
1. Where do I find SAP Security Notes?
2. Where do I find an overview about security services including the management of security notes?
3. Where do I find information about the application “System Recommendations”?
4. Where do I find information about the application “Configuration Validation”? 
5. There are so many security notes which are relevant for my systems. How should I start implementing them?
6. What is the difference between the various lists of security notes?
7. There are quite different security notes. How should I start classifying them to optimize the implementation process?
8. What are the main steps which should be covered by a monthly security patch process?
9. I’m responsible for many ABAP based systems. How can I create a cross-system report on the results of the EarlyWatch Alert check shown by the tool RSECNOTE?
10. I’m responsible for many systems (ABAP and non-ABAP). How can I create a cross-system report on the results of the application System Recommendation?
11. Do I have to implement security notes for all components which are installed in a system even if I do not use any function from a component, e.g. FI notes in an HR system?
12. How to test the implementation of security notes?
13. How to find prerequisite notes which will be implemented prior to the implementation of an ABAP security note?
14. What should I do if I run into trouble while implementing a security note?
15. Can I use the same transport containing security note corrections for all systems?
16. Can I automatically implement security notes using the application System Recommendation? Is there any remote-implementation function within System Recommendations?
17. The security note forces me to modify repository objects manually (dictionary object, programs, messages, etc.) but this requires developer skills, a registration key and produces some trouble during the next support package upgrade. What should I do?
18. The page SMP at /securitynotes and the application System Recommendations show a different (earlier) date for notes than the report RSECNOTE. What is the meaning of these different dates?
19. Do I need special handling of “Update Security Notes”?
20. Do I need special handling to find security related SAP notes concerning the database (or other areas which are not directly related to ABAP or Java)?
21. How do I use the Note Assistant, transaction SNOTE, efficiently?
22. What should I do if RSECNOTE shows more notes than the application System Recommendation for a specific system?
23. What should I do if I cannot download a note into SNOTE?
24. How should I deal with security notes during a release or support package upgrade?
25. Security notes of software component ST-PI do not seem to show up in System Recommendations. How can I find them?
26. What is the future of the EWA Security Notes Subchapter?
27. Tips for filtering within System Recommendations in SolMan 7.1
28. SysRec requires an RFC destination to download notes to SNOTE
29. What is the difference between Patch Day Notes and Support Package Implementation Notes?
30. Required authorizations to use System Recommendations
31 a. How to send e-mails with results of System Recommendations via BW Broadcasting on SolMan 7.2
31 b. How to send e-mails with results of System Recommendations via reports on SolMan 7.2
32. How to download latest Java patches using System Recommendation
33. How to optimize results of System Recommendations about Kernel notes
34. How to run cross-system reporting on System Recommendations results on SolMan 7.1
35. System Recommendations does not show any usage procedure data (UPL)
36. How can I get additional information about recent security notes?
37. How to transport note implementation status for SNOTE for notes which cannot be implemented via SNOTE?
38. System Recommendations in SAP Solution Manager 7.2
39. SAP Note Enhancer: Syntax highlighting of ABAP Code Instructions
40. The 18-Month-Rule
41. When should I check for new Security Notes?
42. How-to find Security notes for Web Dispatchers?


Do not use RSECNOTE anymore – its content is outdated and incomplete – use System Recommendations!

 

1. Where do I find SAP Security Notes?

Landing Page SAP Security Notes

https://support.sap.com/securitynotes
→  Access Security Notes in the SAP ONE Launchpad
https://launchpad.support.sap.com/#/securitynotes
[This is a filtered list of Security Notes.]
→  All SAP Security Notes
[This is the complete list of all Security Notes.]

 

These pages show security notes published by SAP. To find security notes about other components like the operating system, the network or the database you should scan other sources like NIST, too.

On the Landing Page you can find another FAQ showing additional aspects on security notes.

2. Where do I find an overview about security services including the management of security notes?

A presentation about Security Patch Processes is available at the

Landing Page SAP Security Optimization Services Portfolio

https://support.sap.com/sos

→ “AGS Security Services – Security Patch Process” (Adobe PDF)

You can access the file via the Media Library as well. There you find the (old) documents “Arbeitspapier SAP Security Patch Day” (German) or “Working Paper SAP Security Patch Day” (English), too.

