SAP Security Notes, January 2018
Note 2580634 provides instructions for removing a malicious file insertion vulnerability in the Process Control and Risk Management applications of SAP Governance, Risk and Compliance (GRC). The vulnerability could be exploited to upload malicious scripts or other forms of malware to SAP servers. The note includes manual instructions for implementing GRFN_DOCUMENT_WT_CHECK for the BAdI GRFN_DOCUMENT. This activates a positive whitelist in table GRFNDOCUMENTWT that controls the permitted file extensions and MIME types: uploads whose extension or MIME type is not listed in the table are rejected.
Note 2408073 provides updated instructions for the handling of digitally signed Notes in the Note Assistant. Note 2518518 should be implemented before Note 2408073 to install the new objects required to support Notes with digital signatures. The Notes update the Note Assistant tool to verify digital signatures using the SAPCAR utility, which must be version 7.20, patch level 2 or higher. The Note Assistant processes ZIP files containing Notes downloaded from the SAP Support Portal and logs the results of the digital signature checks. Notes that fail the digital signature check are recorded in the Application Log (transaction SLG1); viewing these entries requires the authorization object S_APPL_LOG. For further information, refer to Note 2537133 (FAQ – Digitally Signed SAP Notes) and the Digital Signature User Guide referenced in Note 2408073.

Note 2507934 provides instructions for adjusting the role SAP_BPO_CONFIG in SAP Solution Manager 7.2. The instructions restrict the table maintenance authorizations in the role to BPO-relevant tables belonging to the authorization groups SS, LMDB, PIMA, SA, IWAD, and SC.