{"id":671,"date":"2013-08-03T08:18:35","date_gmt":"2013-08-03T16:18:35","guid":{"rendered":"http:\/\/davatec.com\/corp\/?p=671"},"modified":"2013-08-03T08:23:50","modified_gmt":"2013-08-03T16:23:50","slug":"sap-security-notes-june-2013","status":"publish","type":"post","link":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/","title":{"rendered":"SAP Security Notes July 2013"},"content":{"rendered":"<p style=\"text-align: justify;\">Welcome to our August 2013 SAP Security Newsletter. This is our second Newsletter this year and feedback has been great.<\/p>\n<p style=\"text-align: justify;\">In July 2013, SAP released 34 security related OSS notes. Below are the statistics:<\/p>\n<ul style=\"text-align: justify;\">\n<li>8 Notes are not rated with a CVSS code<\/li>\n<li>16 Notes are rated with a CVSS code between 3.5 and 5.0<\/li>\n<li>10 Notes are rated with a CVSS code of 6, none above<\/li>\n<\/ul>\n<p style=\"text-align: justify;\"><a href=\"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png\"><img loading=\"lazy\" decoding=\"async\" alt=\"SAP Security Notes 07-2013\" src=\"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png\" width=\"655\" height=\"634\" \/><\/a><\/p>\n<p style=\"text-align: justify;\">Below are a few highlights from the July 2013 Security Notes. Keep up the good work and make sure your SAP systems are safe!<\/p>\n<table width=\"611\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"79\"><b>1823687<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"125\"><b>BC-SEC-LGN<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"407\"><b>Potential information disclosure relating to user existence<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify;\">Information such as the existence of users can be discovered using a failed logon attempt. 
Solution: Configure the ABAP server to answer all logon attempts that fail due to invalid or unvalidated credentials with an error message that does not disclose any details about the failure reason. An attacker may use information about user existence to further target system access by password logon.<\/p>\n<table width=\"611\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"79\"><b>1870605<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"125\"><b>BC-DB-HDB<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"407\"><b>Privilege escalation in SAP HANA<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify;\">The vulnerability is caused by a security problem in the program&#8217;s source code. An attacker who has specific information can log on to the system with high system privileges without having been assigned legitimate access by the system administrator(s).<\/p>\n<table width=\"611\" border=\"0\" cellspacing=\"0\" cellpadding=\"0\">\n<tbody>\n<tr>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"79\"><b>1798286<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"125\"><b>SCM-BAS-EHS<\/b><\/td>\n<td valign=\"bottom\" nowrap=\"nowrap\" width=\"407\"><b>Potential modif.\/disclosure of persisted data in SCM<\/b><\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p style=\"text-align: justify;\">The problem is caused by an SQL injection vulnerability. The code composes an SQL statement that contains strings that can be altered by an attacker. The manipulated SQL statement can then be used to retrieve additional data from the database, or to modify this data.<\/p>\n<h4 style=\"text-align: justify;\">Revisiting old SAP Security notes!<\/h4>\n<p style=\"text-align: justify;\">Please read one of our most visited blog posts on preventing users from making changes to tables, such as master &amp; transaction tables, with SE16N! 
Have you implemented SAP Notes <strong>1420281, 1473881<\/strong> and <strong>1446530<\/strong>, to mention a few? We have seen that a number of clients still have not implemented all notes, especially the one that allows changing\/viewing data across clients with UASE16N! If you think your HR data is safe by having the data on its own client, think again!<\/p>\n<p style=\"text-align: justify;\"><span style=\"color: #993300;\"><a title=\"Permalink to Edit SAP tables: Your SAP Security Admin\u2019s nightmare: &amp;sap_edit\" href=\"http:\/\/home4sap.com\/Blog\/2010\/11\/edit-sap-tables-you-sap-security-admins-nightmare\/\"><span style=\"color: #993300;\">Edit SAP tables: Your SAP Security Admin\u2019s nightmare: &amp;sap_edit<\/span><\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Welcome to our August 2013 SAP Security Newsletter. This is our second Newsletter this year and feedback has been great. In July 2013, SAP released 34 security related OSS notes. Below are the statistics: 8 Notes are not rated with a <a class=\"more-link\" href=\"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/\">Continue reading <span class=\"screen-reader-text\">  SAP Security Notes July 2013<\/span><span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6,36],"tags":[],"class_list":["post-671","post","type-post","status-publish","format-standard","hentry","category-sap-news","category-security-advisory"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.5 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>SAP Security Notes July 2013 -<\/title>\n<meta name=\"description\" content=\"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, 
max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"SAP Security Notes July 2013 -\" \/>\n<meta property=\"og:description\" content=\"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/\" \/>\n<meta property=\"article:published_time\" content=\"2013-08-03T16:18:35+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2013-08-03T16:23:50+00:00\" \/>\n<meta property=\"og:image\" content=\"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png\" \/>\n<meta name=\"author\" content=\"Davatec Consulting\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Davatec Consulting\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. 
reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"2 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/\"},\"author\":{\"name\":\"Davatec Consulting\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/#\\\/schema\\\/person\\\/cbf5bfd07d277e87a3c0adb490d628b6\"},\"headline\":\"SAP Security Notes July 2013\",\"datePublished\":\"2013-08-03T16:18:35+00:00\",\"dateModified\":\"2013-08-03T16:23:50+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/\"},\"wordCount\":355,\"image\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/home4sap.com\\\/Blog\\\/wp-content\\\/uploads\\\/2013\\\/08\\\/image001.png\",\"articleSection\":[\"SAP News\",\"Security Advisory\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/\",\"url\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/\",\"name\":\"SAP Security Notes July 2013 
-\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#primaryimage\"},\"thumbnailUrl\":\"http:\\\/\\\/home4sap.com\\\/Blog\\\/wp-content\\\/uploads\\\/2013\\\/08\\\/image001.png\",\"datePublished\":\"2013-08-03T16:18:35+00:00\",\"dateModified\":\"2013-08-03T16:23:50+00:00\",\"author\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/#\\\/schema\\\/person\\\/cbf5bfd07d277e87a3c0adb490d628b6\"},\"description\":\"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#primaryimage\",\"url\":\"http:\\\/\\\/home4sap.com\\\/Blog\\\/wp-content\\\/uploads\\\/2013\\\/08\\\/image001.png\",\"contentUrl\":\"http:\\\/\\\/home4sap.com\\\/Blog\\\/wp-content\\\/uploads\\\/2013\\\/08\\\/image001.png\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/sap-security-notes-june-2013\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/davatec.com\\\/corp\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"SAP Security Notes July 
2013\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/#website\",\"url\":\"https:\\\/\\\/davatec.com\\\/corp\\\/\",\"name\":\"\",\"description\":\"\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/davatec.com\\\/corp\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/davatec.com\\\/corp\\\/#\\\/schema\\\/person\\\/cbf5bfd07d277e87a3c0adb490d628b6\",\"name\":\"Davatec Consulting\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g\",\"caption\":\"Davatec Consulting\"},\"url\":\"https:\\\/\\\/davatec.com\\\/corp\\\/author\\\/webmeister\\\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. 
-->","yoast_head_json":{"title":"SAP Security Notes July 2013 -","description":"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/","og_locale":"en_US","og_type":"article","og_title":"SAP Security Notes July 2013 -","og_description":"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.","og_url":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/","article_published_time":"2013-08-03T16:18:35+00:00","article_modified_time":"2013-08-03T16:23:50+00:00","og_image":[{"url":"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png","type":"","width":"","height":""}],"author":"Davatec Consulting","twitter_misc":{"Written by":"Davatec Consulting","Est. reading time":"2 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#article","isPartOf":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/"},"author":{"name":"Davatec Consulting","@id":"https:\/\/davatec.com\/corp\/#\/schema\/person\/cbf5bfd07d277e87a3c0adb490d628b6"},"headline":"SAP Security Notes July 2013","datePublished":"2013-08-03T16:18:35+00:00","dateModified":"2013-08-03T16:23:50+00:00","mainEntityOfPage":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/"},"wordCount":355,"image":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#primaryimage"},"thumbnailUrl":"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png","articleSection":["SAP News","Security 
Advisory"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/","url":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/","name":"SAP Security Notes July 2013 -","isPartOf":{"@id":"https:\/\/davatec.com\/corp\/#website"},"primaryImageOfPage":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#primaryimage"},"image":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#primaryimage"},"thumbnailUrl":"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png","datePublished":"2013-08-03T16:18:35+00:00","dateModified":"2013-08-03T16:23:50+00:00","author":{"@id":"https:\/\/davatec.com\/corp\/#\/schema\/person\/cbf5bfd07d277e87a3c0adb490d628b6"},"description":"In July 2013, SAP released 34 security related OSS notes - visit us to learn more.","breadcrumb":{"@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#primaryimage","url":"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png","contentUrl":"http:\/\/home4sap.com\/Blog\/wp-content\/uploads\/2013\/08\/image001.png"},{"@type":"BreadcrumbList","@id":"https:\/\/davatec.com\/corp\/sap-security-notes-june-2013\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/davatec.com\/corp\/"},{"@type":"ListItem","position":2,"name":"SAP Security Notes July 
2013"}]},{"@type":"WebSite","@id":"https:\/\/davatec.com\/corp\/#website","url":"https:\/\/davatec.com\/corp\/","name":"","description":"","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/davatec.com\/corp\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Person","@id":"https:\/\/davatec.com\/corp\/#\/schema\/person\/cbf5bfd07d277e87a3c0adb490d628b6","name":"Davatec Consulting","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/fa3d04e976560ef6f5ebd7276e4ba1571a4ebf8d097321b3d4df986ebd1642b0?s=96&d=mm&r=g","caption":"Davatec 
Consulting"},"url":"https:\/\/davatec.com\/corp\/author\/webmeister\/"}]}},"_links":{"self":[{"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/posts\/671","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/comments?post=671"}],"version-history":[{"count":5,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/posts\/671\/revisions"}],"predecessor-version":[{"id":676,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/posts\/671\/revisions\/676"}],"wp:attachment":[{"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/media?parent=671"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/categories?post=671"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/davatec.com\/corp\/wp-json\/wp\/v2\/tags?post=671"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}