
SAP cancels the Christmas Holidays this year: December Patch Day

SAP Patch Day: The Notes

Normally I am not much involved in the security area, but this December Patch Day goes far beyond the usual scale. 532 security notes were released by SAP on December 14th:

Priority                     Notes   Basis Notes
1 – Hot News                    14             7
2 – High Priority              439            77
3 – Medium Priority             70            29
4 – Low Priority                 9             6
6 – Additional Information      10             6

Luckily, there is an overview Note about this December Patch Day:

https://service.sap.com/sap/support/notes/1533030

The attachment in particular is very helpful for getting an overview of the most important security notes: Best_Practice_NW_Note_Impl_V1.pdf

What to do now?

Basically I see three alternatives for fixing the security holes:

Innovations 2010

The spotlight news suggests one possible solution:

The majority of fixes provided today can also be consumed through a technical upgrade to our new product release, SAP Business Suite 7 Innovations 2010. Only a handful of notes need to be added manually.

Too bad that SAP didn’t list these notes specifically; it would help a lot if you didn’t have to work out yourself which of these 532 security notes are not covered by the Innovations 2010 upgrade. Anyway, I believe very few SAP customers will consider implementing Innovations 2010 just for the security fixes.

Support Packages

There is also this other possible solution in the spotlight news:

The fixes will also be included in the Support Packages for SAP NetWeaver (available in December, 2010) and the Support Packages of SAP Business Suite applications (expected in the first quarter of 2011).

So the best way to implement the security fixes should be to apply the latest Support Package Stack. Unfortunately, these are currently only available for NetWeaver 7.00 (SPS 23) and NetWeaver 7.01 (SPS 8); for the SAP Business Suite you’ll have to wait until February or even March 2011.

Apart from that, you still need to check the security notes to see which ones need to be applied manually, and for which ones manual follow-up tasks are required even after the code fix is in place.

Manual Implementation

Now this is where the real fun starts. So far I haven’t read all the notes, even though I am limiting myself to the SAP Basis component. What I have understood so far is that simply implementing the notes via SNOTE is NOT enough. Often the code fix only enables a new feature, which then needs to be switched on in order to actually close the security gap. It looks like we need to compile an extensive list containing:

  • affected software components (AS ABAP, AS JAVA, middleware, database)
  • required SAP kernel patches
  • required database patches (e.g. for MaxDB)
  • preparation steps (to be done before code fix)
  • actual code fixes
  • follow-up tasks
  • referenced other SAP notes
  • last but not least: affected business processes which require testing

My estimation would be that the evaluation of the security notes will require more time than the actual implementation.
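One way to keep track of the point made above, that a note is not closed until its follow-up tasks are done, as an added example that is not part of the original post: a small Python triage over constructed note records (note ids, flags and SPS coverage are made-up placeholders, not real SAP data) that separates what the Support Package Stack closes outright from what still needs SNOTE, a kernel patch or a manual follow-up.

```python
"""Triage of security notes after a Patch Day (added example, not from the
original post). All records are constructed placeholders."""
from dataclasses import dataclass, field


@dataclass
class SecurityNote:
    number: str                 # placeholder note id (constructed)
    priority: int               # 1 = Hot News ... 4 = Low Priority
    in_sps: bool                # code fix is contained in the SPS
    snote_automatic: bool       # SNOTE can apply it without manual steps
    followup: list = field(default_factory=list)  # e.g. switch on a feature
    kernel_patch: bool = False  # needs a kernel patch besides the ABAP fix


def triage(notes, sps_applied):
    """Return work buckets, Hot News first. A note is 'done' only when its
    code fix is present AND no follow-up task or kernel patch is open."""
    work = {"done": [], "snote": [], "manual": [], "kernel": []}
    for n in sorted(notes, key=lambda x: x.priority):
        fix_present = sps_applied and n.in_sps
        if not fix_present:
            # Code fix still missing: SNOTE if automatic, else a manual job
            work["snote" if n.snote_automatic else "manual"].append(n.number)
        if n.kernel_patch:
            work["kernel"].append(n.number)
        if fix_present and not n.followup and not n.kernel_patch:
            work["done"].append(n.number)
        elif n.followup and n.number not in work["manual"]:
            # Fix present (or automatic) but the feature must still be enabled
            work["manual"].append(n.number)
    return work


# Constructed sample: a handful of notes of the kinds the list above names.
SAMPLE_NOTES = [
    SecurityNote("N-0001", 1, True, True),
    SecurityNote("N-0002", 2, True, True, ["activate new authority check"]),
    SecurityNote("N-0003", 2, False, True),
    SecurityNote("N-0004", 1, True, False, kernel_patch=True),
    SecurityNote("N-0005", 3, False, False, ["maintain profile parameter"]),
]

if __name__ == "__main__":
    for applied in (False, True):
        print("SPS applied:", applied, triage(SAMPLE_NOTES, applied))
```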

Conclusion

I know that every SAP system is unique, so SAP cannot simply compile a complete list for us admins. Nevertheless, any help from SAP would surely be greatly appreciated. For example, currently we cannot easily determine which of the SAP security notes relate to “cross-site scripting” attacks. If you are responsible for various system landscapes, the relevance checks alone will consume a lot of time. So this year we got a very special present for our Christmas Holidays.


      6 Comments
      Witalij Rudnicki
      ... and thank you for sharing this Patch Day information. I missed it, and the number of notes is just overwhelming.
      Former Member
      Hasn't this been communicated to the customers weeks or even months ago? If not, that would be very poor in my opinion.

      We are currently working on a critical project at a customer which requires a lot of the capacity of the technical basis guys responsible for the landscape. We planned GoLive for 18th January and it seems that we haven't got any capacity before that date.

      How are we ever gonna handle such an amount of notes?

      Former Member
      Blog Post Author
      This was the third SAP Security Patch Day, so at least one could expect some security patches to be released. I doubt that anyone outside of SAP was informed in advance about the sheer size of this December patch day.

      The good point might be that now most of the security holes were detected which can be detected by scanning the software. So hopefully, the next SAP Security Patch Days will have a normal extent again.

      IMHO the best way to deal with this amount of notes would be to implement the SPS (or EhP) and then scan the notes for what manual tasks still remain to be done. Multiply these efforts with the number of existing SAP landscapes and you'll get some impressive number.

      Former Member
      Depending on the system type, I would recommend to apply the Hotnews ones and those with an Automatic = 'X' flag on the service.sap.com/securitynotes page.

      For the remainder, even on 7.01 SP7, SNOTE will request several other dependent notes to be applied when applying just one security note - so going for an SP is about the same effort as doing it manually.

      The notes requiring a "correction instruction" were flagged on the old list in service.sap.com/securitynotes, but unfortunately the new list does not have this column 🙁

      Cheers, Julius

      Former Member
      I have searched the attachments referenced in both notes 1533030 and 1535142 and was surprised not to find any references to 1473881. Maybe because it's a part of FINBASIS rather than SAP_BASIS?
      Former Member
      This is because note 1473881 does not have a security tag - which automatically adds it to the list.

      It is a can of worms whether the functionality is still missing authority-checks or the user has excessive authorizations with insufficient skills.

      Had the UI been less user-friendly and the application been in BC-BASIS (like SE16 is, with the same functionality) then probably it would have "survived" for much longer...

      Cheers,
      Julius