
SMASH Demo: Monitoring Software Vulnerabilities through Social Media Analysis


Make Big Data protection part of the process, not an afterthought


My colleague at SAP, David Jonker, describes Big Data as ‘the new oil that can fuel economic growth’ and says that as such, hackers are staking their claim and trying to steal it. He warns that data breaches are increasing on a daily basis and are ‘well-funded, carefully targeted and planned out’, the cost of which is measured in millions of euros and considerable reputational damage.

What do we need to protect? How do we protect it?

In a recent interview, technology journalist David McClelland asked me to talk about the big deal around security and Big Data.

I believe there are several aspects we need to consider when we think about privacy and security, and we need to distinguish between the two. Privacy is about keeping individually identifiable or sensitive information exactly that – private. Where content is king here, content and CONTEXT are King Kong! You can attach so much contextual information to a simple online deal: basic data like customer name, address, credit card information etc., but also real-time information such as where the buyer is, favorites, what else the individual is looking for, age, behavior, and much more. All to make personalized offers – and sell more – and I don't necessarily mean to the same customer. This is a great business model for a lot of companies, but it is tricky at the same time, because it has big potential to become a compliance issue when all this information is stored, enriched and shared. Not to mention whether this is in conflict with what we, as individuals, really want…

Privacy relates to security, but it is not the same. Companies need to protect their core processes, including business-critical information. These challenges are not new in the era of Big Data – there's the threat of data theft, destruction and criminal data manipulation. But it's the sheer scale of the data available these days that's making it an increasingly attractive target for attackers.

So security can't be an afterthought any more. From project outset, we have to take a more holistic view of protecting data. We need to incorporate this holistic approach into our security concepts and the entire IT landscape. We should protect the technologies we employ for aggregating and integrating data, the software and hardware infrastructure used for storing and housing it, the business applications, and the tools we analyze data with.

People, processes and technology

Companies must also intensify security collaboration with their software and hardware vendors, as well as international bodies that are working on security topics. We won’t ever have a one-fits-all bullet-proof vest to arm us against all forms of data attack in the net, so we need to start treating data security as a process, rather than a status.

As well as attacking the technology, hackers are heavily using vulnerabilities in human nature to gain access to data. So we have to systematically train people and make them aware of the threats. We must remain proactive with techniques and technologies we have and keep working at it to secure our business critical information.

Calling time on hackers with the right level of encryption

It’s worth considering what hardware firms can do to help secure data. By using hardware-enabled encryption, it’s possible to encrypt more data, faster and with longer keys to make it more secure.

While it may well be possible to encrypt data that would remain uncrackable for as long as the known universe has existed, that’s unlikely to be necessary. The level of encryption should be sufficient to make it not worth the hacker spending time on it – and this is possible to do.

Another security method is data tagging, whereby data can only be processed in its home location. So if data is stolen, it’s rendered useless in any other environment.

Intel has also been working on creating ‘hardware we can trust’ that can check that all software is ‘known good’ software. They see this ‘white-listing’ approach as crucial to creating an end-to-end holistic security environment. It sounds to me like we’re all on the same page in believing in security as a policy that should be designed in from day one – and not follow on as an afterthought.

To hear more thinking on ways of safeguarding Big Data, watch the Run Simple Show - Big Data Security Part 2: Protecting your data at http://virtualrunsimpletour.com/runsimpleseries

Analysis and Recommended Settings of the Security Audit Log (SM19 / SM20)


This document was generated from the following discussion: Recommended Settings for the Security Audit Log (SM19 / SM20)

 

This blog started out as a set of recommendations for the settings of the Security Audit Log, but in the meantime it has evolved into a collection of tips and tricks in general.

Another good source of information is FAQ note 539404 - FAQ: Answers to questions about the Security Audit Log.

 


Profile Parameters / Kernel Parameters

 

rsau/enable = 1
rsau/selection_slots = 10
rsau/user_selection = 1

As of release SAP_BASIS 7.3 you can use the so-called "Kernel Parameters" instead of the profile parameters listed above. You find them on a new tab in transaction SM19; see chapter Preparing the Security Audit Log in the Online Documentation. You can set them dynamically, and once set they override the values of the profile parameters.

 

Filter settings in SM19

 

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.

  • You may deactivate the messages of class "User master record change (32)" because you get change documents for users in transaction SUIM anyway.
  • Consider adding messages AUO, AUZ, BU5, BU6, BU7, BU9, BUA, BUB, BUC, BUH, AUP, AUQ.
  • If you maintain logical file names using transaction FILE (see note 1497003), then add messages CUQ, CUR, CUS, CUT.
  • If you maintain an Access Control List for RFC callback (see note 2128095), then add messages DUI, DUJ, DUK.

2. Filter: Activate everything for the special user SAP* in all clients '*'.

You cannot use the filter value 'SAP*' because, with profile parameter rsau/user_selection = 1, it would also match the virtual user SAPSYS. This virtual user SAPSYS performs many housekeeping activities triggered by the system itself, and you do not want to log these events.

However, you can use the special filter value 'SAP#*' instead.

You can use this special filter value 'SAP#*' in transaction SM20 or in report RSAU_SELECT_EVENTS as well, to show log entries for user SAP* only.

3+4. Filter: Activate everything for other support and emergency users, e.g. 'SAPSUPPORT*' (SAP Support users) or 'FF*' (FireFighter), in all clients '*'.

5. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients '*'. This user should not be used in dialog mode. It is only required for specific activities while applying support packages or while importing transports (and in the latter case you can use another background user as well).

6. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted (see http://scn.sap.com/community/security/blog/2013/06/06/how-to-remove-unused-clients-including-client-001-and-066 ).

7. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily (see http://scn.sap.com/community/security/blog/2010/12/05/how-to-get-rfc-call-traces-to-build-authorizations-for-srfc-for-free ).

8.-10. Filter: free for other project-specific purposes.

Using the print function (command PRINT) in transaction SM19 or report RSAU_INFO_SYAG you can display an overview of the current settings.

List of events

 

If some of the events described in this document are missing in your system, search for SAP notes in application component BC-SEC-SAL.

Using note 1970644 you can get report RSAU_INFO_SYAG, which shows all events of the Security Audit Log including their current activation status. The detail view lets you create an HTML-based event definition print list including the full documentation.

Events ordered by selected topics and security optimization projects:

 

Topic | Description and references | Messages
BACK | RFC callback (note 2128095). Project: "Secure RFC Callback" | DUI DUJ DUK
CCM_TOOLSET_STARTER | | BUX
CUSTOM | Customer-specific events using function module RSAU_WRITE_CUSTOMER_EVTS (note 1941526) | DUX DUY DUZ
DEBUG | Debugging (change mode) | CUL CU_M (BUZ)
EHS-SADM | (note 1792047) | DUA DUB DUC DUD DUE DUF DUG
FILE | Directory traversal (note 1497003). Project: "Secure File access" | CUQ CUR CUS CUT
OAUTH | OAuth 2.0 | (AU2) BUV BUW DUH
PAYLOAD | | CUU CUX
RAL | Read Access Logging (note 1902280) | BU0 CU0
RBAM | Role Based Access Management in SAP Business ByDesign system (note 948275) | BUI BUJ
REPORT | Report start. Project: "Avoid SA38 by using custom report transactions" | AUW AUX
RFC-TABLE | Generic table access via RFC using functions like RFC_READ_TABLE (note 1539105). Project: "Secure standard table access (authorization object S_TABU_RFC)" | CUZ
SACF | Switchable authorization scenarios, transaction SACF (note 2078596). Project: "Secure RFC functions" | DUO DUP DUQ DUU DUV
SAML | SAML authentication, transaction SRTUTIL (note 1570266) | (AU2) BUK BUL BUM BUN BUO BUP CUA CUB CUC CUD CUE CUF CUG CUH
SAP FTP | FTP server whitelist using table SAPFTP_SERVERS (note 1605054). Project: "Secure SAP FTP" | DU1 DU2 DU3 DU4 DU5 DU6 DU7 DU8
SE16 | Generic table access using transactions like SE16, SE16N, SM30, SM31, SM34, or SQV (note 2041892). Project: "Secure standard table access (authorization objects S_TABU_DIS, S_TABU_NAM)" | DU9
SLDW | Generic whitelists | DUL DUM DUN
SNC | SNC Client Encryption (note 2104732). Project: "Encrypt SAPGUI communication" | BUJ
TCODE | Transactions | AU3 AU4 AUP AUQ
USER | Change user master data (not required as you get change documents anyway) | BU2 AU8 AU7 AU9 AUA AUB AUD AUR AUS AUT AUU
WEB-SERVICE | Web service calls (note 1620477) | CUV CUW
XSRF | XSRF attacks (note 1619912) | BUS

 

List of events from table TSL1D

 

Audit class | Event class | AREA+SUBID | Message
Dialog Logon | Non-Crit. | AUC | User Logoff
Dialog Logon | Non-Crit. | BUE | WS: Delayed logon successful (type &B, WP &C). Refer to Web service log &A.
Dialog Logon | Non-Crit. | BUK | &A Assertion Used
Dialog Logon | Non-Crit. | BUL | &A: &B
Dialog Logon | Non-Crit. | BUM | Name ID of a subject
Dialog Logon | Non-Crit. | BUN | Attribute
Dialog Logon | Non-Crit. | BUO | Authentication Assertion
Dialog Logon | Non-Crit. | BUP | &A
Dialog Logon | Non-Crit. | BUQ | Signed LogoutRequest accepted
Dialog Logon | Non-Crit. | BUR | Unsigned LogoutRequest accepted
Dialog Logon | Non-Crit. | CU1 | Test message CU1
Dialog Logon | Important | AU1 | Logon Successful (Type=&A)
Dialog Logon | Important | AUO | Logon Failed (Reason = &B, Type = &A)
Dialog Logon | Important | CUA | Rejected Assertion
Dialog Logon | Important | CUB | &A: &B
Dialog Logon | Important | CUC | &A
Dialog Logon | Important | CUD | Name ID of a subject
Dialog Logon | Important | CUE | Attribute
Dialog Logon | Important | CUF | Authentication Assertion
Dialog Logon | Important | CUG | Signed LogoutRequest rejected
Dialog Logon | Important | CUH | Unsigned LogoutRequest rejected
Dialog Logon | Critical | AU2 | Logon Failed (Reason = &B, Type = &A)
Dialog Logon | Critical | AUM | User &B Locked in Client &A After Erroneous Password Checks
Dialog Logon | Critical | AUN | User &B in Client &A Unlocked After Being Locked Due to Inval.Password Entered
Dialog Logon | Critical | BUD | WS: Delayed logon failed (type &B, WP &C). Refer to Web service log &A.
Dialog Logon | Critical | BUI | SPNego replay attack detected (UPN=&A)
RFC/CPIC Logon | Non-Crit. | AU5 | RFC/CPIC Logon Successful (Type = &A)
RFC/CPIC Logon | Critical | AU6 | RFC/CPIC Logon Failed, Reason = &B, Type = &A
RFC Function Call | Non-Crit. | AUK | Successful RFC Call &C (Function Group = &A)
RFC Function Call | Non-Crit. | CUV | Successful WS Call (service = &A, operation &B)
RFC Function Call | Non-Crit. | DU6 | Validation for &A successful
RFC Function Call | Non-Crit. | DU8 | FTP connection request for server &A successful
RFC Function Call | Non-Crit. | DUI | RFC-Callback executed (Destination &A, Called &B, Callback &C)
RFC Function Call | Non-Crit. | DUR | JSON RFC call of function module &A succeeded
RFC Function Call | Non-Crit. | DUS | JSON RFC call of function module &A failed
RFC Function Call | Important | DU1 | FTP server whitelist is empty
RFC Function Call | Important | DU2 | FTP server whitelist is non-secure due to use of placeholders
RFC Function Call | Important | DUJ | RFC-Callback executed (Destination &A, Called &B, Callback &C)
RFC Function Call | Critical | AUL | Failed RFC Call &C (Function Group = &A)
RFC Function Call | Critical | CUW | Failed Web service call (service = &A, operation = &B, reason = &C)
RFC Function Call | Critical | CUZ | Generic table access by RFC to &A with activity &B
RFC Function Call | Critical | DU3 | Server &A is not contained in the whitelist
RFC Function Call | Critical | DU4 | Connection to server &A failed
RFC Function Call | Critical | DU5 | There is no logical file name for path &A
RFC Function Call | Critical | DU7 | Validation for &A failed
RFC Function Call | Critical | DUK | RFC-Callback executed (Destination &A, Called &B, Callback &C)
RFC Function Call | Critical | DUT | Critical JSON RPC call of function module &A (S_RFC * authorization)
Transaction Start | Non-Crit. | AU3 | Transaction &A Started
Transaction Start | Important | AUP | Transaction &A Locked
Transaction Start | Important | AUQ | Transaction &A Unlocked
Transaction Start | Critical | AU4 | Start of transaction &A failed (Reason=&B)
Report Start | Non-Crit. | AUW | Report &A Started
Report Start | Important | AUX | Start Report &A Failed (Reason = &B)
User Master Change | Non-Crit. | BU2 | Password changed for user &B in client &A
User Master Change | Important | AU8 | User &A Deleted
User Master Change | Important | AU9 | User &A Locked
User Master Change | Important | AUA | User &A Unlocked
User Master Change | Important | AUB | Authorizations for User &A Changed
User Master Change | Important | AUD | User Master Record &A Changed
User Master Change | Important | AUR | &A &B Created
User Master Change | Important | AUS | &A &B Deleted
User Master Change | Important | AUT | &A &B Changed
User Master Change | Critical | AU7 | User &A Created
User Master Change | Critical | AUU | &A &B Activated
System | Critical | AUE | Audit Configuration Changed
System | Critical | AUF | Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System | Critical | AUG | Application Server Started
System | Critical | AUH | Application Server Stopped
System | Critical | AUI | Audit: Slot &A Inactive
System | Critical | AUJ | Audit: Active Status Set to &1
Other Events | Non-Crit. | AU0 | Audit - Test. Text: &A
Other Events | Non-Crit. | BUF | HTTP Security Session Management was activated for client &A.
Other Events | Non-Crit. | CUU | Payload of PI/WS message &A was read &B
Other Events | Non-Crit. | DUL | Check &A against whitelist &B passed
Other Events | Non-Crit. | DUO | Authority check against object &A in scenario &B passed
Other Events | Non-Crit. | DUP | Authority check against object &A in scenario &B failed
Other Events | Important | AUY | Download &A Bytes to File &C
Other Events | Important | AUZ | Digital Signature (Reason = &A, ID = &B)
Other Events | Important | BU5 | ICF recorder entry executed for user &A (Activity: &B)
Other Events | Important | BU6 | ICF Recorder entry executed by user &A (&B,&C) (activity: &D).
Other Events | Important | BU7 | Administration setting was changed for ICF Recorder (Activity: &A)
Other Events | Important | BU9 | Virus Scan Interface: Error "&C" occurred in profile &A (step &B)
Other Events | Important | BUA | WS: Signature check error (reason &B, WP &C). Refer to Web service log &A.
Other Events | Important | BUB | WS: Signature insufficient (WP &C). Refer to Web service log &A.
Other Events | Important | BUC | WS: Time stamp is invalid. Refer to Web service log &A.
Other Events | Important | BUH | HTTP Security Session of user &A (client &B) was hard exited
Other Events | Important | CUQ | Logical file name &A not configured. Physical file name &B not checked.
Other Events | Important | CUR | Physical file name &B does not fulfill requirements from logical file name &A
Other Events | Important | CUS | Logical file name &B is not a valid alias for logical file name &A
Other Events | Important | CUT | Validation for logical file name &A is not active
Other Events | Important | DUM | Check &A against whitelist &B failed
Other Events | Critical | AUV | Digital Signature Error (Reason = &A, ID = &B)
Other Events | Critical | BU0 | RAL Configuration Access: Action: &A, Type: &B, Name &C
Other Events | Critical | BU1 | Password check failed for user &B in client &A
Other Events | Critical | BU3 | not used: Change Security Check During Export: Old Value &A, New Value &B
Other Events | Critical | BU4 | not used: Transport Request &A Contains Security-Critical Source Objects; new: Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C
Other Events | Critical | BU8 | Virus Scan Interface: Virus "&C" found by profile &A (step &B)
Other Events | Critical | BUG | HTTP Security Session Management was deactivated for client &A.
Other Events | Critical | BUJ | Unencrypted &A-Communication (&B)
Other Events | Critical | BUS | &A: Request without sufficient security characteristic of address &B.
Other Events | Critical | BUY | Field contents changed: &5&9&9&9&9&9
Other Events | Critical | BUZ | > in program &A, line &B, event &C
Other Events | Critical | CU0 | RAL Log Access: Action: &A
Other Events | Critical | CUK | C debugging activated
Other Events | Critical | CUL | Field content changed: &A
Other Events | Critical | CU_M | Jump to ABAP Debugger: &A
Other Events | Critical | CUN | A manually caught process was stopped from within the Debugger (&A)
Other Events | Critical | CUO | Explicit database commit or rollback from debugger &A
Other Events | Critical | CUP | Non-exclusive debugging session started
Other Events | Critical | CUY | > &A
Other Events | Critical | DUN | Active whitelist &A was changed ( &B )
Other Events | Critical | DUQ | Active scenario &A was changed ( &B )

 

File format

Use report RSAU_SELECT_EVENTS to analyze the file format.

 

The audit files have a structured but variable record layout in Unicode text format.

The administrative information is fixed; however, there are two record formats, depending on whether the additional field SLGLTRM2 is present.

The data part, field SLGDATA, is 64 characters long and has a variable sub-structure containing several parameter values. Often these values are separated by '&', matching the message variables &A, &B, etc. of the message definition. If you don't find an '&', the parameter values have fixed lengths, matching the message variables &n (where n is a number giving the count of characters) in the message definition.

 

Relevant DDIC structures:

RSLGENTR: SysLog entry
RSAUENTR2: Security Audit Log Entry Version 2 with Long Terminal Names

Example of an entry in a .aud file:

 

2AU520130409010803000505200009D9a234ba.pDOKUSTAR                        SAPMSSY1                              0201R&0                                                             h020co.pt.com     


This leads to the following file format:

Field | Sub-field | Length | Description
SLGTYPE | | | SysLog: LIKE structure RSLGETYP
 | SLGFTYP | 1 | Entry type
 | AREA | 2 | Message area
 | SUBID | 1 | Message name
SLGDATTIM | | | Time stamp (CHAR 16)
 | DATE | 8 | Date in format YYYYMMDD
 | TIME | 6 | Time in format hhmmss
 | DUMMY | 2 | not used
SLGPROC | | | SysLog: LIKE RSLGPID structure
 | UNIXPID | 5 | Process ID
 | TASKTNO | 5 | Task
SLGTTYP | | 2 | Process type (short form)
SLGLTRM | | 8 | Terminal name (truncated)
SLGUSER | | 12 | User name
SLGTC | | 20 | Transaction
SLGREPNA | | 40 | Program
SLGMAND | | 3 | Client
SLGMODE | | 1 | External mode of an SAP dialog
SLGDATA | | 64 | Variable message data
SLGLTRM2 | | 20 | Terminal name (continued)

 

As you can see, the following are not visible within the file itself, but only in the message definition (the key fields are AREA and SUBID):

  • the format of the variable message data
  • the message class (logon, transaction start, report start, RFC logon, user master record change, RFC start, miscellaneous, and system)
  • the severity (critical, important, non-critical)
  • the monitoring alert settings (with, without)
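The following parser is an added example, not SAP code and not part of this blog: it applies the fixed-width layout from the table above to the page's example entry (rebuilt with exact field widths as a constructed sample) and resolves audit class, severity and message text from a small constructed excerpt of the TSL1D table, since those are not stored in the file.

```python
"""Parse Security Audit Log (.aud) records with the fixed-width layout of
the file-format table above.  Added example, not SAP code.  The sample
record is constructed from the page's example entry, padded to the exact
field widths, so the script runs offline."""

# (field name, width in characters) in record order (RSAUENTR2 layout)
LAYOUT = [
    ("SLGFTYP", 1), ("AREA", 2), ("SUBID", 1),      # SLGTYPE: type, area, name
    ("DATE", 8), ("TIME", 6), ("DUMMY", 2),          # SLGDATTIM: YYYYMMDD hhmmss
    ("UNIXPID", 5), ("TASKTNO", 5),                  # SLGPROC: process ID, task
    ("SLGTTYP", 2), ("SLGLTRM", 8), ("SLGUSER", 12),
    ("SLGTC", 20), ("SLGREPNA", 40), ("SLGMAND", 3), ("SLGMODE", 1),
    ("SLGDATA", 64),                                 # variable message data
]
FIXED_LEN = sum(w for _, w in LAYOUT)   # 180: record format 1 ends here
SLGLTRM2_LEN = 20                        # format 2 appends the long terminal name

# Message definitions are NOT part of the file (only AREA+SUBID is).  This is
# a constructed excerpt of the TSL1D table above: key -> (class, severity, text)
MESSAGE_DEFS = {
    "AU5": ("RFC/CPIC Logon", "Non-Crit.", "RFC/CPIC Logon Successful (Type = &A)"),
    "AU6": ("RFC/CPIC Logon", "Critical", "RFC/CPIC Logon Failed, Reason = &B, Type = &A"),
    "AU1": ("Dialog Logon", "Important", "Logon Successful (Type=&A)"),
    "AU2": ("Dialog Logon", "Critical", "Logon Failed (Reason = &B, Type = &A)"),
    "AUE": ("System", "Critical", "Audit Configuration Changed"),
}

# Constructed sample: the page's example entry rebuilt with exact field widths
SAMPLE_RECORD = (
    "2" + "AU" + "5" + "20130409" + "010803" + "00" + "05052" + "00009"
    + "D9" + "a234ba.p" + "DOKUSTAR".ljust(12) + "".ljust(20)
    + "SAPMSSY1".ljust(40) + "020" + "1" + "R&0".ljust(64)
    + "h020co.pt.com".ljust(20)
)


def parse_record(line):
    """Split one .aud line into its fields; values keep their padding."""
    line = line.rstrip("\r\n")
    if len(line) < FIXED_LEN:
        raise ValueError(f"record too short: {len(line)} < {FIXED_LEN}")
    rec, pos = {}, 0
    for name, width in LAYOUT:
        rec[name] = line[pos:pos + width]
        pos += width
    # format 2 carries SLGLTRM2 after the data part; format 1 stops at SLGDATA
    rec["SLGLTRM2"] = line[pos:pos + SLGLTRM2_LEN] if len(line) > FIXED_LEN else ""
    rec["MSGKEY"] = rec["AREA"] + rec["SUBID"]   # key into the message definition
    return rec


def parameters(slgdata):
    """'&'-separated values of the data part, in the order of &A, &B, &C ..."""
    return [p.strip() for p in slgdata.rstrip().split("&")]


def terminal(rec):
    """Terminal name: truncated SLGLTRM plus its continuation in SLGLTRM2
    (as the table above describes it; the field may hold an IP address)."""
    return (rec["SLGLTRM"] + rec["SLGLTRM2"]).strip()


def render(rec):
    """Resolve audit class, severity and message text via the definition."""
    cls, sev, text = MESSAGE_DEFS.get(
        rec["MSGKEY"], ("unknown", "unknown", rec["SLGDATA"].rstrip()))
    for i, value in enumerate(parameters(rec["SLGDATA"])):
        text = text.replace("&" + chr(ord("A") + i), value)
    return cls, sev, text


if __name__ == "__main__":
    r = parse_record(SAMPLE_RECORD)
    print(r["MSGKEY"], r["DATE"], r["TIME"], r["SLGUSER"].strip(), terminal(r))
    print(render(r))
```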

 

Terminal ID versus IP Address

The Security Audit Log normally logs the terminal id if it's available; otherwise the IP address is logged. You can set the (undocumented) profile parameter rsau/ip_only to the value 1 to log the IP address instead (if available). See note 1497445 for details.

 

Use the following options to get the terminal ID and the IP address of active users:

  • Transaction SM04 also shows the IP address of the GUI client if you change the layout. (Limited to currently active users.)
  • Table USR41, which contains the last logon date, shows both the terminal ID and the IP address in field TERMINAL. It may be possible to activate table logging using SE13 to get the history, too. Then you could merge this data with the log entries.
  • You could try to use user exit SUSR0001 to log the IP address (from function TH_USER_INFO and/or table USR41) in a custom table, or to create additional Security Audit Log entries for message AU1 (successful logon) in which you e.g. set parameter &A or a new parameter &B to the IP address. See function RSAU_WRITE_TRAC_AUDIT_LOG to understand how to create such entries. (Limited to dialog logon only.)

There are strong limitations to logging the terminal ID and IP address in ABAP. A malicious user could spoof the terminal ID easily. The IP address can be problematic, too: if a reverse proxy (e.g. Web Dispatcher) is used for HTTP access, all users will have the same IP address.

 

(German) Data Protection

Would the German Data protection authorities have an issue with activating this level of logging?

 

From a general point of view I would start with the following assumptions:

 

1. Filter: Activate everything which is critical for all users '*' in all clients '*'.
➙ mostly ok, details should be confirmed

2. Filter: Activate everything for users 'SAP*' in all clients '*'.
➙ ok

3. Filter: Activate everything for other support and emergency users, e.g. 'FF*' (FireFighter), in all clients '*'.
➙ ok (assuming that you have already agreed on using GRC Super User Management)

4. Filter: Activate all events for the dialog activities 'logon' and 'transaction' for user 'DDIC' in all clients.
➙ ok

5. Filter: Activate everything for client '066'. This client is not used anymore and can be deleted.
➙ ok

6. Filter: Activate RFC events (AUL, AUK, AU6, AU5) for a short time for selected users to identify RFC connection problems easily.
➙ you have to confirm this

7.-10. Filter: free for other project-specific purposes.
➙ you have to confirm this

Keep in mind that you have to discuss (among others) log creation, consolidation, archiving as well as retention periods and deletion.

 

Example from a German project (2010/2011) that was cleared by German, Austrian, French and Belgian data controllers:

Logging everything was OK as there are legitimate reasons for it. The following additional controls were required:

 

  • Access to logs limited to the Basis and Security team
  • Acceptable use (of logs) policy circulated to everyone with access
  • Data had to be summarized before use (i.e. it could not be easily attributed to an individual; obviously difficult to achieve if someone is in a team of 1...)
  • Distribution of data outside the security team had to be approved by the local data controller (local to the people whose data it was)
  • Detailed records existing outside the system had to be deleted after the summarization work had been completed

 

Exceptions to these included:

  • legitimate use of data in event of security breach (agreed by local counsel and data controllers)
  • use of data with written approval of user (we used this a lot when redesigning access based on patterns of 'model' users).

 

I just found an additional recommendation about the protection of the files in a recent note:

In general, files of the Security Audit Log must not be accessed by ABAP programs other than the Security Audit Log application itself. Protect the files by assigning the appropriate S_DATASET authorizations to your users and by using S_PATH protection as described in note 177702. For this purpose, use a dedicated folder for Security Audit Log files. Enter this directory into the SPTH table and enable the flags FS_NOWRITE and FS_NOREAD, thus disabling any read or write access from ABAP to this directory. Configure the Security Audit Log (parameter DIR_AUDIT) to use this directory.

 

GRC Fire Fighter logging

The application GRC Access Control Super User Management (aka FireFighter) consolidates logs from various sources:

  • Transaction Log: Captures transaction execution from transaction STAD
  • Change Log: Captures change log from change document objects (tables CDPOS and CDHDR)
  • System Log: Captures Debug & Replace information from transaction SM21
  • Security Audit Log: Captures Security Audit Log from transaction SM20
  • OS Command Log: Captures changes to OS commands from transaction SM49

Because of this we recommend defining a filter in the Security Audit Log that records all events for FireFighter users.

 

Performance

Q: Is there a significant performance impact (or any impact at all) if we enable the security audit log with the recommended settings? We've had resistance from some clients as they were worried that it will impact on the end user experience / slow down the system.

 

Unfortunately FAQ note 539404 does not say much about performance.

The general rule is simple: there is no performance impact, neither in time nor in space, if you log only unsuccessful (= critical) events, as these events happen rarely.

As soon as you start logging successful events you need to watch space, i.e. the growing size of the audit files, but still not time, as the Security Audit Log is optimized for speed.

 

How to create customer-specific events

Using notes 1941526 and 1941568 you can use the custom messages DUX, DUY and DUZ as of SAP_BASIS release 7.30. Call function RSAU_WRITE_CUSTOMER_EVTS to create these messages.

You can "reuse" other codes, e.g. CUY, if you ensure that you will still be able to distinguish the messages. Nevertheless, you should regard this as a (logical) modification of the SAP standard.

In addition, there are other options to log customer-specific events:

- Application Log in ABAP
- CCMS Alerts
- Alerts sent to the SAP Solution Manager

 

How to read the long texts of events

You can view the long text of Security Audit Log event messages using transaction SE92 (or transaction SE61 if you choose the document class SL (Syslog)).

 

How to log critical debugger events

Using the debugger in general might already be seen as critical, but using debug-replace is considered very critical by all auditors. The corresponding Security Audit Log messages for changing field content and for jumping within the code

  • Other Events, Critical, CUL Field content changed: &A
  • Other Events, Critical, CU_M Jump to ABAP Debugger: &A

are already covered by the first filter "Activate everything which is critical for all users in all clients" as proposed above.

Both messages are extended by another message that adds more details describing the event:

  • Other Events, Critical, BUZ > in program &A, line &B, event &C

The messages CUK, CUN, CUO, and CUP are related to the debugger as well.

 

How to track changes on the settings

Dynamic settings

The effective (dynamic) settings are logged in the Security Audit Log itself.

If you create, as recommended, a filter for "all clients, all users, all audit classes with severity 'critical'", then you already get the corresponding events of audit class "System":

Audit class | Event class | AREA+SUBID | Message
System | Critical | AUE | Audit Configuration Changed
System | Critical | AUF | Audit: Slot &A: Class &B, Severity &C, User &D, Client &E, &F
System | Critical | AUG | Application Server Started
System | Critical | AUH | Application Server Stopped
System | Critical | AUI | Audit: Slot &A Inactive
System | Critical | AUJ | Audit: Active Status Set to &1

Static settings

The static settings are stored in table RSAUPROF. The system creates table logs for any changes, which you can view e.g. using report RSTBHIST.

The name of the active profile, which is used when starting an application server, is stored in field CURRPROF of the entry with PROFNAME = $CURPROF.

You can transport static profiles using a workbench transport that contains entries for R3TR TABU RSAUPROF with table key PROFNAME=<profile name> SLOTNO=*. (You can transport the entry for $CURPROF as well, but I recommend choosing the active profile in the target system manually.)

The filters are stored in the entries with field SLOTNO > 0.

Field STATUS shows whether a filter is active.

Field CLASSES shows the active audit classes. This is a bit-field summing up the values for the different audit classes (see include RSAUCONSTANTS):

CONSTANTS: RSAU_CLASS_OTHER(4)    TYPE x VALUE 1,
           RSAU_CLASS_LOGIN(4)    TYPE x VALUE 2,
           RSAU_CLASS_TASTART(4)  TYPE x VALUE 4,
           RSAU_CLASS_REPORT(4)   TYPE x VALUE 8,
           RSAU_CLASS_RFCLOGIN(4) TYPE x VALUE 16,
           RSAU_CLASS_USER(4)     TYPE x VALUE 32,
           RSAU_CLASS_SYSTEM(4)   TYPE x VALUE 64,
           RSAU_CLASS_RFCCALL(4)  TYPE x VALUE 128.

 

The audit class "System" is implicitly active and is not added; therefore you get the value CLASSES = 191 = 128 + 32 + 16 + 8 + 4 + 2 + 1 if you activate all audit classes.

 

Field SEVERITY shows the severity (see include RSAUCONSTANTS):

CONSTANTS: RSAU_SEVE_LOW      TYPE I VALUE 2,
           RSAU_SEVE_MED      TYPE I VALUE 5,
           RSAU_SEVE_HIGH     TYPE I VALUE 9.

 

If you have selected the detail settings, then field SELVAR contains the constant 01 (and field CLASSES = 0 and SEVERITY = 0). Field MSGVECT defines the active events. (In this case you can deactivate "System" events.)

Active events are identified by individual bits at specific positions within field MSGVECT. The position is calculated from the alphanumerical order 0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ of the events according to their SUBID. The event area (AU, BU, CU) defines the bit which is added to the value at that position: AU = 80 (hex), BU = 40 (hex), CU = 20 (hex).

(Only the first 36 positions of field MSGVECT are used.)

Every position holds one byte, so you see two hexadecimal characters per position.

 

Example showing active system events only (AUEAUFAUGAUHAUIAUJ):

MSGVECT  000000000000000000000000000080808080808000000000000000000000000000000000...

Position  0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Position -1-2-3-4-5-6-7-8-9--11--13--15--17--19--21--23--25--27--29--31--33--35--...
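As an added example (not SAP's code and not from this blog), the following Python decodes and encodes the RSAUPROF fields described above, using the RSAUCONSTANTS values quoted on this page and the page's MSGVECT sample; DU events are left out because the page gives no bit value for that area.

```python
"""Decode and encode the RSAUPROF fields CLASSES, SEVERITY and MSGVECT as
described above.  Added example, not SAP code; the constants mirror the
RSAUCONSTANTS values quoted on this page and the MSGVECT sample is the page's
own "system events only" value written out to its full 72 hex characters."""

# include RSAUCONSTANTS (as quoted above): audit class -> bit value
CLASS_BITS = {
    "Other": 1, "Login": 2, "TaStart": 4, "Report": 8,
    "RfcLogin": 16, "User": 32, "System": 64, "RfcCall": 128,
}
# RSAU_SEVE_LOW / MED / HIGH
SEVERITY_NAMES = {2: "Non-Crit.", 5: "Important", 9: "Critical"}

# MSGVECT: one byte per position; the position is the index of the SUBID
SUBID_ORDER = "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZ"
MSGVECT_POSITIONS = 36                 # only the first 36 positions are used
AREA_BITS = {"AU": 0x80, "BU": 0x40, "CU": 0x20}   # page gives no value for DU

# Constructed from the page's example: positions E..J carry 80 (AU), rest 00
SAMPLE_MSGVECT = "00" * 14 + "80" * 6 + "00" * 16


def decode_classes(value):
    """Names of the audit classes in a CLASSES bit-field.  'System' is
    implicitly active in this (non-detail) mode and not added to the sum."""
    active = [name for name, bit in CLASS_BITS.items() if value & bit]
    if "System" not in active:
        active.append("System")
    return active


def encode_classes(names):
    """Inverse of decode_classes: sum the bits, leaving 'System' out."""
    return sum(CLASS_BITS[n] for n in names if n != "System")


def decode_msgvect(hexstr):
    """Active events (AREA+SUBID) encoded in a MSGVECT hex string."""
    events = []
    for i in range(MSGVECT_POSITIONS):
        chunk = hexstr[2 * i:2 * i + 2]
        byte = int(chunk, 16) if len(chunk) == 2 else 0   # short string = rest 00
        for area, bit in AREA_BITS.items():
            if byte & bit:
                events.append(area + SUBID_ORDER[i])
    return events


def encode_msgvect(events):
    """Build the MSGVECT hex string for events such as ['AUE', 'BU1']."""
    positions = [0] * MSGVECT_POSITIONS
    for ev in events:
        area, subid = ev[:2], ev[2:]
        if area not in AREA_BITS or subid not in SUBID_ORDER:
            raise ValueError(f"cannot encode event {ev!r}")
        positions[SUBID_ORDER.index(subid)] |= AREA_BITS[area]
    return "".join(f"{b:02X}" for b in positions)


def summarize_filter(selvar, classes, severity, msgvect):
    """What a slot logs: detail mode (SELVAR = '01') lists the events from
    MSGVECT, otherwise the audit classes in CLASSES at the SEVERITY level."""
    if selvar == "01":
        return {"mode": "detail", "events": decode_msgvect(msgvect)}
    return {"mode": "classes", "classes": decode_classes(classes),
            "severity": SEVERITY_NAMES.get(severity, f"unknown ({severity})")}


if __name__ == "__main__":
    print(decode_classes(191))
    print(decode_msgvect(SAMPLE_MSGVECT))
    print(summarize_filter("", 191, 9, ""))
```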

 

Change Reporting in the SAP Solution Manager

In addition to the local table logs of table RSAUPROF you can use the applications Change Reporting and Configuration Validation in the SAP Solution Manager to analyse changed settings. Use the configuration store AUDIT_CONFIGURATION. Be aware that the extractor gets a snapshot of the dynamic settings daily. Changes between two executions of the extractor are not cached. The configuration store does not show the user account who triggered the change. Therefore I recommend to use Change Reporting or Configuration Validation as a trigger for deeper analysis of the local table logs.

 

see: Configuration Validation Home

http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Home

Content of CCDB for a Technical System of type ABAP

http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_ABAP_Content#ConfVal_ABAP_Content-AUDIT_CONFIGURATION

 

What is the meaning of message BU4?

Question: In our productive environment I am getting the message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" many times, but according to your post (and my old screen capture) the BU4 message should be for "Transport Request &A Contains Security-Critical Source Objects".

I searched but could not find anything about this issue...what do you recommend beside good luck :-)?

 

Answer: The definition of the message BU4 in transaction SE92 might still be wrong depending on the release of the system. According to note 539404, recording the events for transporting security-relevant objects (BU3, BU4) is not yet implemented.

The Kernel creates message BU4 "Dynamic ABAP Coding: Event &A Event Type: &B Checksum: &C" to flag usage of

  • 'I' for INSERT REPORT
  • 'G' for GENERATE SUBROUTINE POOL
  • 'D' for DELETE REPORT

if the setting 'Audit of generated dynamic ABAP' under 'Other entries' in SM19 is active.

(In addition, entries in the DB tables DYNABAPHDR and DYNABAPSRC are written if the profile parameter abap/dyn_abap_log is set to the value "on".)

 

How can I read events using BAPIs?

The security alerts are also available to external programs using BAPIs (Business Application Programming Interfaces). The report RSAU_READ_AUDITLOG_EXTERNAL is a sample SAP program that you can use as a template for accessing the security alerts using BAPIs.

Configure SAML for SAP AS Abap with multiple end points


If you have multiple end points, i.e. more than one ABAP application server in your environment, you will come across the error below when you configure ICF services for SAML authentication.

 

Error:

No RelayState mapping found for RelayState value

We resolved this issue by using an F5 load balancer.

 

 

High level steps:

1. Create an SSL server standard PSE in STRUSTSSO2.

2. Use a system-wide DN instead of an instance-specific DN, because we don't want to hit these application servers directly but want to reach them via the load balancer.

3. Create a certificate request in AS ABAP and get it signed by any trusted CA.

4. Import the certificate response in AS ABAP.

5. Import the key file (private key) and the certificate in the load balancer.

6. Test the SSL connection with the load balancer.

7. Set up SAML in AS ABAP.

8. Make sure the Metadata.xml to be imported in ADFS is generated using the load balancer URL. This provides a single end point for all requests.
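As an added example (not from the original post), the following Python checks the generated SP metadata from the last step the way a practitioner would before importing it into ADFS: every endpoint Location must point at the load balancer host, otherwise the IdP may post the response back to an instance-specific URL and the RelayState mapping fails. The metadata, host names and the client-100 paths are constructed for this example.

```python
# Added example (not part of the original SCN post): verify that SAML SP
# metadata exposes a single public end point (the load balancer).
import xml.etree.ElementTree as ET
from urllib.parse import urlparse

MD_NS = {"md": "urn:oasis:names:tc:SAML:2.0:metadata"}

# Constructed SP metadata: one ACS correctly on the load balancer, one still
# on an instance-specific host name (the situation behind the error above).
SAMPLE_METADATA = """<md:EntityDescriptor xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
    entityID="https://sap-lb.example.com/sap/saml2/sp/100">
  <md:SPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol">
    <md:SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sap-lb.example.com/sap/saml2/sp/slo/100"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://sap-lb.example.com/sap/saml2/sp/acs/100" index="0" isDefault="true"/>
    <md:AssertionConsumerService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
        Location="https://appserver01.internal.example.com:44300/sap/saml2/sp/acs/100" index="1"/>
  </md:SPSSODescriptor>
</md:EntityDescriptor>
"""


def endpoint_locations(metadata_xml):
    """Return (element name, Location URL) for every SP endpoint in the metadata."""
    root = ET.fromstring(metadata_xml)
    found = []
    for sp in root.findall("md:SPSSODescriptor", MD_NS):
        for elem in sp:
            location = elem.get("Location")
            if location:
                # strip the "{namespace}" prefix from the tag
                found.append((elem.tag.split("}")[-1], location))
    return found


def check_single_endpoint(metadata_xml, lb_host, require_https=True):
    """List endpoints that are not on lb_host (or not HTTPS); empty list = OK."""
    problems = []
    for name, location in endpoint_locations(metadata_xml):
        url = urlparse(location)
        if url.hostname is None or url.hostname.lower() != lb_host.lower():
            problems.append(f"{name}: host {url.hostname!r} is not the load balancer")
        elif require_https and url.scheme != "https":
            problems.append(f"{name}: {location} is not HTTPS")
    return problems


if __name__ == "__main__":
    for problem in check_single_endpoint(SAMPLE_METADATA, "sap-lb.example.com"):
        print("FIX BEFORE IMPORT:", problem)
```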

SLG1 System logs


Hi All,

 

Need help: there are multiple logs recorded in the SLG1 tcode under my name. Kindly help me find out why these logs have occurred.

 

Through technical help I could not get any valid information.

 

kindly help me

 

Thanks

This is related to HR security - PD profiles


Hi

 

If a user is assigned 3-4 PD profiles, is it possible to identify from which PD profile the user is able to view certain data?

Please let me know if there is a way to identify this with a t-code ...

 

Thanks

 

Diff. b/n standard, maintained, manually, changed


Hi all,

 

In the Authorizations tab, what is the difference between Standard, Maintained, Manually and Changed?

 

Thanks in advance.

Regards,

Raja

SAML Web SSO not setting the MYSAPSSO2 cookie. Causing OData issues.


We have implemented SAML 2.0 Web SSO between a NetWeaver system and Microsoft ADFS.  ADFS acts as the identity provider.  Web SSO is based on a redirect with a POST binding. 

 

We thought everything was working great.  All of our SAP-hosted web pages come up without requiring anyone to enter a user name and password.  However, now that we are trying to work with SAPUI5, JavaScript, and OData-based web services, we are encountering a problem.  Our calls to the OData-based web services do not appear to be authenticated - Basic Authentication prompts are appearing. 

 

If we run the same function without Web SSO, everything works as expected.  The initial web server 'hit' generates Basic Authentication prompts.  And, once authenticated, the downstream web service call does not generate any authentication prompts.

 

Comparing the two scenarios using Fiddler, the difference appears to be the MYSAPSSO2 cookie.  Basic Authentication to the web page creates the MYSAPSSO2 cookie which satisfies the authentication needs of the web service call.  SAML 2.0 Web SSO to the web page does not create the MYSAPSSO2 cookie so the web service requests additional authentication.

 

Am I misunderstanding something about Web SSO?  Is there something I can do to get the Web SSO to generate the MYSAPSSO2 cookie?  Is this an authentication handler issue?


CUA - IDOCS - DISTRIBUTION UNCONFIRMED STATUS


Hi,

 

I have seen a strange issue in CUA IDOCs with respect to a child system...

 

That is, if I do the user maintenance with respect to the child system in the central system and save it:

1) then the system is generating the IDOCs for central and the respective child systems.

2) The changes are getting reflected to the respective child system.

 

But when I check SCUL in CUA, it is still showing DISTRIBUTION UNCONFIRMED STATUS.

 

I have verified the below things

 

A) OUTBOUND and INBOUND jobs in central and Child are working fine.

B) IDOCS are getting posted in child system with status 53

C) RFC connection is fine

D) Partner profiles are fine

E) SCUA - showing green

 

 

NOTE:

 

The issue is happening only for one system/client; all other systems and clients are working fine without any issue.

 

Kindly let me know your opinion

 

Sv

SNC for SAP GUI SSO (Kerberos)


Hi,

 

We are setting up SSO for an ABAP system using Kerberos. SAP is running on Linux and AD is on 2008 R2.

 

Created user principal in AD

Created service principal and assigned it to the user

Exported keytab from AD

Imported it on the Linux server

Created krb.conf

BUT when we execute the command /usr/bin/kinit -k -t /usr/sap/DEV/DVEBMGS10/sec/DEV.keytab SNCDEV/matsea.kdp.com@XXXXXXXXX

it gives the error message "Client not found in Kerberos database while initializing kadmin interface"

 

trace:

N *** ERROR => SncPEstablishContext()==SNCERR_GSSAPI  [/bas/742_REL/sr 3364]

N GSS-API(maj): Unspecified GSS failure.  Minor code may provide more information

N GSS-API(min): Message size is incompatible with encryption type

N Unable to establish the security context

N <<- SncProcessInput()==SNCERR_GSSAPI

M *** ERROR => ThSncIn: SncProcessInput (SNCERR_GSSAPI) for T1_U1018_M0 failed [thxxsnc.c    1141]

M {root-id=0050563300451ED5A1DAB5B8E19D6D2D}_{conn-id=00000000000000000000000000000000}_0

M *** ERROR => ThSncIn: SncProcessInput for T1_U1018_M0 [thxxsnc.c    1146]

M in_ThErrHandle: 1

M *** ERROR => ThSncIn: SncProcessInput (step TH_WORK_SYNC, thRc ERROR-SNC-OTHER ERROR IN SNC LAYER, action RELEASE_WP, level 1) [thxxhead.c 2407]

M ThIErrHandle: set thRc ERROR-SNC-OTHER ERROR IN SNC LAYER for T1_U1018_M0

M


Could someone help with this, please?

 

Thanks

Nani

Lessons Learned from November 2015 HANA Security Disclosures


In the October patch release cycle, SAP released a set of security notes – two that apply to HANA, and one for TREX – to address twenty-one disclosed vulnerabilities originally found by Onapsis Research. Onapsis announced these advisories today (November 9th); PC World followed this up with a write-up this morning (“Dangerous bugs leave open doors to SAP HANA systems”).

 

Here are the notes in question:

Note      App. Area   Description                                                    CVSS
2203591   BC-TRX      TREX/BWA installation can be attacked via RFC-Gateway          7.6
2197459   HAN-DB      Potential log injection vulnerability in SAP HANA audit log    5
2197428   HAN-DB      Potential remote code execution in HANA                        9.3

 

The highest-rated issue is a remotely exploitable buffer overflow that can be triggered without authentication – addressed specifically in note 2197428 (which has a CVSS of 9.3 – about as high risk as it gets). This is a dangerous vulnerability that should be patched in all systems as soon as feasible. The TREX note (2203591) is also remotely exploitable by an attacker without authentication and is also considered high risk.

 

In looking through these notes, and thinking to the SAP customers I work with, the following questions often come up with respect to these types of vulnerabilities:

  • Is our patch management strategy effective in staying current with new vulnerabilities?
  • How can we proactively defend against these types of threats?

 

Answering each in turn:

Is our Patch Management Strategy Effective?

Currently, PCI DSS is one of the more stringent security standards; it is constantly re-evaluated in the light of current attack trends and the current threat environment, and can be considered a best or leading practice security standard. In version 3.1 of the DSS, section 6.2 states: “Ensure that all system components and software are protected from known vulnerabilities by installing applicable vendor supplied security patches. Install critical security patches within one month of release.” Organizations can use this as a benchmark to evaluate whether their vulnerability management process is in line with leading practice.

 

Given that these were released on October 13th, if your organization doesn’t have these high risk notes deployed by November 13th, 2015 (a Friday! I know!) - then your organization is not following leading or best practice patch management.

How Can We Proactively Defend Against These Types of Threats?

That said, for organizations that have their TREX RFC gateway(s) or HANA sqlserver ports exposed to untrusted networks, 30 days is far too long to live with this vulnerability. Consider that the worst vulnerability, the buffer overflow in HANA, was disclosed to SAP on July 8th. This vulnerability has been known for a little over four months. That’s roughly 120 days during which an attacker might have been actively exploiting this particular vulnerability - for some organizations, this might be an unacceptable level of risk.

 

Some options SAP customers have to address these vulnerabilities before they are disclosed or patched include:

 

  • Implement Onapsis’ Advanced Threat Protection module in their OSP platform. The ATP engine is designed to prevent SAP-specific zero-day exploits, for those vulnerabilities identified by or known in advance by Onapsis.  Note that Onapsis ATP may not be able to defend systems against zero-day exploits disclosed to SAP via other means.
  • Implement a DAF (Database Application Firewall) for HANA. This is also narrowly focused on the HANA sql port, and wouldn’t help address the TREX vulnerabilities disclosed.
  • Best yet – when implementing HANA, architect for security! SAP customers should only allow connections to sensitive ports from trusted networks with a demonstrated need to have them. The TREX note recommends restricting RFC access to only the NetWeaver application servers and the TREX/BWA hosts via reginfo. Complementing this recommendation by implementing the same policy in your firewall rules is an additional layer of security – customers who only permitted access to the HANA sqlserver port and RFC connections from trusted networks in, say, September of 2015, would have had technical controls in place that put the risk of exploitation of these vulnerabilities at “Medium” or “Low” now - without applying notes.
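As an added example (not from the original post and not SAP's own tooling), the following Python lints an RFC gateway reginfo file for the kind of restriction the TREX note recommends: it parses VERSION=2 entries of the form "P|D TP=.. HOST=.. ACCESS=.. CANCEL=.." and flags permit lines that leave registration (HOST) or calling (ACCESS) open to any host. The sample file, the host names and the reading of a missing HOST or ACCESS list as unrestricted are this example's own assumptions.

```python
# Added example (not part of the original post): reginfo linter.
SAMPLE_REGINFO = """#VERSION=2
# constructed sample: TREX registers only from its own host and may be called
# only by the two NetWeaver application servers
P TP=TREX_* HOST=trexhost01.example.com ACCESS=appserver01.example.com,appserver02.example.com CANCEL=internal
# overly broad entry: anything may register anything and anyone may call it
P TP=* HOST=* ACCESS=*
D TP=*
"""


def parse_reginfo(text):
    """Parse VERSION=2 reginfo lines into dicts: line, action, TP, HOST, ACCESS, CANCEL."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # comments and the #VERSION header
        action, *fields = line.split()
        if action not in ("P", "D"):
            raise ValueError(f"line {lineno}: unknown action {action!r}")
        entry = {"line": lineno, "action": action}
        for field in fields:
            key, sep, value = field.partition("=")
            if not sep:
                raise ValueError(f"line {lineno}: malformed field {field!r}")
            entry[key.upper()] = value.split(",")   # comma-separated host lists
        entries.append(entry)
    return entries


def is_wildcard(hosts):
    """True if a host list contains the unrestricted '*' entry."""
    return any(host.strip() == "*" for host in hosts)


def permissive_entries(entries):
    """Return (line number, reason) for every P entry that is not host-restricted.

    Assumption of this example: a P entry without HOST or without ACCESS is
    treated as unrestricted, which is the conservative reading for a review.
    """
    findings = []
    for entry in entries:
        if entry["action"] != "P":
            continue
        tp = ",".join(entry.get("TP", ["*"]))
        if "HOST" not in entry or is_wildcard(entry["HOST"]):
            findings.append((entry["line"], f"TP={tp}: any host may register this program (HOST unrestricted)"))
        if "ACCESS" not in entry or is_wildcard(entry["ACCESS"]):
            findings.append((entry["line"], f"TP={tp}: any host may call this program (ACCESS unrestricted)"))
    return findings


if __name__ == "__main__":
    for line, reason in permissive_entries(parse_reginfo(SAMPLE_REGINFO)):
        print(f"reginfo line {line}: {reason}")
```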

 

But what about HANA XS? Can I allow public access to HANA XS securely?

HANA XS (Extended Application Services) delivers a platform for natively executing (in memory, no less) applications – in HTML 5, if you so choose. Yet with great power comes great responsibility. Customers considering taking advantage of HANA XS should keep the following in mind: If you are allowing untrusted access to HANA XS applications, you are allowing these untrusted, unauthenticated connections to what, in theory, is a database platform containing the most important data in your organization.  Plan your technical controls and security management program appropriately!

 

References:

http://www.pcworld.com/article/3003057/dangerous-bugs-leave-open-doors-to-sap-hana-systems.html#tk.rss_all

https://www.onapsis.com/research/security-advisories?title=&page=1

http://seclists.org/fulldisclosure/2015/Nov/40

Redirect to a url in case of logon failure


Dear security experts,

 

In my current project we have a challenge to set up a redirect URL for failed logon attempts. The scenario is as below:

 

  • there are 2 applications in the landscape: a Hybris application and a SAP IDP hosted on AS JAVA
  • Hybris is exposed to end user directly and SAP IDP is hidden in background
  • The user logon form is hosted on Hybris. But when the user clicks on the logon button, Hybris actually sends an HTTP GET request to the IDP with the username and password for authentication.
  • After successful logon to the IDP, the IDP triggers IDP-initiated SSO and redirects the user back to Hybris with a SAML token. After Hybris validates the SAML token, it authenticates the end user.
  • Again, the requirement is that the IDP should be hidden in background and end user should not see any IDP page.

 

The scenario works fine so far for successful logon attempts. Our challenge is the failed logon attempt. In this case, the end user gets a logon page from NW JAVA directly, asking him to authenticate again. Is there any way we could set up a redirect on the IDP (NW AS JAVA) so that after a failed logon attempt the IDP redirects the user back to Hybris for re-logon instead of showing the default IDP logon page?

 

I think it should be more related to the NW JAVA authentication module than to an IDP-specific configuration, because upon failed login the end user does not have access to the IDP yet. Thus none of the IDP settings will take effect at this point.

 

Any help is much appreciated.

 

Thanks a million in advance and best regards

 

Xuan

Acknowledgments to Security Researchers


The SAP Product Security Response Team thanks all researchers and security IT professionals that help with discovering and solving security vulnerabilities. Their findings continuously help SAP maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the beneficial relationship between security professionals and SAP.

Security researchers who have helped SAP to improve the security and integrity of our customers' IT systems by respecting our disclosure guidelines this month are:

 

November 2015


Blackroot Technologies, Pflash Punk, Virender C Nishad

ERPScan, Alexander Polyakov, Mathieu Geli

Martin Maruskin

Muhammad Zeeshan

Onapsis, Fernando Russ, Pablo Artuso, Sergio Abraham

Pradeep Kumar

Shawar Khan

Virtual Forge, Agnes Six, Andreas Wiegenstein, Horst Bartmann, Thomas Kastner

FH Muenster, Damian Poddebniak, Prof. Dr. Sebastian Schinzel



Each Patch Day (second Tuesday of a month) the involved external researchers are listed with company name, link to their home page, and name of the person. Details about the findings are not included. The list is in alphabetical order by company name.

For previous months' acknowledgments, visit the acknowledgments archive page.

To view the security notes released this Patch Day, visit the Support Portal.


SAP encourages the responsible disclosure of security vulnerabilities and therefore requests the researchers to follow the following general guidelines:

  1. If you have detected a vulnerability in one of our software products – either in the latest or in a former product version – you shall inform us about the issue and follow the guidelines and processes in accordance with our Portal page “Report a Security Vulnerability to SAP”.
  2. Give SAP sufficient time to develop suitable fixes.
  3. Do not publicize vulnerabilities until SAP customers have had enough time to deploy fixes.
  4. As a rule of thumb, we suggest respecting an implementation time of three months. We ask all security researchers to not disseminate any kind of information or tools that would help to exploit the vulnerability during that time.
  5. Provide us with all of your external disclosures beforehand, such as advisories or presentations with SAP product security content, for review.


We honestly appreciate your work and certainly want to show this appreciation through credits on a public Web site. Nevertheless, SAP reserves the right to change or delete credits at any time.

For further information, read the Disclosure Guidelines for SAP Security Advisories.

Acknowledgments to Security Researchers - Previous Months (2014 on wards)


The SAP Product Security Response Team thanks all researchers and security IT professionals that helped with discovering and solving security vulnerabilities. Their findings have helped SAP to maintain the security and safety of its customers' and partners' SAP systems.

Our acknowledgements page lists those professionals we have worked with successfully in the past. We thank all security researchers for their excellent work and hope to continue the fruitful relationship between security professionals and SAP.


For the current month's acknowledgments, visit the acknowledgments home page.

For acknowledgements previous to 2014, visit the acknowledgments archive (2011 to 2013) page.

 

October 2015

ERPScan, Mathieu GELI

Center for Computing Technologies at the Universität Bremen (TZI), Karsten Sohr

Mehmet Nurcan

NCC Group, Soroush Dalili

netizen 01k

Onapsis, Alejandro Gabriel Burzyn, Fernando Russ, Jordan Santarsieri, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso, Pablo Muller, Sergio Abraham

Pavan Paidy

Tayyab Qadir

ZDI Disclosures, Steven Seeley


September 2015

54H00, Sumit Sahoo

ERPScan, Roman Bezhan, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

Integrity, Tiago Sintra

Novabase, Daniel Garrido

Onapsis, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Sergio Abraham

Syed Daniyal Bin Rashid


August 2015

2NS - Second Nature Security, Juho Nurminen

Bluebanyan Softech Pvt. Ltd, Mohit Sahu

ERPScan, Dmitry Chastuhin, Roman Bezhan, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

Hyundai AutoEver Europe GmbH, Ashar Javed

Onapsis, Fernando Russ, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso, Sergio Abraham

Weaveability Ltd, Rob Moss

 

July 2015

Amrita School of Arts and Sciences, Indrajith AN

ERPScan, Alexander Polyakov

ESNC, Ertunga Arsal

Hyundai AutoEver Europe GmbH, Ashar Javed

Onapsis, Juan Perez-Etchegoyen, Sergio Abraham

Subgraph, David Mckinney

Trustwave, Martin Rakhmanov

Werth IT, Thomas Werth


June 2015

Daimler TSS GmbH, Jürgen Bilberger

ERPScan, Diana Grigoreva, Rustem Gazizov, Vahagn Vardanyan

Kamran Saifullah

Onapsis, Pablo Muller, Juan Perez-Etchegoyen, Sergio Abraham

Sogeti, Mark Deiss

 

May 2015

Alexander Klink

Abdul Wasay

Core Security, Martin Gallo

ERPScan, Dmitry Chastuhin, Vahagn Vardanyan

Pegasus

Onapsis, Juan Perez-Etchegoyen, Nahuel D. Sánchez, Pablo Artuso, Will Vandevanter

Trustwave, Martin Rakhmanov

Virtual Forge, Andreas Wiegenstein

Xiting, Julius Bussche

 

April 2015

Onapsis, Nahuel D. Sánchez

Onapsis, Fernando Russ

Martijn Sprengers

 

March 2015

ERPScan, Dmitry Chastuhin, Vahagn Vardanyan

ESNC, Ertunga Arsal

Onapsis, Sergio Abraham

 

February 2015

ERPScan, Dmitry Chastuhin, Dmitry Evdokimov, George Nosenko, Vahagn Vardanyan

ING Services Polska, Lukasz Miedzinski

Onapsis, Nahuel D. Sánchez, Fernando Russ

Roberto Garcia Amoriz

Virtual Forge, Andreas Wiegenstein

 

January 2015

ERPScan, Nikolay Mescherin

ESNC, Ertunga Arsal

Gopal Bisht

Gerasimos Panou

Onapsis, Sergio Abraham, Nahuel D. Sánchez, Fernando Russ

Rabiya Batool

Sense of Security, Fatih Ozavci

Trustwave SpiderLabs, Martin Rakhmanov

Virtual Forge, Andreas Wiegenstein

 

December 2014

Diego Bardalez Plaza

ERPScan, George Nosenko, Vahagn Vardanyan

ESNC, Ertunga Arsal

General Motors, Markus Seibel

Mohamed Abdelbaset Elnoby

Sense of Security, Fatih Ozavci

Virtual Forge, Andreas Wiegenstein, Xu Jia

ZDI, John Leitch


November 2014

Emaze Networks S.p.A., Enrico Milanese

ERPScan, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

ESNC, Ertunga Arsal, Mert Suoglu

Kamil Sevi, Kamil Sevi

Portcullis Advisories, Tim Brown

Siemens AG

Subgraph, David Mckinney

Virtual Forge, Andreas Wiegenstein, Xu Jia

 

October 2014

AKS IT Services, V. Lakshmi Kiran

Core Security, Martin Gallo

ERPScan, Alexey Tyurin, Dmitry Chastuhin, Igor Ilyin, Roman Bazhin, Vahagn Vardanyan

ERPSecurity, Joris van de Vis

Onapsis, Will Vandevanter

Subgraph, David Mckinney

Virtual Forge, Andreas Wiegenstein, Frederik Weidemann, Peter Werner, Xu Jia


September 2014

ERPSecurity, Joris van de Vis, SAP Security Note 2030775

ERPSecurity, Joris van de Vis, SAP Security Note 2043506

ERPSecurity, Joris van de Vis, SAP Security Note 1908631

ESNC, Ertunga Arsal, SAP Security Note 2015232

ESNC, Ertunga Arsal, SAP Security Note 1971397

Onapsis, Juan Pablo Perez Etchegoyen, Will Vandevanter, SAP Security Note 2039905

Onapsis, Pablo Muller, SAP Security Note 1979454

Sense of Security, Fatih Ozavci, SAP Security Note 2042074

Sense of Security, Fatih Ozavci, SAP Security Note 2039924

Sense of Security, Fatih Ozavci, SAP Security Note 2036547


August 2014

BDO, Buslov Dmitry, SAP Security Note 2028484

ERPSecurity, Joris van de Vis, SAP Security Note 1739143

ERPSecurity, Joris van de Vis, SAP Security Note 2017651

ERPScan, George Nosenko, SAP Security Note 2018221

ERPScan, George Nosenko, SAP Security Note 2025931

ESNC, Ertunga Arsal, SAP Security Note 1870485

NTT Com Security, Stephen Breen, SAP Security Note 2044175

NTT Com Security, Justin Kennedy, SAP Security Note 2053074

Trustwave, Martin Rakhmanov, SAP Security Note 2044220

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1987773

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1769064

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1992114

ZDI, Aniway Anyway, SAP Security Note 1999142


July 2014

ERNW, Florian Grunow, SAP Security Note 1988956

ERPScan, Dmitry Chastuhin, SAP Security Note 2011169

Red-Team, Dave Hewson, SAP Security Note 1962104

ZDI Disclosures, Shanoon, SAP Security Note 2028891

NTT Com Security, Stephen Breen, SAP Security Note 2036562

 

June 2014

Compass Security, Stefan Horlacher, SAP Security Note 1908531

ERPScan, Dmitry Chastuhin, Vahagn Vardanyan, SAP Security Note 2014881

Onapsis, Will Vandevanter, SAP Security Note 2015446

Onapsis, Will Vandevanter, SAP Security Note 2001109

Onapsis, Will Vandevanter, SAP Security Note 2001106

Onapsis, Will Vandevanter, SAP Security Note 1998990

Onapsis, Will Vandevanter, SAP Security Note 1941562

Onapsis, Nahuel D. Sánchez, SAP Security Note 1967780

Subgraph, David Mckinney, SAP Security Note 1981048

Subgraph, David Mckinney, SAP Security Note 1971270


May 2014

Atos IT GmbH, José Manuel Lorenzo Lopez, SAP Security Note 1979438

ESNC, Ertunga Arsal, SAP Security Note 1889999

Onapsis, Will Vandevanter, SAP Security Note 2009696

Positive Technologies, Dmitry Gutsko, SAP Security Note 1997455


April 2014

Core Security, Martin Gallo, SAP Security Note 1986895

ERPSecurity, Joris van de Vis, SAP Security Note 1940405

ERPSecurity, Joris van de Vis, SAP Security Note 1971516

ESNC, Ertunga Arsal, SAP Security Note 1940405

Onapsis, Nahuel D. Sánchez, SAP Security Note 1974016

Onapsis, Will Vandevanter, SAP Security Note 1993349

Onapsis, Sergio Abraham, SAP Security Note 1929473

Onapsis, Nahuel D. Sánchez, SAP Security Note 1778940

Subgraph, David McKinney, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 1975842

University Bremen, Christian Liebig, SAP Security Note 2001778

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1987413

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1985100

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1983739

Virtual Forge, Frederik Weidemann, SAP Security Note 1878371


March 2014

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1946420

ERPSecurity, Joris van de Vis, SAP Security Note 1965610

ERPSecurity, Joris van de Vis, SAP Security Note 1884678

ESNC, Ertunga Arsal, SAP Security Note 1971238

Onapsis, Sergio Abraham, SAP Security Note 1964428

Onapsis, Sergio Abraham, Manuel Muradas, SAP Security Note 1963932


February 2014

ERPScan, Alexander Polyakov, SAP Security Note 1860923

ESNC, Ertunga Arsal, SAP Security Note 1945300

Onapsis, Sergio Abraham, SAP Security Note 1791081

Onapsis, Sergio Abraham, SAP Security Note 1768049

Onapsis, Sergio Abraham, SAP Security Note 1920323

Onapsis, Sergio Abraham, SAP Security Note 1915873

Onapsis, Sergio Abraham, SAP Security Note 1914777

Onapsis, Sergio Abraham, SAP Security Note 1911174

Onapsis, Sergio Abraham, SAP Security Note 1795463

Onapsis, Sergio Abraham, SAP Security Note 1789569

Onapsis, Sergio Abraham, SAP Security Note 1738965

Onapsis, Juan Pablo Perez Etchegoyen, Jordan Santarsieri, Pablo Muller, SAP Security Note 1939334

CyberSecurity Maldives, Shabnoon Khalid, SAP Security Note 1905408

 

January 2014

ERPScan, Neyolov Evgeny, SAP Security Note 1828885

ERPScan, Dmitry Chastuhin, SAP Security Note 1788080

Emaze Networks S.p.A., Enrico Milanese, SAP Security Note 1932505

ERNW, Florian Grunow, SAP Security Note 1924853

ESNC, Ertunga Arsal, SAP Security Note 1886051

ESNC, Ertunga Arsal, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1894049

Onapsis, Juan Pablo Perez Etchegoyen, SAP Security Note 1865109

Onapsis, Nahuel D. Sánchez, SAP Security Note 1918333

Onapsis, Nahuel D. Sánchez, SAP Security Note 1917381

Onapsis, Jordan Santarsieri, SAP Security Note 1922547

Onapsis, Jordan Santarsieri, SAP Security Note 1910914

Onapsis, Will Vandevanter, SAP Security Note 1931399

SecuRing, Krzysztof Kotowicz, SAP Security Note 1916560

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1949046

Virtual Forge, Andreas Wiegenstein & Xu Jia, SAP Security Note 1898046

Virtual Forge, Xu Jia, SAP Security Note 1884596

Virtual Forge, Andreas Wiegenstein, SAP Security Note 1956096

SAP Security Patch Day - November 2015


This post by the SAP Product Security Response Team shares information on Patch Day Security Notes* that are released on the second Tuesday of every month and fix vulnerabilities discovered in SAP products. SAP strongly recommends that customers visit the Support Portal and apply patches with priority to protect their SAP landscape.

 

On 10th of November 2015, SAP Security Patch Day saw the release of 9 security notes. Additionally, there are 4 updates to previously released Patch Day Security Notes and 2 out of band releases followed by Spotlight News.

____________________________________________________________________________________

 

Security Notes vs Vulnerability Type - November 2015 (chart image not included)

Security Notes vs Priority Distribution (June - November 2015)** (chart image not included)

 

* Patch Day Security Notes are all notes that appear under the category of "Patch Day Notes" in SAP Support Portal.

** Any Patch Day Security Note released after the second Tuesday, will be accounted  for in the following SAP Security Patch Day.


To know more about the security researchers and research companies who have contributed to this month's security patches, visit the SAP Product Security Response Acknowledgement Page.


Do write to us at secure@sap.com with all your comments and feedback on this blog post.

 

Yours,

SAP Product Security Response Team


The Official SAP Product Security Response Space


As a global leader in business software, SAP takes customer security seriously and collaborates with external security researchers, including research companies, to ensure that vulnerabilities discovered in our software are patched at the earliest. Therefore, SAP hosts a well-defined Security Response Process to enable responsible disclosure of vulnerabilities in our software and to ensure early availability of security patches. This page and the posts indexed therein are maintained by the SAP Product Security Response Team – an organization that also manages the monthly SAP Security Patch Day. In addition to making quality security patches available, we are committed to providing the highest levels of transparency in enabling SAP customers to secure their business system landscape.

 

Latest Blog Posts:

 

SAP Security Patch Day - November 2015

SAP Security Patch Day - October 2015

SAP Security Patch Day - September 2015

SAP Security Patch Day - August 2015

Links:

How can i activate TLS 1.1+ on SAP AS JAVA 7.31 client-side?


I only know SAP note "510007 - Setting up SSL on Application Server ABAP".

 

If I apply the information of this note to AS JAVA,

 

 

"The built-in defaults for the client-side enables only SSLv3 + TLSv1.0 for SAPCRYPTO 5.5.5pl28+ and CommonCryptoLib 8, corresponding to client-side protocol version flags (128+64) = 192.  It is recommended to request TLS protocol version TLSv1.1 and TLSv1.2 with the flags "Best" and "NO_GAP", because only the latter is future-friendly and is fully compatible with older libraries."

 

 

I have to set the following SAP profile parameters, for example:

 

ssl/ciphersuites = 135:HIGH:MEDIUM:+e3DES

ssl/client_ciphersuites = 198:HIGH:MEDIUM:+e3DES

 

Unfortunately the AS Java is already "requesting version 3.1..."

 

I suspect that these SAP profile parameters don't work for AS JAVA?

 

Any experiences?

Any ideas?

 

Thanks in advance,

Matthias

 

- SAP NW PO 731 SPS12 (AS JAVA only)

- Currently we use CommonCryptoLib (SAPCRYPTOLIB) Version 8.4.37 pl40 (May 12 2015) MT-safe.

- Kernel = 721_EXT 64Bit Patch 300

Mass deletion of roles from users


I want to delete all roles from locked users. Is there a specific transaction for this instead of SU10? In SU10 one has to enter the roles to remove.

SAP Security Notes November 2015 - Review


SAP has released the monthly critical patch update for November 2015. This patch update closes 23 vulnerabilities in SAP products (15 Patch Day Security Notes and 8 Support Package Security Notes), 13 of which are high priority; some of them belong to the SAP HANA security area. The most common vulnerability type is code injection. This month, two critical vulnerabilities found by ERPScan researchers Alexander Polyakov and Mathieu Geli were closed.

 

Issues that were patched with the help of ERPScan

 

Below are the details of the SAP vulnerabilities  that were found by ERPScan researchers.

  • A remote termination of running processes vulnerability in SAP Plant Connectivity (CVSS Base Score: 7.1). The update is available in SAP Security Note 2238619. An attacker can use this vulnerability to terminate a process of the vulnerable component. During that period nobody can use the service, which negatively affects business processes, causes system downtime and, as a result, harms business reputation.
  • Use of Base64 and DES to encrypt passwords in SAP xMII (CVSS Base Score: 2.1). The update is available in SAP Security Note 2240274. Base64 and DES are inherently insecure for protecting passwords; a potential attacker who gets access to a stored password can decrypt it.

Why are vulnerabilities in SAP xMII and SAP PCo critical?

 

The fact that different SAP applications are highly interconnected not only between each other but with manufacturing execution systems, plant floor systems, laboratory information management systems, and others makes them an attractive target for cybercriminals. The vulnerabilities discovered by ERPScan’s researchers affect applications that are a kind of bridge between the industrial and the ERP worlds.

 

SAP Plant Connectivity (SAP PCo) is a solution designed to exchange data between an SAP system and the industry-specific data sources of different manufacturers, such as process control systems, plant historian systems, and SPC systems.

Integration of PCo into the system landscape

SAP xMII, or SAP Manufacturing Integration and Intelligence, provides the direct connection between plant floor and business operating systems. It consists of two components: manufacturing integration and manufacturing intelligence.


Let's look at how it works. SAP business applications collect data about critical processes via SAP xMII (Manufacturing Integration and Intelligence). SAP xMII systems are connected to SAP PCo systems, which exchange information with OPC servers, which in turn have direct access to PLC devices and systems that manage critical processes.


These vulnerabilities can be used as the starting point of a sophisticated multi-stage attack aimed at gaining control over linked systems. For example, an attack that is to be demonstrated at the BlackHat conference allows cybercriminals to gain access to devices that control such processes as oil and gas separation, burner management, fiscal metering, and tank management.


The most critical issues closed by SAP Security Notes November 2015


Some of our readers and clients asked us to categorize the most critical SAP vulnerabilities so that they can patch them first. Companies providing SAP Security Assessment, SAP Vulnerability Assessment, or SAP Penetration Testing services can include these vulnerabilities in their checklists. The most critical vulnerabilities of this update can be patched by the following SAP Security Notes:


  • 2197100: The SAP SCTC_REFRESH_EXPORT_USR_CLNT function module has an OS command execution vulnerability (CVSS Base Score: 7.1). An attacker can use this vulnerability to run operating system commands without authorization. Executed commands run with the same privileges as the service that executes them. The attacker can also access arbitrary files and directories located in the SAP server filesystem, including application source code, configuration, and critical system files. This allows an attacker to obtain critical technical and business-related information stored in the vulnerable SAP system. Install this SAP Security Note to prevent risks.
  • 2221082: SAP WEBCUIF and CRMUIF have a Cross-site request forgery vulnerability (CVSS Base Score: 6.8). An attacker can use a Cross-site request forgery vulnerability to exploit an authenticated user's session by sending a request containing a certain URL and specific parameters. A function will be executed with the authenticated user's rights. To do this, an attacker may use a cross-site scripting vulnerability or send a specially crafted link to a victim. Install this SAP Security Note to prevent risks.
  • 2001109: SAP Business Intelligence Authentication has an Information disclosure vulnerability (CVSS Base Score: 6.8). An attacker can use this vulnerability to reveal additional information (system data, debugging information, etc.) which helps to learn about a system and to plan other attacks. Install this SAP Security Note to prevent risks.


It is highly recommended to patch all these SAP vulnerabilities to prevent business risks to your SAP systems.


SAP has traditionally thanked the security researchers from ERPScan for the vulnerabilities they found on its acknowledgment page.

SAP AS Java affected by commons-collections vulnerability?


Dear all,


we are running a PI AEX (AS Netweaver Java 7.4) and I recently heard about this vulnerability: What Do WebLogic, WebSphere, JBoss, Jenkins, OpenNMS, and Your Application Have in Common? This Vulnerability.


I did a quick search in the Java Class Loader View from PI's NWA and did not find any Apache Library there. But as I would consider myself far from a J2EE expert, I might easily be looking in the wrong place.


So my questions are:

  1. Do you know if the SAP Netweaver AS Java might be affected?
  2. How should I check, e.g. where to do that "grep" the above link mentioned?


Many thanks and kind regards

Jens
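For the second question (where to look), an added example that is not part of this thread and not SAP's tooling: a Python scan that walks a directory of deployables, opens each archive, descends one level into nested archives (SAP deployment units such as .sda and .sca files are zip archives that bundle jars), and reports any archive carrying the Commons Collections InvokerTransformer class. The directory tree and archive names are constructed for the demo; in practice, point find_commons_collections at the NetWeaver installation directory.

```python
import io
import os
import tempfile
import zipfile

# Class entries of the gadget class in Commons Collections 3.x and 4.0.
GADGET_ENTRIES = (
    "org/apache/commons/collections/functors/InvokerTransformer.class",
    "org/apache/commons/collections4/functors/InvokerTransformer.class",
)
ARCHIVE_SUFFIXES = (".jar", ".war", ".ear", ".sda", ".sca", ".zip")


def scan_archive(zf, label, hits, depth=0):
    """Record gadget entries in zf; descend one level into nested archives."""
    for name in zf.namelist():
        if name in GADGET_ENTRIES:
            hits.append((label, name))
        elif depth < 1 and name.lower().endswith(ARCHIVE_SUFFIXES):
            try:
                inner = zipfile.ZipFile(io.BytesIO(zf.read(name)))
            except zipfile.BadZipFile:
                continue  # not a real zip despite the suffix; skip it
            scan_archive(inner, label + "!" + name, hits, depth + 1)


def find_commons_collections(root):
    """Return (archive label, entry) pairs for every gadget class under root."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.lower().endswith(ARCHIVE_SUFFIXES):
                path = os.path.join(dirpath, fn)
                try:
                    with zipfile.ZipFile(path) as zf:
                        scan_archive(zf, path, hits)
                except zipfile.BadZipFile:
                    pass  # corrupt or non-zip file; nothing to inspect
    return hits


def build_sample_tree():
    """Constructed sample (not a real SAP deployment): an .sda nesting a jar
    that carries the gadget class, plus a clean jar; class bytes are fake."""
    root = tempfile.mkdtemp()
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr(GADGET_ENTRIES[0], b"\xca\xfe\xba\xbe")
    with zipfile.ZipFile(os.path.join(root, "app.sda"), "w") as z:
        z.writestr("lib/commons-collections.jar", inner.getvalue())
    with zipfile.ZipFile(os.path.join(root, "clean.jar"), "w") as z:
        z.writestr("com/example/Clean.class", b"\xca\xfe\xba\xbe")
    return root


if __name__ == "__main__":
    for archive, entry in find_commons_collections(build_sample_tree()):
        print(archive, "contains", entry)
```

A hit shows the library is present, not that the instance is exploitable: the issue needs an endpoint that deserializes untrusted Java objects, so treat a hit as a prompt to check SAP's notes and guidance for the affected component.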
