SAP Security Notes May 2012 Layer Seven Security ADVISORY


SAP Security Notes May 2012

Layer Seven Security

ADVISORY

There are two startling facts about the SAP Security Notes released in May. The first is the sheer number of Notes issued by SAP: 257, to be exact. In comparison, March and April had just 46 and 33, respectively. The second is that almost 90 percent of the Notes were designed to provide greater protection for SAP systems against cross-site scripting (XSS) attacks. XSS comes in several forms, including stored XSS, which targets the server side, and reflected XSS, which usually targets the client browser. The SAP patches released in May deal with both types of vulnerability.

XSS is the most prevalent Web application security flaw and the most popular attack vector used by hackers. It works through the injection of malicious scripts into input fields used by Web applications. Encryption provides no defense against XSS; it merely encrypts the attack. XSS can be combated through a combination of code reviews (most XSS flaws can be detected by a trained eye) and input and output validation. For the latter, refer to the OWASP XSS Prevention Guide at www.owasp.org. Vulnerability scanners such as those used by SAPSCAN greatly help with the detection of known XSS flaws in SAP systems. You can learn more about SAPSCAN at http://layersevensecurity.com/sapscan.html.

SAP components are especially vulnerable to XSS since many rely upon Web-based (HTTP) communication. This includes SAP Business Suite software such as CRM and SRM and areas of the NetWeaver technology platform including the Enterprise Portal. Successful attacks can bypass SAP access controls and compromise the underlying data in such systems.
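The defence the advisory points to, output encoding of untrusted data for the HTML context it is rendered into, is shown below as an added Python example; it is not code from the advisory, from Layer Seven Security or from SAP. The encoding rules follow the OWASP XSS Prevention guidance for HTML element content and attribute values. The page template, the reflected query and the stored comment are constructed inputs for the demonstration, and both the flawed concatenation pattern and its hardened form are shown side by side.

```python
"""Context-aware output encoding against reflected and stored XSS.

Added example; this is not code from the Layer Seven advisory or from SAP.
It demonstrates output encoding per the OWASP XSS Prevention rules for HTML
element content and quoted attribute values. The template and the inputs
are constructed for the demonstration.
"""

# OWASP Rule #1: in HTML element content, encode the characters that can
# open or close markup. OWASP also recommends encoding '/'.
HTML_BODY_MAP = {
    "&": "&amp;",
    "<": "&lt;",
    ">": "&gt;",
    '"': "&quot;",
    "'": "&#x27;",
    "/": "&#x2F;",
}


def encode_html_body(untrusted: str) -> str:
    """Encode untrusted data for insertion between HTML tags."""
    return "".join(HTML_BODY_MAP.get(ch, ch) for ch in untrusted)


def encode_html_attr(untrusted: str) -> str:
    """OWASP Rule #2: inside a quoted attribute value, encode every character
    that is not an ASCII letter or digit as a hex entity, so the value can
    neither close the quotes nor introduce an event-handler attribute."""
    return "".join(
        ch if (ch.isascii() and ch.isalnum()) else f"&#x{ord(ch):02X};"
        for ch in untrusted
    )


def render_unsafe(query: str, stored_comment: str) -> str:
    """The flaw pattern: untrusted data concatenated straight into the page.
    `query` arrives with the request (reflected path); `stored_comment` was
    saved earlier by another user (stored path)."""
    return (
        "<h1>Results for: " + query + "</h1>\n"
        '<input type="text" value="' + query + '">\n'
        "<p>" + stored_comment + "</p>"
    )


def render_safe(query: str, stored_comment: str) -> str:
    """The hardened form: the same template, each value encoded for the
    context it lands in (element content vs. attribute value)."""
    return (
        "<h1>Results for: " + encode_html_body(query) + "</h1>\n"
        '<input type="text" value="' + encode_html_attr(query) + '">\n'
        "<p>" + encode_html_body(stored_comment) + "</p>"
    )


def leaks_markup(rendered: str, *untrusted_values: str) -> bool:
    """Review check: True if any untrusted value reached the output verbatim,
    which is what a reviewer looks for in a BSP or ITS template."""
    return any(value in rendered for value in untrusted_values)


if __name__ == "__main__":
    # Constructed probe strings, used only to show what the encoding does.
    query = "\"><script>alert('x')</script>"
    comment = "<script>alert('stored')</script>"
    print("unsafe leaks markup:", leaks_markup(render_unsafe(query, comment), query, comment))
    print("safe leaks markup:  ", leaks_markup(render_safe(query, comment), query, comment))
    print(render_safe(query, comment))
```

Note that `encode_html_attr` is only safe for attribute values that are actually quoted in the template; an unquoted attribute can be terminated by whitespace, which is why the OWASP rule assumes quoting and the template above writes `value="..."`.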

Before installing the May patches, SAP customers should install the new encoding library introduced in Note 1601461 (refer to Notes 1582870 and 1582867). Customers should also update Business Server Pages (BSP) (Notes 1687915, 1640092 and 1671470) and the Internet Transaction Server (ITS) (Notes 1488500 and 1621946). For more detailed instructions, follow the SAP checklist available at the SAP Marketplace.

SAP also introduced a critical patch for certain Kernel functions in the month of May. The Kernel lies at the core of SAP systems and contains executable (.exe) files that support the so-called runtime environment. The Kernel is an abstraction layer between SAP systems and the underlying operating system and database layers. It supports the interoperability of SAP systems by enabling SAP to work with almost any enterprise-level OS and DB.

Security Note 1682505 patches a high-risk vulnerability affecting Transport Tools (BC-CTS-TLS) in the Kernel. Transport Tools comprise the utilities used to control releases and transfer data between SAP systems, including programs such as tp and R3trans that are called upon by the Change and Transport System (CTS) and the Transport Management System (TMS). Missing authorization checks in this part of the Kernel could enable some users to reach sensitive functions through the escalation of privileges.

[Chart: SAP Security Notes by Vulnerability Type]
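The breakdown the chart summarises can be recomputed from the appendix table. The following added Python example (not part of the advisory, and not Layer Seven Security's tooling) parses rows in the appendix's layout of priority, note number, component area and title, then buckets each note by the wording of its title. The keyword rules are this example's own assumptions about how SAP phrased note titles in May 2012; the sample rows are copied from the appendix, and the percentages apply to that small sample rather than to all 257 Notes.

```python
"""Rebuild a vulnerability-type breakdown from SAP Security Note titles.

Added example; not part of the Layer Seven advisory. The classification
rules below are assumptions about SAP's title wording, and SAMPLE_TABLE
holds a handful of rows copied from the advisory's appendix.
"""
import re
from collections import Counter

# One appendix row: priority (1-4), seven-digit note number, component area
# (no spaces), then the free-text title.
ROW_RE = re.compile(r"^\s*([1-4])\s+(\d{7})\s+(\S+)\s+(.*\S)\s*$")

# Ordered (label, pattern) rules: specific wordings first, then the broad
# "unauthorized modification of content / BSP / ITS / SICF" family that SAP
# used for its XSS fixes, then a fallback. First match wins. (Assumed rules.)
RULES = [
    ("Directory traversal", re.compile(r"directory traversal", re.I)),
    ("Code injection / code execution", re.compile(r"code injection|code execution", re.I)),
    ("Denial of service", re.compile(r"denial of service", re.I)),
    ("Missing authorization", re.compile(
        r"missing authori[sz]ation|unauthori[sz]ed (use|execution) of application func", re.I)),
    ("Update to earlier note", re.compile(r"\bupdate\b.*\bto security notes?\b", re.I)),
    ("Cross-site scripting", re.compile(
        r"cross.site.scripting|\bxss\b|modification.*\b(content|bsp|its|sicf)\b", re.I)),
]


def parse_row(line: str):
    """Return (priority, note, area, title), or None if the line is not a row."""
    m = ROW_RE.match(line)
    if not m:
        return None
    priority, note, area, title = m.groups()
    return int(priority), int(note), area, title


def classify(title: str) -> str:
    """Map a note title to a vulnerability-type label using RULES."""
    for label, pattern in RULES:
        if pattern.search(title):
            return label
    return "Other"


def summarize(lines):
    """Count notes per vulnerability type: {label: (count, percent_of_rows)}."""
    rows = [r for r in (parse_row(line) for line in lines) if r]
    counts = Counter(classify(title) for _, _, _, title in rows)
    total = len(rows)
    return {label: (n, round(100.0 * n / total, 1)) for label, n in counts.items()}


def count_by_priority(lines):
    """Count notes per SAP priority (1 = Hot News ... 4 = Low)."""
    rows = [r for r in (parse_row(line) for line in lines) if r]
    return dict(Counter(priority for priority, *_ in rows))


# Rows copied from the appendix (a small sample, not the full 257).
SAMPLE_TABLE = """\
PRIORITY  NOTE     AREA            DESCRIPTION
1         1682505  BC-CTS-TLS      Missing authorization check in KERNEL
1         1716165  BC-JAS-SEC      Update 1 to security note 1651004
2         1680413  CRM-BF-TM       Unauthorized modification of displayed content in CRM-BF-TM
2         1684713  IS-M            Unauthorized modification in ITS-Services in IS-M
2         1676849  CRM-MD-PRO-OBJ  Unauthorized modification of BSP in CRM-MD-PRO-OBJ
2         1694662  BC-CCM-MON-SLG  Directory Traversal in SAP System Log
2         1685003  EPM-BFC-TCL     Potential remote code execution in Financial Consolidation
2         1687910  BC-ABA-SC       Potential denial of service in DIAG Processor
2         1650819  SLL-LEG-CUS     Cross-Site-Scripting (XSS) in GTS Dashboard possible
3         1642810  SV-SMG-SDD      Code injection vulnerability in SV-SMG-SDD
2         1658759  BW-BEX-ET-WEB   Directory traversal with unauthorized modification in BW
2         1677475  PA-ER           Unauthorized use of application functions in HRRCF_START_EXT
"""

if __name__ == "__main__":
    for label, (n, pct) in sorted(summarize(SAMPLE_TABLE.splitlines()).items()):
        print(f"{label:32} {n:3} ({pct}%)")
    print("by priority:", count_by_priority(SAMPLE_TABLE.splitlines()))
```

Running it over the full appendix (paste the rows into `SAMPLE_TABLE` or read them from a file) reproduces the advisory's headline that the large majority of May's Notes belong to the cross-site scripting family; titles the rules do not recognise land in "Other" so they can be reviewed by hand rather than silently miscounted.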

Appendix: SAP Security Notes, May 2012

Priority follows SAP's scale: 1 = Hot News, 2 = High, 3 = Medium, 4 = Low.

PRIORITY  NOTE     AREA                  DESCRIPTION
1         1682505  BC-CTS-TLS            Missing authorization check in KERNEL
1         1716165  BC-JAS-SEC            Update 1 to security note 1651004
1         1631354  BC-JAS-SEC-UME        Update 1 to Security Note 1616058
2         1715626  BC-BSP                Update 1 to security note 1591427
2         1680413  CRM-BF-TM             Unauthorized modification of displayed content in CRM-BF-TM
2         1680142  CRM-IC-ADR            Unauthorized modificat. of displ. content in CRM-IC-ADR
2         1680716  XAP-MBA-DSD           Unauthorized modification of displayed content in MDSD Admin
2         1684713  IS-M                  Unauthorized modification in ITS-Services in IS-M
2         1684640  IS-M                  Unauthorized modification in BSP applications in IS-M
2         1684344  CRM-IC-FRW            Unauthorized modification of displayed content in IC_BASE
2         1683913  PP-MES                Unauthorized modification in SICF-services in PP-MES
2         1683397  PPM-PRO               Unauthorized modification of displayed content in PPM-PRO
2         1683291  CA-GTF-SP-GEN         Unauthorized modification in CA-GTF-SP-GEN
2         1682810  SLC-REG               Unauthorized use of application functions in SLC-REG
2         1682611  CRM-IPS-BTX           Unauthorized modification in BSP application in CRM-IPS-BTX
2         1682360  CRM-MKT-SEG-IEX       Unauthorized modification of displayed content in CRM_MKTIME
2         1682054  SRM-SUS               Unauthorized modification of displayed content in SRM-SUS
2         1681906  SRM-EBP-BID           Unauthorized modification of displayed content in SRM-EBP
2         1681887  CRM-BF-CFG            Unauthorized modification of displayed content in IPC UI
2         1677037  CRM-IFS               Unauthorized modification of displayed content in CRM-IFS
2         1676981  EP-PCT-PUR-BP         Unauthorized modification in BSP applicat. of EP-PCT-PUR-BP
2         1676934  SRM-EBP-CA-ATT        Malicious modification of SRM attachment url.
2         1676849  CRM-MD-PRO-OBJ        Unauthorized modification of BSP in CRM-MD-PRO-OBJ

2         1676848  CRM-IC-OBJ            Unauthorized modification of BSP in CRM-IC-OBJ
2         1676846  CRM-MD-PRO            Unauthorized modification of BSP in CRM-MD-PRO
2         1676754  IS-A-DP-VMS           Unauthorized modification of BSP in Webdocuments
2         1676753  IS-A-DP-SPP           Unauthorized modification of BSP in Webdocuments
2         1676722  IS-A-DP-WTY           Unauthorized modification of BSP in Webdocuments
2         1676678  FS-CD                 Unauthorized change of contents displayed in agency collctns
2         1676514  CRM-BTX-PRV-DUI       Unauthorized modificat. of displ. content in CRM-BTX-PRV-DUI
2         1676480  EP-PCT-MGR-CO         Unauthorized modification in BSP appl. in EP-PCT-MGR-CO
2         1676479  CO-OM                 Unauthorized modification in BSP application in CO-OM
2         1676473  EP-PCT-SD-S           XSS: Source code commented out incorrectly on BSP pages
2         1676293  SRM-EBP-CAT           Unauthorized modification of displayed content in SRM-EBP
2         1676236  PA-ER                 Unauthorized modification of stored content in E-Recruiting
2         1677068  PLM-PPM-PDN           Unauthorized modification of displayed content in PLM-PPM-PDN
2         1679963  CRM-IC-EMS            Unauthorized modification in BSP application in CRM-IC-EMS
2         1679689  SRM-ROS               ROS: Unauthorized modification in BSP application
2         1679401  CRM-MKT-MPL-CA        Unauthorized modification in BSP application CRM-MKT-MPL-CA
2         1679172  CRM-BF-SVY            Unauthorized modification in BSP application in CRM-BF-SVY
2         1679032  CRM-CHM               Unauthorized modification of displayed content in CRM-CHM
2         1678715  CRM-BTX-ACT           Unauthorized modification in CRM e-Mail Activity
2         1678643  FIN-SEM-CPM-BSC       Unauthorized modification in BSP application in FIN-SEM-CPM
2         1678581  CRM-BF-BRF-RM         Unauthorized modification in CRM Rule builder (CRM-BF-BRF-RM)
2         1678243  CA-DMS                Unauthorized modification of BSP in Webdocuments (2)
2         1678055  CRM-IPS-ICM-ACT       Unauthorized modification of displayed content in ICM e-mail
2         1677810  IS-U-WA               Unauthorized modification in ITS-Service in IS-U-WA
2         1677766  PP-KAB                Unauthorized modification in ITS-Service in KANBAN
2         1677486  SCM-APO-CA-COP        Unauthorized modification in ITS-Service in SCM-APO-CA-COP
2         1677475  PA-ER                 Unauthorized use of application functions in HRRCF_START_EXT
2         1677413  PPM-PRO               Unauthorized modificatn of displayed content in PPM-PRO (1)

2         1677194  BW-BCT-ISR-AA         Unauthorized modif. of stored content in RSBCT_RFASH_ALI
2         1694075  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (9)
2         1694074  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (8)
2         1694062  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (7)
2         1694061  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (6)
2         1694060  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (5)
2         1694059  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (4)
2         1694057  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (3)
2         1694056  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (2)
2         1693480  BC-FES-ITS            Unauthorized modification of displayed content in ITS
2         1693219  CRM-BF-WST            Unauthorized modification of content in WS_DESIGN_TOOL
2         1692352  CRM-MD-BP-CCP         Unauthorized modification of the content in CRM-MD-BP-CCP
2         1698421  CRM-MKT-SEG-TGR       Unauthorized modification of displayed content in CRM_MKT
2         1698889  CA-GTF-PCF            Unauthorized modification of displayed content in CA-GTF-PCF
2         1699074  CRM-IT                Unauthorized modification of stored content in CRM_IT_DEALER
2         1690118  CRM-BTX-BF            Unauthorized modification in CRM Business Transactions
2         1696538  CRM-IC-FRW            Unauth. mod. of displayed content in Interaction Center Frw.
2         1695596  IS-U-CS               Unauthorized modification of stored content in IS-UT
2         1695324  CRM-IC-SCR            Unauthorized modification of displayed content in CRM-IC-SCR
2         1695059  CRM-BF-ML             Unauthorized modification of displayed content in CRM Email
2         1695039  CRM-BF                Unauthorized modification of displayed content in CRM_BSP
2         1694952  CRM-MKT               Unauthorized modification of displayed content in CRM-MKT
2         1697160  SCM-BAS-UIF           Unauthorized modification of displayed content in ICH
2         1694662  BC-CCM-MON-SLG        Directory Traversal in SAP System Log
2         1697723  CRM-IC-ABO            Unauthorized modification of displayed content in CCMP_RABOX
2         1694226  BW-PLA-BPS-WIB        Unauthorized execution of application funcs. in BW-PLA-BPS
2         1694081  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (14)
2         1694080  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (13)

2         1694078  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (12)
2         1694077  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (11)
2         1694076  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (10)
2         1690079  BW-BCT-CRM            Unauthorized modification in BSP applications in BW-BCT-CRM
2         1687722  PPM-PRO               Unauthorized modification of displayed content in PPM
2         1687668  PE-LSO-LPO            Unauthorized modification in BSP application in PE-LSO-LPO
2         1687477  CA-GTF-IC-SCR         Unauthorized modification in BSP in CA-GTF-IC-SCR 3
2         1687426  CA-GTF-IC-SCR         Unauthorized modification in BSP in CA-GTF-IC-SCR 1
2         1686829  PA-EC-JP              Unauth. modification of displayed content in Job Pricing
2         1686828  PA-EC-BD              Unauth. modification of displayed content in Budgeting
2         1686821  SLC-SUP               Unauthorized modification of displayed content in SLC-SUP
2         1686703  CRM-CIC-CAM           Unauthorized modification of content in CRM-CLM applications
2         1686627  PPM-PFM               Unauthorized modification on document url in PPM
2         1686573  CRM-CIC               Unauthorized modification of content in CRM-CIC applications
2         1686234  PA-PD-PM              Unauthorized modification of stored content in PA-PD-PM
2         1685251  XX-PROJ-FI-CA         Unauthorized modification of BSP in FI-CA
2         1685062  CRM-MKT-MPL-CA-BRE    Unauthorized modification in CRM-MKT-MPL-CA-BRE
2         1685036  CRM-BTX-GWI           Unauthorized modification of stored content in CRM-BTX-GWI
2         1685003  EPM-BFC-TCL           Potential remote code execution in Financial Consolidation
2         1689963  CRM-MKT-MPL-CA-MOD    Unauthorized modification in CRM-MKT-MPL-CA-MOD
2         1689843  CRM-MKT-MPL-CA-BRE    Unauthorized modification in component CRM-MKT-MPL-CA-BRE
2         1689083  CRM-ANA-SRV-BW        Unauthorized modification of disp. content in CRM-ANA-SRV-BW
2         1689009  EP-PCT-MAN-M          Unauthorized modification in BSP application in PlantManager
2         1688768  CRM-IC-ABO            Unauthorized modification of content in CRM_CIC_RABOX
2         1699418  BC-BSP                Unauthorized modification of displayed content in BSP
2         1688660  BW-BCT-EPM            Unauthorized modification of stored content in BI_CONT
2         1700195  BW-BCT-PSM            Unauthorized modification of displayed content in BW-BCT-PSM

2         1700620  FIN-SEM-CPM           Unauthorized modification of displayed content in FIN-SEM-CPM
2         1688518  FS-BA-TO-ME           Code injection vulnerability in module editor
2         1701662  CA-SUR                Unauthorized modification of displ content in Web Request
2         1688421  BC-SEC-SSF            Unauthorized modification of displayed content in BSP apps.
2         1702304  PA-EC-BD              Unauthorized modification displayed content ECM_BSP_LIBRAY
2         1687962  CRM-BTX-ACT           Unauthorized modification of displayed content in Calendar
2         1687910  BC-ABA-SC             Potential denial of service in DIAG Processor
2         1676211  CA-GTF-IC-BRO         Unauthorized modification in BSP in CA-GTF-IC-BRO
2         1658759  BW-BEX-ET-WEB         Directory traversal with unauthorized modification in BW
2         1657275  FI-FM                 Missing authorization check in FI-FM
2         1657210  CRM-ISE-SRE           Unauthorized mod. of displayed content in Web.Req. toolbox
2         1656918  CRM-ISE-WBF           Unauthorized mod. of displayed content in UAD_xx
2         1656658  BC-DWB-WD-ABA         Unauthorized modification of displayed content in Web Dynpro
2         1655538  PA-PA-JP              Unauthorized modification in ITS-Service
2         1655428  PA-PA-KR              Unauthorized Modification in ITS-Service in PA-PA-KR
2         1655298  BC-FES-GUI            Generic low level functionality in SAP GUI
2         1654574  CRM-BTX-ERP           Unauthorized modification of content in configuration
2         1654492  CRM-BTX-BF-ATP        Unauthorized modification of content in gATP pop-up
2         1653474  BC-WD-JAV             Unauthorized Modification of Displayed Content in Web Dynpro
2         1653473  EP-PDK-HBJ            Unauthorized Modification of Displayed Content in HTMLB
2         1653127  CRM-BF-WFI            Unauthorized modification in SICF-service in CRM-BF-WFI
2         1652708  CRM-BTX-ERP           Unauthorized modification of content in ERP print preview
2         1652707  CRM-BF-ACI            Unauthorized modification of content in order print preview
2         1650819  SLL-LEG-CUS           Cross-Site-Scripting (XSS) in GTS Dashboard possible
2         1658926  CRM-BF-COM            Unauthorized modification of displayed content in CRM CM
2         1661838  CA-GTF-PCF            Unauthorized modification of stored content in CA-GTF-PCF
2         1661780  PLM-CFO               Unauthorized modification of displayed content in PLM-CFO (1)
2         1661698  BW-BEX-ET             Unauthorized modification of displayed content in BW-BEX-ET

2         1661568  SRM-SUS               Unauthorized modification in BSP application/SICF Service
2         1661411  FI-TV-PL              Unauthorized modification of displayed content in FI-TV-PL
2         1661065  CRM-BF-COM            Unauthorized modification of displayed content in CRM CM
2         1661016  CRM-MKT-DAM           Unauthorized modification of BSP in CRM-MKT-DAM
2         1660926  CRM-BF-COM            Unauthorized modification of displayed content in CRM CM
2         1660855  CRM-BF-ML             Unauthorized modification of displayed content in CRM Email
2         1660718  IS-M-AMC              Cross site scripting vulnerability in BSP pages for AMC
2         1660428  BC-SRV-RM             Unauthorized modification of stored content in BC-SRV-RM
2         1660337  SRM-EBP-CON           Unauthorized modification of stored content in SRM-EBP-CON
2         1659640  PA-PA-CN              Security: XSS vulnerability in SAP GUI for HTML
2         1659560  CRM-ISE-WBF           Unauthorized mod. of displayed content in CRM-ISE-WBF
2         1659519  CRM-BF-ML             Unauthorized modification of displayed content in CRM Email
2         1659045  CRM-BF-ML             Unauthorized modification of displayed content in CRM EMAIL
2         1659015  CA-EPT-ANL-LST        URL in Launchpad-Navigation can be malformed
2         1610923  BC-SRV-SSF            Unauth. modification of displayed content in BC-SRV-SSF
2         1610668  BC-SRV-GBT-ALM        Unauthorized modif. of displayed content in BC-SRV-GBT-ALM
2         1610237  CRM-ANA-PS            Unauthorized modification of displayed content in BW-CRM
2         1609808  BC-SRV-KPR-RET        Unauthorized modification of displayed content in BC-SRV-KPR
2         1609546  BC-SRV-RM             Unauthorized modification of stored content in BC-SRV-RM
2         1609289  BC-MOB-MI             Unauthorized modification of displayed content in BC-MOB-MI
2         1608934  BC-DOC-TER            Potential loss of integrity in web app Terminology Tools
2         1608651  PA-PD-PM              Unauthorized modification of stored content in PA-PD-PM
2         1600317  BC-BSP                Unauthorized modification of displayed content in BSP
2         1597489  SCM-EWM-RF            Unauthorized use of application functions in SCM-EWM-RF
2         1597066  BW-BEX-OT-MDX         MDX: SOAP / XMLA interface and Document Type Definitions
2         1590866  BC-MOB-MI             Unauthorized modification of displayed content in BC-MOB-MI
2         1590341  BC-MID-ICF            Unauth. modification of displayed content in ICF Recorder
2         1589215  IS-CC                 Potential modification of persisted data in SAP CC

2         1565781  EP-PCT-PUR-BP         Buyer: Sec. note for cross-site scripting & BSP applications
2         1341333  BC-DB-SDB             Potential info. disclosure and code execution in sapdbctrl
2         1612819  CA-GTF-TS-WSI         Unauthorized modification of stored content in CA-GTF-TS-WSI
2         1649117  BC-WD-ABA             Unauthorized modification of displayed content in WebDynpro
2         1644876  FS-CD                 Unauthorized modification of displayed content agency coll.
2         1638718  BC-BSP                XSS vulnerability in BSP system
2         1637338  BC-WD-UR              Unauthorized modification of displayed content in UR
2         1632687  CA-GTF-IC-SCR         Unauthorized modification in BSP in CA-GTF-IC-SCR 2
2         1629474  BC-BSP                Unauthorized modification of displayed content in BSP pages
2         1628849  CA-WUI-UI-TAG         Unauthorized modification of stored content in WEBCUIF
2         1626152  CRM-ISA               Potential runtime problems after manipulation of isa_relogin
2         1624142  BC-SRV-ARL            Unauthorized modification of stored content in BC-SRV-ARL
2         1615941  EP-PIN                Portal XSS Encoding Library - StringUtils
2         1615019  BI-BIP-CMC            Unauthorized modification of displayed content in BOE
2         1614834  BC-ESI-WS-ABA-CFG     Unauthorized modification of displayed content in UDDIClient
2         1614750  PLM-CFO               Update #2 to Security Notes 1466863
2         1613163  PLM-CFO               Update #2 to Security Notes 1496707
2         1662272  BI-BIP-OP             Potential denial of service in BusinessObjects Enterprise
2         1675232  CRM-IC-CAM            Unauthorized modification in BSP in CRM-IC-CAM
2         1675220  FI-AP                 Obsolete ITS services in FI-AR/AP
2         1675153  BW-BCT-PLA-RAP        Unauthorized modification of displayed content in BW-BCT-PLA
2         1674905  SRM-EBP-CA-ATT        Malicious modification of displayed SRM attachments
2         1674902  SLC-SUP               SLC: Unauthorized modification in BSP application
2         1674713  SRM-EBP-BID           Unauthorized modification in ITS services
2         1674685  SRM-EBP-TEC-ITS       Unauthorized modification in ITS-Services in SRM
2         1674616  CA-WUI-APF            Unauthorized modification of content in transaction launcher
2         1674596  IS-M-AMC              Unauthorized modification of displayed content in IS-M-AMC
2         1674366  CRM-ISE-WBF           Unauthorized mod. of displayed content in BSP CRM_PS_SOA

2         1674219  CO-OM                 Unauthorized modification in ITS-Services of ISR
2         1674100  SRM-EBP-PRC           Unauthorized modification in ITS-Service in SRM-EBP-PRC
2         1674027  SRM-CMT               Unauthorized modification in ITS-Service in SRM-EBP-CAT
2         1673853  IS-HER-CM             Unauthorized modification in BSP application in IS-HER-CM
2         1673790  IS-HER-CM             Unauthorized modification in BSP application in IS-HER-CM
2         1673645  SRM-EBP-VE            Unauthorized modification of displayed content in VE
2         1673549  IS-M-AMC              Unauthorized modification of displayed content in IS-M-AMC
2         1675346  FI-AA                 Obsolete ITS services in FI-AA
2         1676123  SRM-EBP-INV           Unauthorized modification of ITS in SRM-EBP-INV
2         1676070  PLM-PPM-PDN           Unauthorized modification of displayed content PLM-PPM-PDN
2         1676045  SRM-EBP-APM           Unauthorized modification of displayed content in APM
2         1675884  CRM-IC-EMS-RUL        Unauthorized modification in BSP app in CRM-IC-EMS-RUL
2         1675809  PS-CLM                Unauthorized modification in ITS-Service in PS-CLM
2         1675796  FIN-CGV-MIC           Migration to new XSS-Library
2         1675795  PS-CON                Unauthorized modification in ITS-Service in PS
2         1675775  FIN-SEM-CPM           Unauthorized modification of displayed content in SEM-CPM
2         1675734  SRM-EBP-CAT           Unauthorized modification in ITS-Services in BBP
2         1675605  EP-PIN-RTC            Missing authorization check in RTC
2         1675533  BC-WD-CMP-FPM         Missing authorization check in BC-WD-CMP-FPM
2         1675499  SRM-LA                Unauthorized modification of displayed content in SRM-LA
2         1675484  CRM-IC-FRW            Unauthorized modification in BSP in CRM-IC
2         1675411  CRM-IC-SCR            Unauthorized modification in BSP in CRM-IC-SCR
2         1675396  SRM-EBP-CGS           BBP_PM01 ITS service vulnerable to XSS attack
2         1675374  FI-AA                 Unauthorized modificatn of displayed content FI-AA (EA-APPL)
2         1675350  CRM-ANA-MKT-CLV       Unauthorized modification in BSP appl. in CRM-ANA-MKT-CLV
2         1670098  CA-DMS                Unauthorized modification of BSP in Webdocuments
2         1669048  CRM-ANA               Unauthorized modification of BSP in CRM-ANA
2         1668728  SRM-EBP-PD            Unauthorized modification of displayed content in SRM

2         1668681  PPM-PFM               Unauthorized modification of displayed content in PPM-PFM
2         1668569  IS-A-SWP              Unauthorized modification in ITS-Services in SWP.
2         1666901  CRM-IC-FCA            Unauthorized modification of BSP in CRM-IC-FCA
2         1665973  SRM-EBP-WFL           Unauthorized modificat. of displayed content in SRM-EBP-WFL
2         1665930  FIN-BA                Unauthorized modification of displayed content in FIN-BA
2         1665704  CRM-MD-BP-CCP         Unauthorized modification of BSP in CRM-MD-BP-CCP
2         1665489  SRM-EBP-PRO           Unauthorized modification of stored content in SRM-EBP-PRO
2         1665082  SRM-EBP-CA-SIG        Unauthorized modification of BSP in SRM-EBP-CA-SIG
2         1665004  CRM-IPS-BTX-APL       Unauthorized modification of BSPs in CRM Grantor Management
2         1664632  QM                    Unauthorized modification of ITS in QM
2         1664449  FIN-FSCM-BD           Unauthorized modification of displayed content in FSCM BD
2         1663788  CRM-IU                Unauthorized change of displayed content in CRM-IU
2         1670153  IS-A-SWP              Unauthorized modification in ITS-Services in SWP.
2         1673177  IS-OIL-DS-SSR         Unauthorized modification in ITS-Service in IS-OIL-DS-SSR
2         1673131  IS-ADEC-BOQ           Unauthorized modification in ITS-Service in IS-ADEC-BOQ.
2         1673038  SRM-SUS               SUS: Unauthorized modification in BSP application SRMSUS
2         1672819  PA-PA-SG              Security: XSS vulnerability in SAP GUI for HTML
2         1672743  PPM-PRO               Unauthorized modification of displayed content in PPM-PRO
2         1672695  PA-PA-AU              Security: XSS vulnerability in SAP GUI for HTML
2         1672442  CRM-ANA-BOJ-UI        Unauthorized modification of BSP in CRM-ANA-BOJ-UI
2         1672440  CRM-MKT-ML            Unauthorized modification of BSP in CRM-MKT-ML
2         1672438  CRM-MKT-MPL           Unauthorized modification of BSP in CRM-MKT-MPL
2         1672369  CRM-MKT-MPL-TPM-TPO   Unauthorized modification of displayed content in TPO 100
2         1671695  CRM-MD-BP-PCU         Unauthorized modification of BSP in CRM-MD-BP-PCU
2         1671334  PA-PA-IN              Security: XSS vulnerability in SAP GUI for HTML
2         1671206  BC-SRV-BTF            Unauthorized modification of displayed content in BTF-Editor
2         1671106  CRM-IPS-ICM-CMG       Unauthorized modification of displayed content in ICM
2         1671087  CRM-MKT-MPL-CAL       Unauthorized modification of display content in MKT Calendar

2         1670438  SRM-EBP-ADM-USR       Unauthorized modification of ITS in SRM-EBP-ADM-USR
2         1670220  IS-HER-CM             Unauthorized modification of ITS in IS-HER-CM
2         1721539  BW-WHM                Update 1 to security note 1656265
2         1723907  PLM-CFO               Update 1 to security note 1613163
3         1655512  EPM-SA                Missing Authorization check in OPMFND
3         1593247  PP-MES                Missing authorization check in PP-MES
3         1642810  SV-SMG-SDD            Code injection vulnerability in SV-SMG-SDD
3         1642179  CRM-MW-MBX            HTTP verb tampering issue in Java MapBox
3         1629676  PE-LSO-LPO            Security fix for BSP application HCM_LEARNING
3         1663799  BC-JAS-ADM-ADM        Missing authorization check in NWA
4         1667388  BC-BMT-BRM-ENG        Explicit Scope Declaration issues in BRMS-CORE

Layer Seven Security

Web: www.layersevensecurity.com
Email: info@layersevensecurity.com
Telephone: 1 888 995 0993

Address: Westbury Corporate Centre, Suite 101, 2275 Upper Middle Road, Oakville, Ontario L6H 0C3, Canada

Layer Seven Security specializes in SAP security. We serve customers worldwide to protect information assets against internal and external threats and to comply with industry and statutory reporting requirements. The company fuses technical expertise with business acumen to deliver unparalleled audit, consulting and vulnerability assessment solutions targeted at managing the risks associated with contemporary SAP systems.

Our consultants have an average of ten years of experience in the field of SAP security and proficiency in regulatory compliance including Basel II, GLBA, HIPAA, FISMA, PIPEDA, PCI DSS and SOX.

The company is privately owned and headquartered in Toronto, Canada.


© Copyright Layer Seven Security 2012 - All rights reserved.

No portion of this document may be reproduced in whole or in part without the prior written permission of Layer Seven Security.

Layer Seven Security offers no specific guarantee regarding the accuracy or completeness of the information presented, but the professional staff of Layer Seven Security makes every reasonable effort to present the most reliable information available to it and to meet or exceed any applicable industry standards.

This publication contains references to the products of SAP AG. SAP, R/3, xApps, xApp, SAP NetWeaver, Duet, PartnerEdge, ByDesign, SAP Business ByDesign, and other SAP products and services mentioned herein are trademarks or registered trademarks of SAP AG in Germany and in several other countries all over the world. Business Objects and the Business Objects logo, BusinessObjects, Crystal Reports, Crystal Decisions, Web Intelligence, Xcelsius and other Business Objects products and services mentioned herein are trademarks or registered trademarks of Business Objects in the United States and/or other countries.

SAP AG is neither the author nor the publisher of this publication and is not responsible for its content, and SAP Group shall not be liable for errors or omissions with respect to the materials.