
About vulnerability CVE-2025-0066 in SAP Note 3550708

JesúsM
Discoverer
0 Kudos
1,309

Hello everyone,
I am new to the community and I need help.
We have SAP Basis 731 at SP level 34. According to the note, it should be upgraded to SP level 36, and that upgrade would disable SA38 or remove the permission for SA38 in the current SP level 34; is that correct?
Has any of you already applied the correction? What is the option regarding the use of SA38 for SAP administrators?

Solution
The correction disables the program execution of SA38 transaction.
Please implement the support package referenced in this SAP Security Note, or implement the respective correction instruction.
If you have further questions, refer to SAP Note 3550790.
Workaround
Please assess the workaround applicability for your SAP landscape prior to implementation.
Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
Do not grant permission to execute transaction SA38.

Sandra_Rossi
Active Contributor

The note 3550790 - FAQ for SAP Security Note 3550708 - Information Disclosure vulnerability in SAP NetWeaver ... is only a Q&A about the note 3550708. Nowhere in the note 3550790 is it said that SA38 is disabled. The most important information is that it explains why the security note 3550708 was disclosed: "Using report RSICFCLTST01 credentials can be retrieved".

Now, what does the referred note 3550708 - [CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP... contain?

  • It adds the statement "RETURN" at the beginning of the report RSICFCLTST01, which means that if you run the program, nothing happens, credentials cannot be retrieved (by hackers) anymore.

So, no worries about SA38, it's still there.
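
For the workaround quoted in the question (do not grant permission to execute SA38), here is an added example that is not part of the original thread or of the SAP note: a Python check that lists which roles grant SA38 through authorization object S_TCODE, including wildcard and range values. It assumes the role authorization values were exported from table AGR_1251 as CSV with the column names shown; the sample rows and role names are constructed, and the value matching is a simplification.

```python
import csv
import io

TCODE = "SA38"

# Constructed sample: rows in the shape of an AGR_1251 export
# (role authorization values). Role names are made up for this example.
SAMPLE_EXPORT = """AGR_NAME,OBJECT,FIELD,LOW,HIGH,DELETED
Z_BASIS_ADMIN,S_TCODE,TCD,SA38,,
Z_POWER_USER,S_TCODE,TCD,SA*,,
Z_SUPPORT,S_TCODE,TCD,S000,SM99,
Z_DISPLAY,S_TCODE,TCD,SM37,,
Z_OLD_ROLE,S_TCODE,TCD,SA38,,X
Z_ALL,S_TCODE,TCD,*,,
Z_REPORTING,S_PROGRAM,P_ACTION,SUBMIT,,
"""

def value_grants(low, high, tcode=TCODE):
    """True if an S_TCODE value (single, pattern or range) covers tcode.

    Simplified matching (assumption): a trailing '*' is a prefix wildcard,
    and LOW..HIGH is an inclusive string range.
    """
    low, high = low.strip().upper(), high.strip().upper()
    if high:
        upper = high[:-1] + "\uffff" if high.endswith("*") else high
        return low.rstrip("*") <= tcode <= upper
    if low.endswith("*"):
        return tcode.startswith(low[:-1])
    return low == tcode

def roles_granting(export_text, tcode=TCODE):
    """Return sorted role names whose active S_TCODE values cover tcode."""
    roles = set()
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["OBJECT"] != "S_TCODE" or row["FIELD"] != "TCD":
            continue
        if row["DELETED"].strip():  # inactive authorization value, ignore
            continue
        if value_grants(row["LOW"], row["HIGH"], tcode):
            roles.add(row["AGR_NAME"])
    return sorted(roles)

if __name__ == "__main__":
    for role in roles_granting(SAMPLE_EXPORT):
        print(role)
```

Roles that grant the transaction only through `SA*`, `*` or a range are the ones a search for the literal value SA38 would miss.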

JesúsM
Discoverer
0 Kudos
Thank you, Sandra