Not at all , Jurgen . I'm just now learning sap module . I don't have such intention to use that intellectual property for malicious function . ..

in SCN's different , question - answer thread , somebody stated that consult with *** OSS note / or refer to OSS note no. ****

I just want to know , apart from entering into SAP service marketplace , there is any other alternative way to explore OSS note ??

Because , I'm a simple learner . I don't have that kind relationship as partner / customer with SAP . So , without it , impossible to achieve a S-id .

that's why I'm asking about any other alternative way .

It is also very important to have version control. Notes are versioned, become obsolete, have subsequent related notes, etc.

They also contain a lot of industry and proprietary information about SAP solutions and services (and problems...).

@ Patel: If you enrole for an official SAP Education Training at SAP, then you get your S-account to display SAP notes with it if you did not have one already (at least it used to be like that and that is how I got my S-account). If you buy your SAP system on a CD disk at a market and get your auntie to explain the customizing and ABAP to you, then you do not have access to SAP notes. Life is hard but fair...  🙂

Cheers,

Julius

SAP=Ghetto----Not getting along with security folks... Other vendors post vulnerabilites and links to fixes. 

Yep, thinking that you are anonymous in the internet brings out the worst in folks.

SAP also posts links to fixes - but you must logon in most cases. In isolated cases they lift the notes further to SCN for access from here. For example "knowledge base" documents.

Also security researchers who responsibly report errors have access to the corresponding notes. Actually we get the solutions in advance mostly to test them.

But just hanging around to pass on SAP notes as security advisories is a waste of everyone's time.

Cheers,

Julius

The vulnerability is available to all CVE-2014-5055. Why not give out version of SAP Crystal report? Everyone else does...it  is not a waste of time (2-5 seconds that it would take)

I agree with you sentimentally, it would be great. But SAP software does not have an install shield. There is also no option in the GUI to "check for updates" with regards to such things.

Even the clients developed by SAP are generally engineered by the customer to meet their requirements. The user should not be able to apply software changes.

That means a lot of testing normally, and a lot of time.

Within the SAP software domain, the industry standard of 90 days grace period for real admins when responsibly reporting vulnerabilities is not realistic for most of the customers, even although the turn around for 0-day hacks is down to single digit hours. In SAP it has probably been known and used for years, they just did not see the problem with it so the changes need to be done carefully.

For example, it is often amusing to see the reaction of folks that you can administrate the database from the application. The same client even as the end users are using to order their pens and pencils and sell products, just different authorizations for a different program within the application.

Anyway, to cut a long story short, without a valid S-account you cannot access SAP notes. SO you need a valid reason to have an S-account. You need to do that - not difficult and necessary.

Cheers,

Julius

I must not be understanding..A vulenrabiltiy has been reported (CVE-2014-5055). Simply stated --> Is in on SAP Crystal Reports 2008 V0 or V1, SAP Crystal Reports 2011. We currently are running licensed and purchased SAP Crystal Reports 2008 V1 on over 100 systems and need to know if our version is vulnerable.   How do I get an S-account, if that is what is needed to get this simple bit of information to protect our highly secure environment?

Me thinks that if you have a highly secure SAP landscape but no access to S-Account, then you are not authorized to implement the server side correction.

A customer basis admin will have access to the correction source and instructions in the SAP note. They will also know what the dependencies are and be able to judge the priority and testing requirements.

Subscription services to advisories without access to SAP notes and no understanding of SAP is not good for customers and system stability.

Cheers,

Julius

therfore,  Everyone's (microsoft.oracle,google,etc) methods of reporting vulnerabilities should be disregarded and they should all follow you......Were talking about providing informative alerts.. not access to patches and downloads.

Yes, if you can see that there is an alert on the SOLMAN Security ConfigVal, then evaluate it. That comes from SAP and can be accessed.

If someone creates their own spam list of advisories, then in the SAP context they should as a minimum requirement have access to SAP Notes. Otherwise it is just noise and incorrectly advises customers.

How come you dont have an S-account?

Cheers,

Julius