Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.

security-related service notes

Pawan_Kesari
Active Contributor
0 Kudos

Did anyone get any problems after implementing the following notes?

I am going to implement these; I just wanted to check if there are any known issues...

Note 1298160 - Security note: Forbidden program execution possible

Note 1168813 - Security note: Program DISPLAY_FUNC_INCLUDE

Note 1167258 - Security note: Program RS_REPAIR_SOURCE

Note 1304803 - Security note: Changing a transport without authorization

1 ACCEPTED SOLUTION

Former Member
0 Kudos

Hi we applied these on a dev system, tested them ok and found no issues.

We are deploying to all our other systems.

The one relating to RS_REPAIR_SOURCE is an absolute must. We were horrified when we tried this out before applying it - guess that's why SAP have been pushing these notes to everyone to consider!

9 REPLIES 9

0 Kudos

I would class the "forbidden program execution" one as the most critical and nearly impossible to detect misuse of, as it exists only at runtime, but also the most difficult to misuse in the sense that the skills and knowledge required exclude a lot of folks. But I think there will be a lot of "script-kiddies" around for a while trying to use it... so it is best not to delay unnecessarily.

On the bright side, all of them have the capability of patching themselves...

Cheers,

Julius

0 Kudos

Thanks for your response..

0 Kudos

Hi,

We are in the process of implementing these as well, but I am having difficulty creating the test scripts since I'm not familiar with these programs. Can anyone provide some test steps to test these notes? Or did you work with an ABAPer to identify what needs to be tested? They won't allow us to move these changes to QA and production until a script has been completed.

Any help would be much appreciated.

Note 1298160 - Security note: Forbidden program execution possible - "You are able to execute undesired source code in the system using a special call of an RFC module." How is this tested?

Note 1168813 - Security Note: Program DISPLAY_FUNC_INCLUDE - test via SE37? Verify exactly what?

Note 1167258 - Security Note: Program RS_REPAIR_SOURCE - test via transaction SE80? In BW and R/3?

Note 1304803 - Security note: Changing a transport without authorization. Per SAP, "Certain reports that do not have an authorization check can create or change transport requests and change the piece list of a request." Which reports would this be? Obviously you can update a transport via SE10 or SE09, but

0 Kudos

Hi,

Note 1304803. SAP just forgot to get rid of some reports. After applying this note you should not be able to run reports TH_TKANL, TH_E070U and TH_E071. You should also delete report TH_E070E manually. The programming correction is pretty simple: it puts the command EXIT at the beginning of the program. Hence you can call these reports, but they will automatically exit.

Notes 1168813 and 1167258. SAP forgot to put authorization checks in these programs. So before applying these notes, a user without authorization to modify programs is able to change programs using reports RS_REPAIR_SOURCE and DISPLAY_FUNC_INCLUDE. After applying these notes the user has to have authorizations to modify programs (objects S_TCODE and S_DEVELOP).

Note 1298160: Before applying this note you should be able to call any routine (IV_COMMAND) from any program (IV_CONTEXT) using FM TMS_CI_START_SERVICE. I haven't tested it, so I don't know the values for the other parameters. After applying this note you should not be able to use this gap.

Cheers
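A verification report for the test-script question above, added here as an example (it is not from the thread and not SAP's own code). It lists whether each program named in this thread exists in the system and, for the TH_* reports, whether the leading EXIT that the Note 1304803 correction adds is present. The report name and the five-statement scan window are assumptions.

```abap
*&---------------------------------------------------------------------*
*& Report ZSEC_NOTE_CHECK_DEMO (hypothetical name; added example, not SAP code)
*& Existence check via READ REPORT, plus a leading-EXIT check for the TH_* reports
*&---------------------------------------------------------------------*
REPORT zsec_note_check_demo.
TYPES: BEGIN OF ty_prog,
         name  TYPE progname,
         check TYPE c LENGTH 1,   " 'X' = look for a leading EXIT statement
       END OF ty_prog.
DATA: lt_progs  TYPE TABLE OF ty_prog,
      ls_prog   TYPE ty_prog,
      lt_source TYPE TABLE OF string,
      lv_line   TYPE string,
      lv_stmts  TYPE i,
      lv_exists TYPE c LENGTH 1,
      lv_exit   TYPE c LENGTH 1.
* Constructed list taken from the posts above (Notes 1304803, 1167258, 1168813).
ls_prog-name = 'TH_TKANL'.             ls_prog-check = 'X'. APPEND ls_prog TO lt_progs.
ls_prog-name = 'TH_E070U'.             ls_prog-check = 'X'. APPEND ls_prog TO lt_progs.
ls_prog-name = 'TH_E071'.              ls_prog-check = 'X'. APPEND ls_prog TO lt_progs.
ls_prog-name = 'TH_E070E'.             ls_prog-check = 'X'. APPEND ls_prog TO lt_progs.
ls_prog-name = 'RS_REPAIR_SOURCE'.     ls_prog-check = ' '. APPEND ls_prog TO lt_progs.
ls_prog-name = 'DISPLAY_FUNC_INCLUDE'. ls_prog-check = ' '. APPEND ls_prog TO lt_progs.
LOOP AT lt_progs INTO ls_prog.
  CLEAR: lt_source, lv_stmts, lv_exists, lv_exit.
  READ REPORT ls_prog-name INTO lt_source.   " sy-subrc <> 0: program not in this system
  IF sy-subrc = 0.
    lv_exists = 'X'.
  ENDIF.
  IF lv_exists = 'X' AND ls_prog-check = 'X'.
    " Inspect the first few statements, skipping blank and comment lines.
    LOOP AT lt_source INTO lv_line.
      CONDENSE lv_line.
      IF lv_line IS INITIAL.  CONTINUE.  ENDIF.
      IF lv_line(1) = '*' OR lv_line(1) = '"'.  CONTINUE.  ENDIF.
      TRANSLATE lv_line TO UPPER CASE.
      lv_stmts = lv_stmts + 1.
      IF lv_line CP 'EXIT.*'.        " the correction's unconditional EXIT
        lv_exit = 'X'.
        EXIT.
      ENDIF.
      IF lv_stmts >= 5.  EXIT.  ENDIF.   " assumed window: first five statements
    ENDLOOP.
  ENDIF.
  WRITE: / ls_prog-name, 'exists:', lv_exists, 'leading EXIT:', lv_exit.
ENDLOOP.
```

A TH_* report that exists without a leading EXIT, or an RS_REPAIR_SOURCE / DISPLAY_FUNC_INCLUDE that runs for a user lacking S_DEVELOP change authorization (visible in SU53 after the attempt), means the corresponding note is not yet in effect.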

0 Kudos

> They won't allow us to move these changes to QA and production until a script has been completed.

What you should check is that no standard and "normal" functionality of your own is impacted by the change.

These programs are questionable at the least and as Martin has stated should not have been included in the standard system anyway.

The notes are designed in such a way that you can implement them without disrupting standard functionality.

The only people (or programs) to be bothered by the patches are those who misuse them, which is what they are destined for...

Cheers,

Julius

0 Kudos

Martin, thank you for the information. This helps a lot!

0 Kudos

Hi,

When I checked in SE38, our system doesn't have the reports RS_REPAIR_SOURCE and DISPLAY_FUNC_INCLUDE.

Does this mean that notes 1168813 and 1167258 are not relevant to us?

Thanks & Regards,

DVRK

0 Kudos

Hi,

I guess that you are not running NetWeaver. There is a section "Affected Releases" in the OSS note. You can see that these notes are related to NW 7.0 and NW 7.1.

Cheers