Community
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
Read only

Please cearify 3421384 Information Disclosure vulnerability in SAP BusinessObjects Web Intelligence

Go to solution
Martin_4
Participant

‎2024 Jul 31 4:42 PM - edited ‎2024 Aug 09 1:07 PM

0 Likes
1,353

intentionaly empty

Labels

Know the answer?

Help others by sharing your knowledge.

Answer

Need more details?

Request clarification before answering.

Show replies
Show replies
Martin_4
Participant
‎2024 Aug 07 2:34 PM
0 Likes

Suma Sum:

What is the  Excel Data Access Service for ?
In short:
-it enables You only to build a Webi on top of an Excel, loaded into the BO Content.
-it has no impact on downloading, exporting excels (or PDFs) with data from a BO Applications
-it has no impact on Webi Applcations on top of Excel, loaded into the BO Content, already build,
these still work with or without Excel Data Access Service

How to check Excel Data Access Service functionality
and / or build a BO Server without  Excel Data Access Service ?
-Logged in with SAP or Enterprise Authentification

A) Build a Test Case 
-upload an Excel to the BO Content Server,
-build a Webi Application on top of it and execute it,
-if You dont have an error while building, You have a Excel Data Access Service in one of the BO Servers,
-generating a Webi or a Lumira and exporting the results  to Excel or PDF is working

B)Find the BO Server with the Data Access Service "switched" on:
-Go to through all Your servers, an check the Common Services for Excel Data Access Service
For example: Adaptive Processing Server, M...14.APS.WebI,

C) Set up a BO server without ExcelData Access Service to see whats working not
-its in BO technically not possible to delete or remove an Excel Data Access Service in an existing BO Server,
-its also in BO technically not possible to delete or remove an Excel Data Access Service in a Clone of an  existing BO Server,
-you must make a new BO Server without of the Excel Data Access Service and than
 shutdown the existing BO Server (with the  Excel Data Access Service) (and best mark it as inactive).

D) Test You Excel BO Content based webi again
-with the (all) Excel Data Access Service not beeing active in a BO Server its not more possible to
build a Webi Application (or other) on top of an Excel loaded into the BO Content,
-Webi Creates an Error: Fehler im Server. Interner Fehler beim Aufruf von 'processDPCommandsEx' API. (Fehler: ERR_WIS_30270)

 -existing Webis, based on Excel in the BO Conetnt still run
-export of Excel in any BO Application still works

What does this mean for the 3421384 if You build a BO Server without of the Excel Data Access Service :
-Existing Webis on base of an Excel can still be used
-Export of an Webi Application to PDF or Excel is still possible
-You might face risks according to 3421384 in Your existing BO Content Excels
(what means these may contain code to read out the BO Server)
 
 
Martin_4_0-1723037840282.png
Martin_4_1-1723037840283.png

 

Replies (0)

Accepted Solutions (1)

Accepted Solutions (1)

Martin_4
Participant
‎2024 Aug 07 2:24 PM
0 Likes

intentionaly empty

 

Show replies
Show replies
mauricio_bernardo
Product and Topic Expert
Product and Topic Expert
‎2024 Sep 02 11:30 PM
0 Likes
Hi Martin, I work as the SAP Support Enginner for SAP BI, and regarding your question, I ensure you to implement the fix as described in the note. If you choose to remove Excel services from the Adaptive Processing Servers (APSs) within the CMC > services section, you'll eliminate the vulnerability but also lose the associated functionality. To remove the service, stop each APS and edit the common services to remove the specified one. In a distributed system, ensure you check all APSs.

Answers (2)

Answers (2)

BasicTek
Product and Topic Expert
Product and Topic Expert
‎2024 Aug 07 2:48 PM
0 Likes

It's used for webi reports that are based of Excel as a data source vs SQL, BW, Oracle, etc

 

https://launchpad.support.sap.com/#/notes/1709797

Show replies
Show replies
Martin_4
Participant
‎2024 Aug 07 3:34 PM
0 Likes

Intentionaly empty

BasicTek
Product and Topic Expert
Product and Topic Expert
‎2024 Aug 01 7:40 PM
0 Likes

You are better off applying the fix as the note states, If you remove the Excel services from the APS(s) in the CMC > services > every Adaptive Processing Server that is hosting the service, then you will lose the functionality but no longer be vulnerable.

To remove the APS(s) must be stopped and edit the common services and remove the one specified. Make sure to check all APS(S) if you have a distributed system.

Show replies
Show replies
Martin_4
Participant
‎2024 Aug 01 7:56 PM
0 Likes

intentionaly empty

Ask a Question