238022
SAP_BASIS            702          702        1200385
SAP_BASIS            710          710        1238023
SAP_BASIS            710          710        1200427
SAP_BASIS            710          710        1238091
SAP_BASIS            710          710        1594903
SAP_BASIS            711          711        1594904
SAP_BASIS            711          711        1238064
SAP_BASIS            711          711        1238086
SAP_BASIS            720          720        1238517
SAP_BASIS            720          720        1238066
SAP_BASIS            720          720        1594905
SAP_BASIS            730          730        1238092
SAP_BASIS            730          730        1594906
SAP_BASIS            730          730        1238065
SAP_BASIS            730          730        1200474
SAP_BASIS            731          731        1238068
SAP_BASIS            731          731        1200475
SAP_BASIS            731          731        1238093
SAP_BASIS            740          740        1594907
SAP_BASIS            740          740        1238520
SAP_BASIS            740          740        1238094
SAP_BASIS            740          740        1238516
SAP_BASIS            740          740        1587015
SAP_BASIS            740          740        1238069

Causes - Side Effects

Notes / Patches corrected with this note

Note Reason   From Version   To Version   Note Solution   Version   Support Package

1638280       0              0            1823566         0

The following SAP Notes correct this Note / Patch

Note Reason   From Version   To Version   Note Solution   Version   Support Package

The table does not contain any entries

Support Packages & Patches

Support Packages

Software Component   Release   Support Package

SAP_BASIS            700       SAPKB70029
                     701       SAPKB70114
                     702       SAPKB70214
                     710       SAPKB71017
                     711       SAPKB71112
                     720       SAPKB72008
                     730       SAPKB73010
                     731       SAPKB73108
                     740       SAPKB74003

Support Package Patches

Software Component               Support Package   Patch Level

SAP KERNEL 7.20 32-BIT           SP417             000417
SAP KERNEL 7.20 32-BIT UNICODE   SP417             000417
SAP KERNEL 7.20 64-BIT           SP417             000417
SAP KERNEL 7.20 64-BIT UNICODE   SP417             000417
SAP KERNEL 7.21 32-BIT           SP110             000110
SAP KERNEL 7.21 32-BIT UNICODE   SP110             000110
SAP KERNEL 7.21 64-BIT           SP110             000110
SAP KERNEL 7.21 64-BIT UNICODE   SP110             000110
SAP KERNEL 7.21 EXT 32-BIT       SP110             000110
SAP KERNEL 7.21 EXT 32-BIT UC    SP110             000110
SAP KERNEL 7.21 EXT 64-BIT       SP110             000110
SAP KERNEL 7.21 EXT 64-BIT UC    SP110             000110
SAP KERNEL 7.38 64-BIT           SP014             000014
SAP KERNEL 7.38 64-BIT UNICODE   SP014             000014

References

This document refers to:

SAP Notes

1858472 SAP Security Patch Day 05/2013

This document is referenced by:

SAP Notes (1)

1638280 Data records in the table DBCON (DB connection management)