
How to Find SAP Security Note from NCCIC Vulnerability?

Former Member
0 Kudos


Hi Community, we receive a list of SAP and other vulnerabilities from NCCIC. For example:

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2013-7355

"SQL injection vulnerability in SAP BI Universal Data Integration allows remote attackers to execute arbitrary SQL commands via unspecified vectors, related to the J2EE schema."

How can I find out if a SAP security note is out there for this particular vulnerability and/or if it is relevant for our release?

Thanks!

4 REPLIES

Former Member
0 Kudos

Start with Patch Day notes https://websmp205.sap-ag.de/securitynotes

and also run RSECNOTE

and to be really sure, open an OSS message and ask SAP.

Not sure if there is a cross-list of NIST vulnerabilities to OSS notes. Will be interesting to see replies to this question.

Former Member
0 Kudos

Hi,

Click on the link provided by NIST and it takes you to the advisory on the Onapsis website. Register and download the advisory and it includes the note + relevant info (1773651). You won't get spammed. They are a good bunch of guys (and girls).

0 Kudos

Just in case: you should only download code sources from SAP via Service Market Place, not via transports or external files.

It is also best to use the SOLMAN system recommendations for SAP-related security notes. It includes all of them and not just those of specific researchers.

SAP also offers an optional evaluation service. See SAP Note 1839420. Some notes must just go in... others are better options for upgrades or support packs and have mitigation possibilities.

Cheers,

Julius

0 Kudos

Anyone downloading bug fix source code from anywhere other than SAP would deserve everything they got!