SAP Security Notes, May 2019

Note 1408081 was updated in May in response to the recent 10KBLAZE exploits targeting vulnerabilities in the gateway server. The note includes revised instructions for maintaining access control lists in the gateway security files reg_info and sec_info for different kernel versions. The access control lists should be configured to control external server registrations and program starts. The note recommends restricting registrations and starts to within the same system or SID cluster using the options ‘local’ and ‘internal’. However, the updates do not mention the risk that the security mechanisms applied by the recommended entries could be bypassed by attackers that register as internal servers with the message server. Therefore, it is critical to maintain access control lists for the message server to support the secure configuration of the gateway server.

For additional security against 10KBLAZE exploits, a separate port should be configured for internal message server communications, external monitor commands should be rejected, communications between kernel components should be encrypted, and the bit mask value for the profile parameter gw/reg_no_con_info should be set to a value of 255.

Note 2756453 provides manual instructions and automated corrections for removing a high-risk cross-site scripting vulnerability in S/4HANA.

Note 2784307 deals with another high-risk vulnerability in the REST Interface that could be exploited to escalate privileges in SAP Identity Management.

 

Leave a Reply

Your email address will not be published. Required fields are marked *