5 Replies Latest reply: Mar 28, 2011 12:54 PM by Frank Buchholz

red rating about 'security notes'

tao pan

The SAP EarlyWatch Alert report said the following:

10.1 Security-related SAP Notes

Vulnerabilities exist in this system that can be closed easily. We found relevant security-related SAP HotNews that have not been applied.

Recommendation:

Apply relevant security-related SAP HotNews and Notes. An overview about such notes is published on Service Marketplace at /securitynotes.

To obtain a list of relevant security-related SAP Notes that can be applied easily, run the tool RSECNOTE in transaction ST13. It will provide a detailed list of the vulnerabilities discovered and the corresponding SAP Notes for correction. More security issues may exist.

For more information, refer to SAP Note 888889.

 

I ran report RSECNOTE and got advice that some notes need to be installed.

I'm worried that users' normal operations would be affected after note installation. For example, some operations were OK before, but fail after note installation.

I would like to know how those who face the same red rating about 'security notes' deal with it.

Thanks in advance.

  • Re: red rating about 'security notes'
    Raguraman C

    Hi,

    Can you give some instances that affect your normal operations?

     

    This note or RSECNOTE tool will not affect any normal operations, if at all you have something in place which is not recommended by SAP.

     

    Feel free to revert back.

     

    -=-Ragu

    • Re: red rating about 'security notes'
      tao pan

      > Can you give some instances that affect your normal operations?
      >
      > This note or RSECNOTE tool will not affect any normal operations, if at all you have something in place which is not recommended by SAP.
      >
      > Feel free to revert back.

      I have no instances to show affecting normal operations. I am just afraid that it will happen.

      RSECNOTE will not affect any normal operations; I agree with that. I'll get a lot of security-related notes from the result of running RSECNOTE. I'm afraid that normal operations would be affected if I apply those security-related notes.

  • Re: red rating about 'security notes'
    Paul Babier

    Hello Tao Pan,

     

    Security Notes address known vulnerabilities in SAP systems.

    The Notes recommended in the EWA for a system should not affect any system function, but address the identified vulnerability.

    Still, no matter if the EWA or RSECNOTE are recommending a Security Note, it is always recommended by SAP that the Security Note is reviewed first and the customer makes the final determination as to whether they wish to implement the recommendation or not.

    The reason you should not be so concerned is that in normal operations SAP is not using known security vulnerabilities, so by fixing them it should not impact a system, only serve to harden the security.

     

    Regards,

     

    Paul

    • Re: red rating about 'security notes'
      Sean M

      In general I haven't had problems with security notes. But the February set caused several jobs to fail with short dumps. SAP Support has been able to resolve all but one of those so far.

       

      All I'm saying is that it helps to have a non-production Solution Manager system to try them out on first.

       

      Regards,

      Sean

      • Re: red rating about 'security notes'
        Frank Buchholz

        Sean M wrote:

         

        > In general I haven't had problems with security notes. But the February set caused several jobs to fail with short dumps. SAP Support has been able to resolve all but one of those so far.

        >

        > All I'm saying is that it helps to have a non-production Solution Manager system to try them out on first.

        >

        > Regards,

        > Sean

         

        Hi Sean,

         

        May I ask you to give some details about the issues (either here or via mail to our team securitycheck AT sap.com)?

        I would like to have a closer look at the notes which produced the issues.

         

        Kind regards

        Frank Buchholz

        SAP Active Global Support - Security Services
