Hot news note 3273480 was updated in March for SP026 of NetWeaver Application Server Java (AS Java) 7.50. The note deals with a critical SQL injection vulnerability that can be exploited by unauthenticated attackers that attach to an open interface exposed through JNDI by User Defined Search (UDS) of AS Java. The fix included in the note applies authorization checks to mitigate the vulnerability. The authorizations are assigned to the roles SAP_XI_ADMINISTRATOR_J2EE, SAP_XI_CONFIGURATOR_J2EE, SAP_XI_DEVELOPER_J2EE and NWA_READONLY.
Note 3252433 patches a broken authentication vulnerability impacting the LockingService in AS Java. The note removes public access and applies the required authentication and authorization checks for the service.
Hot news notes 3245526 and 3283438 address high-risk vulnerabilities in SAP BusinessObjects Business Intelligence (BOBJ). Note 3245526 fixes a code injection vulnerability in the Central Management Console (CMC). The note removes the ‘Use Impersonation’ option from the CMC and introduces authorization checks for scheduling program objects. Note 3283438 fixes an OS command execution vulnerability in the Adaptive Job Server. Workarounds are detailed in the note including unchecking the options Run scripts/binaries and Run Java programs in the CMC, and disabling the rexecd service.
Notes 3294595 and 3302162 patch directory traversal vulnerabilities in NetWeaver Application Server ABAP (AS ABAP). The vulnerabilities can be exploited to overwrite system files and trigger a denial of service.
SAP Focused Run supports real-time monitoring for high-volume SAP landscapes and customers with advanced requirements for system management, user and integration monitoring, and vulnerability management. Configuration and Security Analytics (CSA) in SAP Focused Run applies security policies to discover vulnerabilities in SAP systems. The policies read the contents of configuration, software and user-related stores in the Configuration and Change Database (CCDB). The CCDB stores are refreshed daily using the Simple Diagnostics Agent (SDA), installed in SAP systems monitored by Focused Run.
This article explores capabilities in CSA for tuning security checks using exclusions, configuring alerts for critical vulnerabilities, and investigating security-related changes reported by CSA.
Exclusions can be applied to exclude specific checks in security policies. In the example below, we have applied an exclusion to exclude a check that validates the status of the standard DDIC user. The first step is to open CSA in the Advanced Configuration Monitoring workgroup.
The next step is to select the relevant policy and select Exemption for Policies.
Select Create to add the exemption. Select the Check ID based on the available checks in the policy and add an Exception ID and Description.
You can add a date range if the exclusion is temporary and should be automatically removed after a target date. Once saved, the check will be excluded from the policy. Exemptions can be maintained and deleted after they are applied.
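The following added example (not Focused Run code; the check IDs, exception ID, store layout and dates are constructed for illustration) shows the mechanics the exemption dialog describes: a check is skipped while an exemption with a matching Check ID is in force, and an exemption with a date range lapses on its own once the target date has passed, after which the check is evaluated again.

```python
from dataclasses import dataclass
from datetime import date
from typing import Callable, Optional


@dataclass
class Check:
    """One check in a security policy: a predicate over a configuration store."""
    check_id: str
    description: str
    passes: Callable[[dict], bool]


@dataclass
class Exemption:
    """An exclusion for one check, optionally limited to a date range.
    Field names mirror the CSA dialog (Check ID, Exception ID, Description)."""
    check_id: str
    exception_id: str
    description: str
    valid_from: Optional[date] = None
    valid_to: Optional[date] = None

    def active_on(self, day: date) -> bool:
        # No date range means a permanent exclusion; with a range, the
        # exclusion drops out automatically once the target date has passed.
        if self.valid_from is not None and day < self.valid_from:
            return False
        if self.valid_to is not None and day > self.valid_to:
            return False
        return True


def user_is_locked(store: dict, user: str) -> bool:
    """Constructed store layout: user name -> {'locked': bool}."""
    return bool(store.get(user, {}).get("locked", False))


# Constructed policy with two checks on standard users (check IDs are hypothetical).
POLICY = [
    Check("DDIC_LOCKED", "Standard user DDIC is locked",
          lambda store: user_is_locked(store, "DDIC")),
    Check("SAPSTAR_LOCKED", "Standard user SAP* is locked",
          lambda store: user_is_locked(store, "SAP*")),
]

# Constructed snapshot of a user store: DDIC is unlocked, SAP* is locked.
SAMPLE_STORE = {
    "DDIC": {"locked": False},
    "SAP*": {"locked": True},
}

# Constructed temporary exemption covering a maintenance window in April 2023.
SAMPLE_EXEMPTIONS = [
    Exemption("DDIC_LOCKED", "EXC-0001", "DDIC unlocked for support package import",
              valid_from=date(2023, 4, 1), valid_to=date(2023, 4, 30)),
]


def evaluate(policy, store, exemptions, day):
    """Return {check_id: 'pass' | 'fail' | 'exempt'} for the policy on the given day."""
    results = {}
    for check in policy:
        exempt = any(e.check_id == check.check_id and e.active_on(day)
                     for e in exemptions)
        if exempt:
            results[check.check_id] = "exempt"
        elif check.passes(store):
            results[check.check_id] = "pass"
        else:
            results[check.check_id] = "fail"
    return results


def failing_checks(policy, store, exemptions, day):
    """Checks that produce a finding: failed and not covered by an active exemption."""
    return [cid for cid, status in evaluate(policy, store, exemptions, day).items()
            if status == "fail"]


def evaluate_sample(iso_day: str):
    """Evaluate the constructed policy against the sample store on an ISO date."""
    return evaluate(POLICY, SAMPLE_STORE, SAMPLE_EXEMPTIONS, date.fromisoformat(iso_day))


if __name__ == "__main__":
    for day in ("2023-04-15", "2023-05-01"):
        print(day, evaluate_sample(day))
```

Run stand-alone, the script prints the DDIC check as exempt on 15 April and as failed on 1 May, once the exemption's date range has expired.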
Alerts for systems that fail checks in security policies can be configured using Configuration Validation Alert Management.
Select Create and add an Alert ID and Description. The Alert Source should be set to Configuration Validation – Policy. Select the Policy and maintain options for Aggregation Level, Scope, Frequency and Severity. Select ON and click on Save to activate the alert.
Alerts can be configured for specific systems or groups based on Customer ID, Data Center, IT Admin Role, Lifecycle Status, or Networks.
IT Admin Role can be used to apply alerts for systems based on environments.
Email and SMS options for alert notifications can be maintained using Outbound Variants.
Alerts can be investigated and managed using Alert Management. In the example below, we can see the alert configured in CSA for changes to standard users. Alerts in Alert Management can be integrated with SIEM and service desk solutions. For detailed information, refer to the SAP Help Portal.
Changes in SAP systems are captured and logged in CSA. This includes areas such as parameter settings, RFC destinations, ICF services, and user authorizations, profiles, roles, and transactions. The details of the changes can be viewed using the option to display change of configuration items. Select a time frame for changes using Time Frame Selection.
You can also maintain a custom time frame.
Select a system to view a summary of the changes.
Select a store to view the details of changes. In the example below, we can see the details of users that were assigned the SAP_ALL profile in a system over the last three months.
The details can be filtered, sorted and exported to Excel.
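As an added illustration of the change tracking described above (not Focused Run or CCDB code; the daily snapshots, user names and dates are constructed), the example below diffs consecutive snapshots of a user-profile store, keeps only the changes inside a selected time frame, filters for assignments of the SAP_ALL profile, and exports the result as CSV for Excel.

```python
import csv
import io
from datetime import date

# Constructed daily snapshots of a user-profile store, oldest first:
# (snapshot date, {user: set of assigned profiles}). These stand in for the
# store contents an agent would refresh each day.
SNAPSHOTS = [
    (date(2023, 1, 2), {"ADMIN": {"SAP_ALL"}, "JSMITH": {"SAP_USER"}}),
    (date(2023, 1, 10), {"ADMIN": {"SAP_ALL"}, "JSMITH": {"SAP_USER", "SAP_ALL"}}),
    (date(2023, 2, 15), {"ADMIN": {"SAP_ALL"}, "JSMITH": {"SAP_USER"},
                         "BATCH01": {"SAP_ALL"}}),
    (date(2023, 3, 20), {"ADMIN": {"SAP_ALL"}, "JSMITH": {"SAP_USER"},
                         "BATCH01": {"SAP_ALL", "SAP_NEW"}}),
]


def diff_store(before, after):
    """Profile assignments added or removed between two snapshots."""
    changes = []
    for user in sorted(set(before) | set(after)):
        old, new = before.get(user, set()), after.get(user, set())
        changes.extend((user, p, "assigned") for p in sorted(new - old))
        changes.extend((user, p, "removed") for p in sorted(old - new))
    return changes


def changes_in_time_frame(snapshots, start, end):
    """Changes between consecutive snapshots whose date lies within [start, end]."""
    records = []
    for (_, older), (day, newer) in zip(snapshots, snapshots[1:]):
        if start <= day <= end:
            for user, profile, action in diff_store(older, newer):
                records.append({"date": day.isoformat(), "user": user,
                                "profile": profile, "action": action})
    return records


def profile_assignments(records, profile):
    """Keep only records where the given profile was assigned to a user."""
    return [r for r in records
            if r["profile"] == profile and r["action"] == "assigned"]


def to_csv(records):
    """Export the change records in a form Excel opens directly."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["date", "user", "profile", "action"])
    writer.writeheader()
    writer.writerows(records)
    return out.getvalue()


def changes_report(start_iso, end_iso):
    """All changes in the sample data for an ISO date range."""
    return changes_in_time_frame(SNAPSHOTS, date.fromisoformat(start_iso),
                                 date.fromisoformat(end_iso))


def sap_all_report(start_iso, end_iso):
    """SAP_ALL assignments in the sample data for an ISO date range."""
    return profile_assignments(changes_report(start_iso, end_iso), "SAP_ALL")


if __name__ == "__main__":
    print(to_csv(sap_all_report("2023-01-01", "2023-03-31")))
```

Over the constructed three-month window, the report lists the two SAP_ALL assignments (to JSMITH in January and to BATCH01 in February); the removal from JSMITH and the SAP_NEW assignment are still visible in the unfiltered change list.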
The Cybersecurity Extension for SAP integrates with CSA in Focused Run to apply thousands of security checks for known vulnerabilities in SAP solutions. It also integrates with System Monitoring in Focused Run to detect and alert for more than 600 indicators of compromise in SAP event logs. To learn how you can protect your SAP systems from cyber threats using the Cybersecurity Extension for SAP, contact Layer Seven Security.
Hot news note 3273480 was updated in February for a critical vulnerability that could enable attackers to compromise installations of NetWeaver Application Server Java (AS Java) via an open JNDI interface exposed through User Defined Search (UDS). The updates include corrections for side effects caused by the original fix for the vulnerability that implemented authorization checks for affected public methods. Note 3301366 corrects side effects for alerting and monitoring after implementing note 3273480. Note 3284781 provides instructions to correct side effects observed for specific services used by Process Integration (PI).
Note 3285757 recommends upgrading the SAP Host Agent to the latest version 7.22 PL59 in order to patch a high priority privilege escalation vulnerability. Attackers can exploit the vulnerability to execute operating system commands with administrative privileges through web service requests.
Note 3256787 includes a fix for an unrestricted file upload vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). The note also includes instructions for a workaround that involves applying a whitelist for file format types using the property upload.file.allowed.formats in the global.properties file.
Other important notes include 3263135 and 3271091 for information disclosure and privilege escalation vulnerabilities in BOBJ and SAP Business Planning and Consolidation (BPC), respectively.
Maintenance Planner is a cloud solution from SAP that supports the planning and administration of systems in SAP landscapes. It is the successor to Maintenance Optimizer and Landscape Planner and consolidates and simplifies tasks such as system installation, updates, upgrades and conversions.
Maintenance Planner is hosted on the SAP Support Portal. It maintains an inventory of SAP systems in customer landscapes. The inventory can be viewed using the Explore Systems tile.
Landscapes can also be analyzed using graphical topologies in Hybrid Landscape Visualization.
Explore Systems provides detailed software information for each system such as product versions, components and stack levels, as well as tracks and dependencies. Tracks are used to group related systems and streamline maintenance.
Maintenance Planner identifies products that are out of maintenance, third-party add-ons installed in SAP systems, and inconsistencies between displayed software components and installed components in systems. The software information is sourced by Maintenance Planner directly from the Landscape Management Landscape Database (LMDB) in SAP Solution Manager. The information is synchronized with the LMDB every day via the SAP-OSS connection between Solution Manager and SAP Support.
Upgrade Dependency Analyzer (UDA) is integrated with Maintenance Planner to help identify the impact of maintenance tasks on dependent systems. Maintenance Planner identifies and downloads the required software packages for planned upgrades or new systems. It also supports conversion tasks for migration from SAP ERP to S/4HANA. Finally, Maintenance Planner includes guided workflows to discover and integrate SAP cloud solutions.
Maintenance Planner calculates and displays recommended notes for systems in each landscape. The notes are analyzed and managed using the View Recommended Notes tile. It supports searching, filtering, grouping, sorting, and exporting of results. The Calculate Notes option displays relevant notes for selected systems. Notes are grouped by category including Security, Hot News, Performance and Legal Change. You can select a note from the available categories to view the details. CVE, CVSS and vector information is provided for SAP Security Notes.
Maintenance Planner can track the implementation lifecycle of notes using the Processing Status option. The following values are supported for the option:
Transferring: Note is transferred for implementation
In Progress: Note implementation is in progress
Not Relevant: Invalid or irrelevant note for the system
A Comments field is also included for users to provide additional information related to the implementation status of each note.
Maintenance Planner provides an alternative to System Recommendations for discovering and managing required notes in SAP systems. However, unlike System Recommendations, Maintenance Planner does not identify SAP HANA, Web Dispatcher and platform-related notes. Also, it does not integrate with Change Request Management (ChaRM), Usage and Procedure Logging (UPL), ABAP Call Monitor (SCMON), and Solution Documentation for the full lifecycle management of notes and automated change impact analysis to support test planning.
Hot news note 3089413 patches a critical capture-replay vulnerability that can lead to authentication bypass in SAP NetWeaver Application Server ABAP (AS ABAP). The vulnerability is caused by the failure to use unique hashes for system identification. Note 3089413 includes corrections for the SAP kernel and the SAP Basis component. The corrections must be applied in both trusting and trusted systems.
Hot news note 3268093 deals with a broken authentication vulnerability in SAP NetWeaver Application Server Java (AS Java). An unauthenticated attacker can attach to an open interface and exploit an open naming and directory API to access services which can be used to perform unauthorized operations affecting users and data. This could allow the attacker to gain full read access to user data, modify data and disrupt the availability of services within the system. The correction removes public access to basicadmin and adminadapter services and introduces authentication and authorization for the relevant objects. The required permissions are automatically assigned to the Administrator, NWA_SUPERADMIN, and NWA_READONLY roles by the corrections.
Note 3243924 patches a high-risk insecure deserialization of untrusted data vulnerability in SAP BusinessObjects Business Intelligence (BOBJ). Authenticated attackers with minimal privileges can intercept and modify serialized objects in the Central Management Console and BI LaunchPad of BOBJ. Note 3243924 restricts deserialization to specific internal classes. The note also includes instructions for a workaround that involves removing the vulnerable code in specific files.
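The correction described above restricts deserialization to specific internal classes. The added example below is not BOBJ code and uses Python's pickle rather than Java serialization, but it demonstrates the same control: a deserializer that resolves only allowlisted classes and rejects every other type before an object is constructed. The ScheduleRequest class, the allowlist contents and the sample payloads are constructed for the example.

```python
import collections
import io
import pickle
from dataclasses import dataclass


@dataclass
class ScheduleRequest:
    """Constructed internal class that the application legitimately exchanges."""
    report_id: str
    output_format: str


# Allowlist of (module, class name) pairs that may be resolved while deserializing.
# Anything else, including standard-library types, is refused.
ALLOWED_CLASSES = {
    (ScheduleRequest.__module__, ScheduleRequest.__name__),
}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that only resolves classes on the allowlist."""

    def find_class(self, module, name):
        # find_class is consulted for every global reference in the stream,
        # so the check runs before any object of that class is instantiated.
        if (module, name) in ALLOWED_CLASSES:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(
            f"deserialization of {module}.{name} is not permitted")


def restricted_loads(data: bytes):
    """Deserialize untrusted bytes, allowing only allowlisted classes."""
    return RestrictedUnpickler(io.BytesIO(data)).load()


def accepts(data: bytes) -> bool:
    """True if the payload deserializes under the allowlist, False if rejected."""
    try:
        restricted_loads(data)
        return True
    except pickle.UnpicklingError:
        return False


def allowed_payload() -> bytes:
    """Constructed payload containing an allowlisted internal object."""
    return pickle.dumps(ScheduleRequest("RPT-001", "pdf"))


def unlisted_payload() -> bytes:
    """Constructed payload with a harmless object whose class is not allowlisted."""
    return pickle.dumps(collections.OrderedDict(a=1))


if __name__ == "__main__":
    print("allowed payload accepted:", accepts(allowed_payload()))
    print("unlisted payload accepted:", accepts(unlisted_payload()))
```

The allowlist is keyed on module and class name rather than on the class object itself because that is the form the stream carries; the same approach applies to Java's ObjectInputFilter, where the filter receives the class being resolved and can reject it before readObject runs.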
Other important notes include 3262810 and 3275391 for code injection and SQL injection vulnerabilities in the Analysis Edition for OLAP in BOBJ and SAP Business Planning and Consolidation, respectively.
SAP Focused Run provides real-time application monitoring, alerting and analytics for large-scale SAP landscapes and hosting providers. It leverages SAP HANA to support centralized monitoring for up to thousands of systems in high-volume environments. Focused Run is intended to complement Solution Manager in SAP landscapes by taking over the configuration, integration, system, and user monitoring scenarios from SolMan. Solution Manager is required for all other scenarios including change management, patch management, custom code management, business process monitoring, service management, and test management.
This article explores the alerting capabilities of SAP Focused Run using the workgroups Advanced System Management and Advanced Event & Alert Management.
Similar to SAP Solution Manager, Focused Run includes preconfigured monitoring templates and data providers for SAP platforms and solutions including ABAP, HANA, and Java. It also includes database and host templates for monitoring SAP infrastructure. The standard metrics and alerts within the SAP-delivered templates include content for monitoring the availability and performance of SAP applications, components, agents, interfaces and infrastructure.
The Cybersecurity Extension for SAP extends the coverage of SAP Focused Run to include security monitoring. The SAP-certified addon provides more than 500 metrics and alerts for detecting indicators of compromise in SAP logs. This includes ABAP logs such as the Security Audit Log, Gateway Server Log, HTTP Log, System Log, Transaction Log, Read Access Log, and Change Documents. It also includes support for the Audit Log in HANA platforms. The current version of the Cybersecurity Extension for SAP supports ABAP and HANA platforms. Future releases are expected to support Java systems and operating system logs in Linux hosts.
Alerts can be accessed using Alert Management in the Advanced Event & Alert Management workgroup.
Focused Run supports the grouping of systems into Customer IDs. This can be used to segment results for business units. Alert Management will summarize the results for the Customer IDs chosen in the initial selection screen.
You can select the list view to display the current alerts.
You can open and view the details of alerts in the list. The example below is an alert triggered in a managed system for changes performed for the roles assigned to the standard SAP* user.
The Metrics tab includes information related to the underlying event including the event timestamp, source IP, target IP, and user information. This information can be automatically integrated with Security Information and Event Management (SIEM) systems. Notifications can also be sent for alerts through email or SMS using the Send Notification option in the Actions menu.
Alert Reporting in Alert Management provides a dashboard for monitoring alerts by date, category and systems.
Alerts can also be managed using System Monitoring in the Advanced System Management workgroup.
System Monitoring includes an Alert Ticker in the right pane that displays the latest alerts in real time.
The application also includes a hierarchical view for displaying alerts by managed object type including systems, application servers, instances, databases and hosts.
The Cybersecurity Extension for SAP provides an alternative to SAP Code Vulnerability Analyzer (CVA) for SAP vulnerability management, threat detection, and custom code security. The Cybersecurity Extension for SAP is developed by Layer Seven Security. Layer7 is an SAP partner and competitor of SAP CVA. This guide will help you plan for the transition from SAP CVA to the Cybersecurity Extension for SAP. Once you have transitioned from SAP CVA, you can remove the SAP CVA consoles and sensors from your SAP landscape, as well as the SAP CVA users and addons in your SAP systems.
Unlike SAP CVA, the Cybersecurity Extension for SAP is an addon for SAP Solution Manager. Solution Manager is a monitoring and diagnostics platform widely used by SAP customers for application lifecycle management. Over 12,000 SAP customers worldwide are actively using Solution Manager to manage their SAP systems. Usage rights for Solution Manager are included in SAP support.
The Cybersecurity Extension for SAP requires the standard setup of Solution Manager. This guide will help you review your Solution Manager setup and prepare your platform to ensure a smooth transition from SAP CVA to the Cybersecurity Extension for SAP.
Check central system
The Cybersecurity Extension for SAP applies code vulnerability checks using the ABAP Test Cockpit (ATC). A central check system is recommended for the ATC. The central system performs code analysis for remote systems. Please refer to the SAP guidelines for configuring a central system for your landscape. The latest version of the SAP Basis component is recommended for the central system to analyze custom code in systems with lower versions.
Check target system software versions
The Cybersecurity Extension for SAP supports monitoring for ABAP, HANA and Java systems, as well as the SAProuter and Web Dispatcher. Please confirm the target systems meet the minimum requirements below. All versions of the SAProuter and Web Dispatcher are supported.
ABAP: SAP Basis 7.00, SP00
HANA: Version 1.0, SP08
Java: SAP NetWeaver 7.0 Enhancement Package 1 (7.01)
Check System Monitoring
The Cybersecurity Extension for SAP requires the completion of System Monitoring in Application Operations. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on System Monitoring in Application Operations. Confirm the status of all steps in System Monitoring is green (completed). Follow the guided procedures for System Monitoring to perform steps that are red or yellow (incomplete).
Check Managed System Configuration
The Cybersecurity Extension for SAP requires the completion of Managed System Configuration for each target system. Execute transaction SOLMAN_SETUP or navigate to work center SAP Solution Manager Configuration – Configuration (All Scenarios). Click on Managed System Configuration in Cross Scenario Configuration. Highlight a relevant system in the Technical Systems tab and select Configure System – Full Configuration. Confirm the status of all steps in Managed System Configuration is green (completed). Follow the guided procedures for Managed System Configuration to perform steps that are red or yellow (incomplete).
The following Automatic and Manual Activities are not required in Finalize Configuration:
Setup Single Sign-On
Activate E2E Trace Upload Service
Introscope Host Adaptor
Apply Settings for EWA Monitoring
Byte Code Adaptor Installation (Java Systems)
Enable Remote R/3 Connection
The status of the steps Maintain Users, Finalize Configuration and Check Configuration can be yellow.