Layer Seven Security

A First Look at Support Pack 5 of SAP Solution Manager 7.2

Released earlier this month, Support Pack 5 for SAP Solution Manager 7.2 delivers important enhancements in several key areas. This includes support for exporting and importing solution documentation between systems, improved SAP-delivered solution blueprints, and an enhanced graphical editor for mapping business processes. SP05 also introduces a new Fiori App for Quality Gate Management in ChaRM. There are also new Fiori Apps for Data Volume Management to support data aging and identifying unused data.

For security, SP05 introduces several notable changes. Solution Manager Configuration and Administration now includes a tile for Security-Relevant Activities. This function can be used to check the status of the authentication, connection and user-related activities required for the secure setup and operation of Solution Manager.

Solution Manager Configuration and Administration also includes a new scenario for setting up and tracking usage logging. Areas such as System Recommendations analyze the collected usage data to show whether the ABAP objects affected by a change or correction are actually executed in the managed system, and therefore what impact applying the correction will have.

SP05 also introduces several functional improvements for System Recommendations. The available filters in System Recommendations now include a selection field for Note Number. This can be used to jump directly to specific Notes.

System Recommendations also includes a new tool for side-effect Notes. The tool was originally introduced in the SAP Service Marketplace in 2003 and enables users to identify interdependencies between SAP Notes and guard against the known side-effects of applying certain SAP Notes. Note 651948 describes side-effect Notes.

Interface and Connection Monitoring (ICMon) includes an improved interface to drill down from monitoring overviews and topologies to the details of each interface channel. Users can also now assign severity ratings for ICMon alerts. SP05 widens the coverage for supported interface channels to include the SAP Application Interface Framework, SAP Information Lifecycle Management (SAP ILM) and Ariba Network. It also provides additional metrics for monitoring existing channels such as web services.

The Fiori launchpad for Solution Manager SP05 includes new tiles for the Guided Procedure Framework. The Guided Procedure Catalog can be used to browse available guided procedures. The Guided Procedure Usage tile can be used to access the execution logs for guided procedures. Available filters have also been improved to support selection for guided procedures based on technical systems and hosts.

Full details of the changes introduced with SAP Solution Manager Support Pack 05 are available at the SAP Help Portal.

SAP Security Notes, May 2017

Note 2380277 addresses a high priority memory corruption vulnerability in the GUI control component of the Internet Graphics Server (IGS). GUI control is a self-contained component of the presentation server in ABAP systems. The Note contains corrections for logical errors in memory management within the component: specially crafted commands or objects force GUI Control to perform out-of-bounds memory reads, and attackers could use this to extract sensitive information or to cause a denial of service by provoking a buffer overflow or underflow. For detailed information, refer to CVE-2015-8540.

Note 2462813 provides instructions for securing dynamic selections in SQL queries built with the function module FREE_SELECTIONS_RANGE_2_WHERE. The instructions are intended to mitigate SQL injection attacks against the Revenue Accounting application in SAP ERP. A successful SQL injection can allow attackers to perform database operations beyond those the application intended, including reading, modifying and deleting sensitive data.
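The defect class behind this Note is a dynamic WHERE clause assembled from input that is never quoted. The report below is an added illustration written for this article; it is not code from the Note, from Revenue Accounting or from FREE_SELECTIONS_RANGE_2_WHERE. It assumes the flight demo table SCARR is present, and the parameter and variable names are invented for the demo. The hardened variant uses the SAP-delivered method CL_ABAP_DYN_PRG=>QUOTE, which wraps a value in single quotes and doubles any quote characters inside it.

```abap
REPORT z_dyn_where_demo.

" Demo input (assumed names); SCARR is the standard flight demo table.
PARAMETERS p_name TYPE c LENGTH 40 LOWER CASE DEFAULT 'Lufthansa'.

TYPES: BEGIN OF ty_carrier,
         carrid   TYPE scarr-carrid,
         carrname TYPE scarr-carrname,
       END OF ty_carrier.
DATA lt_carriers TYPE STANDARD TABLE OF ty_carrier WITH DEFAULT KEY.
DATA lv_name     TYPE string.
DATA lv_where    TYPE string.

lv_name = p_name.   " c -> string assignment drops the trailing blanks

" Vulnerable: the input is spliced into the WHERE clause unchanged.
" Entering   x' OR CARRNAME <> '   turns the condition into
"   CARRNAME = 'x' OR CARRNAME <> ''
" which returns every row of the table: a classic SQL injection.
lv_where = |CARRNAME = '{ lv_name }'|.
SELECT carrid carrname FROM scarr
  INTO TABLE lt_carriers
  WHERE (lv_where).
WRITE: / 'Unquoted query returned', lines( lt_carriers ), 'rows'.

" Hardened: QUOTE( ) returns the value enclosed in single quotes with
" every embedded quote doubled, so the same payload becomes the literal
"   CARRNAME = 'x'' OR CARRNAME <> '''
" and the comparison simply matches nothing.
lv_where = |CARRNAME = { cl_abap_dyn_prg=>quote( lv_name ) }|.
SELECT carrid carrname FROM scarr
  INTO TABLE lt_carriers
  WHERE (lv_where).
WRITE: / 'Quoted query returned', lines( lt_carriers ), 'rows'.
```

Running the report with the default value returns one row from both queries; running it with the payload shown in the comments returns the whole table from the first query and nothing from the second. The same rule applies to range tables fed into FREE_SELECTIONS_RANGE_2_WHERE: every LOW and HIGH value that originates from a user or an interface has to be treated as data, not as SQL.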

Note 2433777 deals with authorization errors in the ABAP File Interface used to read, write and delete files stored on SAP application servers. The Interface does not effectively perform authority checks for file or path names containing specific control characters. This could enable attackers to access restricted files. The corrections packaged with the Note therefore disable the ABAP statements OPEN DATASET and DELETE DATASET for file names that contain control characters.
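The Note's correction sits in the statements themselves. Custom code that accepts file names from users or interfaces can enforce the same rule explicitly, and perform the S_DATASET check before touching the file. The snippet below is an added example for this article, not code from the Note; the report and parameter names are invented, and the default path is a constructed sample. It uses the standard function module AUTHORITY_CHECK_DATASET and the POSIX class [[:cntrl:]], which covers tab, newline, NUL and the other C0 control characters.

```abap
REPORT z_dataset_guard_demo.

" Constructed sample input (assumed name); in practice this would be
" supplied by a user, a job variant or an inbound interface.
PARAMETERS p_file TYPE c LENGTH 255 LOWER CASE DEFAULT '/tmp/demo.txt'.

DATA lv_file TYPE string.
DATA lv_line TYPE string.

lv_file = p_file.

" 1. Refuse file names containing control characters. find( ) returns
"    the offset of the first match, or -1 if the regex does not match.
IF find( val = lv_file regex = '[[:cntrl:]]' ) >= 0.
  MESSAGE 'File name contains control characters' TYPE 'E'.
ENDIF.

" 2. Explicit authority check against S_DATASET (and S_PATH, if path
"    rules are maintained in table SPTH) before the file is opened.
CALL FUNCTION 'AUTHORITY_CHECK_DATASET'
  EXPORTING
    activity         = 'READ'
    filename         = lv_file
  EXCEPTIONS
    no_authority     = 1
    activity_unknown = 2
    OTHERS           = 3.
IF sy-subrc <> 0.
  MESSAGE 'No authorization to read this file' TYPE 'E'.
ENDIF.

" 3. Only now hand the name to the file interface.
OPEN DATASET lv_file FOR INPUT IN TEXT MODE ENCODING DEFAULT.
IF sy-subrc <> 0.
  MESSAGE 'Cannot open file' TYPE 'E'.
ENDIF.
READ DATASET lv_file INTO lv_line.
CLOSE DATASET lv_file.
WRITE: / 'First line:', lv_line.
```

Step 1 is the application-level counterpart of the kernel fix: an embedded newline or NUL in a file name is never legitimate on an application server and is the sign of an attempt to slip past a path check. Step 2 matters because the implicit check performed by OPEN DATASET happens only after the name has been parsed, whereas the function module lets the program fail early with a clear message and a consistent activity value.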

Note 2441560 removes a vulnerability in SAPCAR, classified as a denial of service, that could be exploited by attackers to gain root access to servers processing specially crafted archives. SAPCAR is the SAP utility used to compress and decompress the SAR archives in which SAP delivers software. SAPCAR 7.21 should be updated to patch level 816 or higher to address the vulnerability.