SAP cancels the Christmas Holidays this year: December Patch Day
SAP Patch Day: The Notes
Normally I am not much involved in the security area, but this December Patch Day goes far beyond ordinary limits. 532 security notes were released by SAP on December 14th:
Priority | Notes | Basis Notes |
1 – Hot News | 14 | 7 |
2 – High Priority | 439 | 77 |
3 – Medium Priority | 70 | 29 |
4 – Low Priority | 9 | 6 |
6 – Additional Information | 10 | 6 |
Luckily, there is an overview Note about this December Patch Day:
https://service.sap.com/sap/support/notes/1533030
Especially the attachment is really helpful to get an overview of the most important security notes: Best_Practice_NW_Note_Impl_V1.pdf
What to do now?
Basically I see three different alternatives for fixing the security holes:
Innovations 2010
The spotlight news suggests one possible solution:
The majority of fixes provided today can also be consumed through a technical upgrade to our new product release, SAP Business Suite 7 Innovations 2010. Only a handful of notes need to be added manually.
Too bad that SAP didn’t list these notes specifically, because it would help a lot if you did not have to work out yourself which of these 532 security notes are not covered by the Innovations 2010 upgrade. Anyway, I believe only very few SAP customers will consider implementing Innovations 2010 just because of the security fixes.
Support Packages
There is also this other possible solution in the spotlight news:
The fixes will also be included in the Support Packages for SAP NetWeaver (available in December, 2010) and the Support Packages of SAP Business Suite applications (expected in the first quarter of 2011).
So the best way to implement the security fixes should be to apply the latest Support Package Stack. Unfortunately these are currently only available for NetWeaver 7.00 (SPS 23) and NetWeaver 7.01 (SPS 8); for the SAP Business Suite you’ll have to wait until February or even March 2011.
Apart from that you still need to check the security notes to see which ones need to be applied manually, or for which security notes some manual follow-up tasks are required.
Manual Implementation
Now this is where the real fun starts. So far I haven’t read all the notes, even though I am limiting myself to the SAP Basis component. What I have understood so far is that simply implementing the notes via SNOTE is NOT enough. Often the code fix only enables a new feature, which then needs to be switched on in order to close the security gap. It looks like we need to compile an extensive list containing:
- affected software components (AS ABAP, AS JAVA, middleware, database)
- required SAP kernel patches
- required database patches (e.g. for MaxDB)
- preparation steps (to be done before code fix)
- actual code fixes
- follow-up tasks
- referenced other SAP notes
- last but not least: affected business processes which require testing
My estimation would be that the evaluation of the security notes will require more time than the actual implementation.
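One way to keep track of that list is a small triage script like the following. It is an added example, not part of the original post or any SAP tool; the note numbers, components, flags and tasks are constructed placeholders. It applies the strategy above: assume the Support Package Stack is applied, then report which notes still need code fixes, kernel or database patches, manual preparation or follow-up steps, referenced notes and business processes to test.

```python
from dataclasses import dataclass, field

# Constructed sample data: note numbers, flags and tasks are made up, not real SAP notes.
@dataclass
class SecurityNote:
    number: str                 # placeholder note number, not a real SAP note
    priority: int               # 1 = Hot News, 2 = High, 3 = Medium, 4 = Low
    component: str              # affected software component
    in_sps: bool                # code fix is contained in the Support Package Stack
    kernel_patch: bool = False  # additionally needs an SAP kernel patch
    db_patch: bool = False      # additionally needs a database patch (e.g. MaxDB)
    pre_steps: list = field(default_factory=list)   # to do before the code fix
    post_steps: list = field(default_factory=list)  # follow-up, e.g. switch the check on
    references: list = field(default_factory=list)  # other SAP notes referenced
    processes: list = field(default_factory=list)   # business processes to test

SAMPLE_NOTES = [
    SecurityNote("9000001", 1, "AS ABAP", in_sps=True,
                 post_steps=["activate the new authority check"], processes=["order entry"]),
    SecurityNote("9000002", 2, "AS JAVA", in_sps=True),
    SecurityNote("9000003", 2, "AS ABAP", in_sps=False, kernel_patch=True,
                 references=["9000004"], processes=["RFC interfaces"]),
    SecurityNote("9000004", 3, "MaxDB", in_sps=False, db_patch=True,
                 pre_steps=["take a database backup"]),
]

def remaining_after_sps(notes):
    """Notes still needing attention once the SPS is applied: fix not in SPS, or SPS alone is not enough."""
    return [n for n in notes if not n.in_sps or n.kernel_patch or n.db_patch
            or n.pre_steps or n.post_steps]

def build_checklist(notes):
    """Group the remaining work into the categories listed in the post."""
    keys = ("code_fixes", "kernel_patches", "db_patches", "pre_steps",
            "post_steps", "references", "processes")
    plan = {k: [] for k in keys}
    for n in remaining_after_sps(notes):
        if not n.in_sps:
            plan["code_fixes"].append(n.number)
        if n.kernel_patch:
            plan["kernel_patches"].append(n.number)
        if n.db_patch:
            plan["db_patches"].append(n.number)
        plan["pre_steps"] += [(n.number, s) for s in n.pre_steps]
        plan["post_steps"] += [(n.number, s) for s in n.post_steps]
        plan["references"] += [r for r in n.references if r not in plan["references"]]
        plan["processes"] += [p for p in n.processes if p not in plan["processes"]]
    return plan
```

With the sample data, the note whose fix is fully contained in the SPS drops out, while the note that only needs its new check switched on stays on the list, which is exactly the case SNOTE alone does not cover.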
Conclusion
I know that every SAP system is unique, so SAP cannot simply compile a complete list for us admins. Nevertheless any help from SAP would surely be greatly appreciated. For example, currently we cannot easily determine which of the SAP security notes are related to the “cross-site scripting” attacks. If you are responsible for various system landscapes, the checks for relevance will consume a lot of time. So this year we got a very special present for our Christmas Holidays.
We are currently working on a critical project at a customer which requires a lot of the capacity of the technical basis guys responsible for the landscape. We planned GoLive for 18th January and it seems that we haven't got any capacity before that date.
How are we ever gonna handle such an amount of notes?
The good point might be that now most of the security holes were detected which can be detected by scanning the software. So hopefully, the next SAP Security Patch Days will have a normal extent again.
IMHO the best way to deal with this amount of notes would be to implement the SPS (or EhP) and then scan the notes for what manual tasks still remain to be done. Multiply these efforts with the number of existing SAP landscapes and you'll get some impressive number.
For the remainder, even on 7.01 SP7, SNOTE will request several other dependent notes to be applied when applying just one security note - so going for an SP is about the same effort as doing it manually.
The notes requiring a "correction instruction" were flagged on the old list in service.sap.com/securitynotes, but unfortunately the new list does not have this column 🙁
Cheers, Julius
It is a can of worms whether the functionality is still missing authority-checks or the user has excessive authorizations with insufficient skills.
Had the UI been less user-friendly and the application been in BC-BASIS (like SE16 is, with the same functionality) then probably it would have "survived" for much longer...
Cheers,
Julius