Priorities of SAP Security Notes and Coverage of RSECNOTE

Former Member
0 Kudos

Hi,

we are using the RSECNOTE in order to implement the most important SAP-Security Notes within our SAP-systems. However, recently I've come across the effect that there is a difference between the output of the RSECNOTE and the relevant Security-Note listed within the Marketplace.

Therefore I tried to find out how SAP determines the priorities of SAP-Security-Notes and how SAP decides which Security-Note is displayed by RSECNOTE. This led to the following result:

-


On the page https://websmp208.sap-ag.de/support FAQs for SAP-Patch-Day I found the following explanation of the priorities of SAP's Security-Patches:

How does SAP define the priority of the notes?

The priority of a security note is mainly determined by the so-called CVSS base score (Common Vulnerability Scoring Systems). We determine this score for every security issue. However, occasionally we adjust the priority when we feel that the priority is not adequate.

However, I looked up a few Security-Notes but I didn't find any CVSS score value.

So obviously SAP somehow translates the score value that CVSS delivers (between 0 and 10) into the SAP-Security Note's priority displayed in the Marketplace (in the range of 1 to 6).

Within the sdn-page I found an answer to a question concerning SAP-Security-Notes stating that RSECNOTE contains all the High Priority Security Notes relevant for a certain system.

-


Does anyone know which Security Notes are displayed by RSECNOTE?

Thanks! Uwe

1 ACCEPTED SOLUTION

Former Member
0 Kudos

I've come across the effect that there is a difference between the output of the RSECNOTE and the relevant Security-Note listed within the Marketplace.

Yes and this is particularly true for the December notes.

You can find more information about this in some threads and blogs about it already.

Authoritative are the comments from SAP security guru Frank Buchholz to this blog --> http://www.sdn.sap.com/irj/scn/weblogs?blog=/pub/wlg/19151

Cheers,

Julius

5 REPLIES 5

0 Kudos

Hi,

Today we started to include CVSS base scores and vectors within some security notes (those which solve issues reported to us by external researchers).

We also updated our FAQ (https://websmp108.sap-ag.de/securitynotes/) to answer some more questions about prioritisation and our use of CVSS.

Hope this helps, and stay tuned for more CVSS in security notes.

Best,

Phil

Product Security Response Team

0 Kudos

Hi Phil,

That sounds like a really good addition. I am really pleased with the direction that SAP is now taking in this area, long may it continue!

0 Kudos

Hi Phil,

I wonder if you can help us further, since I just cannot get hold of this information; what are the CVSS Base Score + vector ratings which determine in which category the SAP Security Notes are placed?

That is, what constitutes a Hot News, High Priority, Medium Priority and Low Priority? Is there a chart I can refer to?

Any help is appreciated.

Regards

Mushtaq Mahmood

Saudi Aramco

0 Kudos

The CVSS value which is shown within the notes is composed of the Base Metric Group of CVSS only. In addition to that we consider some more aspects of the Temporal Metric Group and the Environmental Metric Group of CVSS to calculate the note priority. Therefore there is no simple chart to map CVSS value ranges to note priorities.

You can find the corresponding FAQ entry here.

Kind regards
Frank Buchholz
SAP Active Global Support - Security Services