Application Development Discussions
Join the discussions or start your own on all things application development, including tools and APIs, programming models, and keeping your skills sharp.
cancel
Showing results for 
Search instead for 
Did you mean: 

Apply SAP Security Notes to all components?

0 Kudos
320

Dear Forum,

Is it possible to take advantage of exploits in installed components although theyre not in use? I mean, when patching SAP Security Notes, does it make sence to patch components which are installed but not in use?

Rough example:

We have a system with 10 components (according to SPAM status) only 7 of these modules are actively used. Should all 10 receive applicable SAP Security Notes, or would it be enough to patch the ones in use?

I hope someone is able to elaborate on this

Thanks in advance guys,

Kind Regards,

Soren

1 ACCEPTED SOLUTION

mvoros
Active Contributor
0 Kudos
238

Hi,

I would say yes. The problem is that a malicious user can still try to exploit vulnerability in non used module. For example a power user (e.g. developer) with access to wider range of transactions can try to exploit issue and escalate his privileges.

Cheers

4 REPLIES 4

mvoros
Active Contributor
0 Kudos
239

Hi,

I would say yes. The problem is that a malicious user can still try to exploit vulnerability in non used module. For example a power user (e.g. developer) with access to wider range of transactions can try to exploit issue and escalate his privileges.

Cheers

0 Kudos
238

Hi Martin,

First off, thanks for your input!

I had a suspicion this was possible. If you (or anyone else) has an example (not with deep detail ofcourse, we dont want to encourage anyone to test it..) or a scenario where this would be possible let me know. I need more ammo for my arguments, hence I want to patch everything, but I also need something to back up my theory. So an example would be awesome

Thanks

Kind Regards,

Soren

mvoros
Active Contributor
0 Kudos
238

HI,

for example reading a file. Let's say there is a bug in a program which allows malicious user to read any file on the application server. Obviously, you want to patch this even that program is not used by normal users. Another example is missing authorization checks for table view. You can have assigned proper authorizations for S_TABU_DIS but if a malicious user can trick a program without authorization check to display data from any table then you have a problem. A real example could be an issues fixed in note 1558740. Even if you don't use IS-U those FMs are still in your system.

Don't forget that it's good to have multiple layers of protection. So you keep authorizations tight but still you patch all security issues.

Cheers

0 Kudos
238

Hi Martin,

Thanks for the examples, now I am not in doubt that we neet to add security notes / patches to all installed components altho not in use.

Have a nice day

Kind Regards,

Soren