3 weeks ago
hello everyone,
I am new to the community, I need help
we have sap basis 731 is in sp level 34, according to the note it should be upgraded to sp level 36 and that upgrade would disable the SA38 or remove the permission for SA38 in current sp level 34, is that correct?
has anyone of you already applied the correction? what is the option regarding the use of SA38 for sap administrators?
Solution
The correction disables the program execution of SA38 transaction.
Please implement the support package referenced in this SAP Security Note, or implement the respective correction instruction.
If you have further questions, refer to SAP Note 3550790.
Workaround
Please assess the workaround applicability for your SAP landscape prior to implementation.
Note that this workaround is a temporary fix and is not a permanent solution. SAP strongly recommends you apply the corrections outlined in the security note, which can be done in lieu of the workaround or after the workaround is implemented.
Do not grant permission to execute transaction SA38.
Request clarification before answering.
The note 3550790 - FAQ for SAP Security Note 3550708 - Information Disclosure vulnerability in SAP NetWeaver ... is only a Q&A about the note 3550708. Nowhere is said in the note 3550790 that SA38 is disabled. The most important information is that it explains why the security note 3550708 was disclosed: "Using report RSICFCLTST01 credentials can be retrieved".
Now, what contains the referred note 3550708 - [CVE-2025-0066] Information Disclosure vulnerability in SAP NetWeaver AS for ABAP and ABAP...?
So, no worry about SA38, it's still there.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.