3. Where do I find information about the application “System Recommendations”?

Landing Page System Recommendations

https://support.sap.com/sysrec

 

4. Where do I find information about the application “Configuration Validation”? 

Overview
see http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

Reporting the results of System Recommendations using Configuration Validation
see http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Reporting_SysRec

How to use System Recommendations and Online Recommendations to create target systems containing SAP security notes
see http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Target_SysRec_OnlineRec


5. There are so many security notes which are relevant for my systems. How should I start implementing them?

Start with the very high and high priority notes shown by the application “System Recommendations”. You may concentrate first on notes that have automatic correction instructions for the Note Assistant, transaction SNOTE, only and no other manual instructions.

6. What is the difference between the various lists of security notes?

All security notes are published on the Support Portal. Different applications show different selections of security notes.

  • The page /securitynotes in the SAP ONE Launchpad shows notes according to the defined filter. We recommend using this option only if your systems are registered in the Service Marketplace, so that you get an automatic filter. The filter does not consider whether a note is already applied in the system.
  • The complete list of all SAP security notes is shown on the page /securitynotes → All SAP Security Notes in the SAP ONE Launchpad. Here you find all security notes for all SAP products, including ABAP, Java, TREX, HANA, SYBASE, SAPGUI, etc.
  • The application System Recommendations in the SAP Solution Manager shows those security notes which are relevant for a given system according to the installed software components, release, support package and patch level, and whether the note is already installed using the ABAP Note Assistant. You can produce a result for all systems which are registered in the SDN/LMDB of the SAP Solution Manager.

7. There are quite different security notes. How should I start classifying them to optimize the implementation process?

We suggest that you classify the notes into the following groups, each forming a separate work list for implementing security notes. Do not forget the 4th group.

  1. Implementation as part of a monthly standard patch process
    e.g. for ABAP Correction Instructions or ABAP software-like manual corrections
  2. Implementation as part of a project
    e.g. for notes about other components or other manual instructions
  3. Implementation as part of maintenance activities
    e.g. Support Package upgrade, Kernel upgrade, Java upgrade
  4. Implementation after maintenance activities
    e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite

8. What are the main steps which should be covered by a monthly security patch process?

We suggest running the following steps as part of a monthly security patch process:

  • At the end of the SAP Security Patch Day you can inspect the updated list of Security Notes on the page /securitynotes in the Launchpad or the Service Marketplace, respectively. Here you see the complete list of all Security Notes.
  • Use the application System Recommendations to check which of the Security Notes are relevant for the various systems of your system landscape. (Usually you have scheduled the check as a weekly background job.) You can create change requests directly from that tool.
  • Whichever source of information you use (we propose to use all of them), you will run a Risk Assessment concerning the criticality of the Security Note as well as concerning the risk of applying a change which might touch productively used business processes. As a result you decide which Security Notes should be applied as part of a monthly patch cycle and which will be part of the next maintenance cycle.
  • Using the application Configuration Validation you can create a report which checks which systems comply with your security policy. To do so, add all notes which should be installed to the target system definition of the Configuration Validation.
  • Within the current month you apply the selected Security Notes and you run regression tests (if necessary) to ensure productively used business processes are working properly.
  • As part of the next maintenance cycle you will update the Kernel, apply Java Patches and ABAP Support Packages. As part of this update you will get the corrections of the Security Notes, too. However, some of the Security Notes describe configuration changes which you can apply now as well. While working on the update it might be the case that you will get new Security Notes from newer Patch Days. You should include these if possible. Finally you run a complete test of your business processes.

9. deleted

 

10. I’m responsible for many systems (ABAP and non-ABAP). How can I create a cross-system report on the results of the application System Recommendation?

There are several options to produce a cross-system report:

  • Export the list shown by the application System Recommendations to Excel and combine the results from different systems. There are two different file formats for Excel: a) Using the Application Component View or the Software Component View and b) using the List View.
  • Use the code-exchange report ZSYSREC_NOTELIST to produce a cross-system report. This report simply shows the already existing results of System Recommendations in a list and offers a cross-system option to maintain the System Recommendations status. See the blog “Report ZSYSREC_NOTELIST – Show results of System Recommendation”.
  • As of SAP Solution Manager 7.10 SP 3 you can use the built-in BW reporting capabilities of the application System Recommendations
  • The SAP Solution Manager 7.2 shows a cross-system view on relevant Security Notes.

11. Do I have to implement security notes for all components which are installed in a system even if I do not use any function from a component, e.g. FI notes in an HR system?

Yes, if a software component exists in a system then it has to be fixed even if you do not use its functions. The reason for this is simple: an attacker might be able to misuse the security vulnerability. In the case of unused components you can implement the note using reduced tests, as you only need to test productively used business processes.

There is one exception: often you cannot implement notes for switched components like industry add-ons if the switch is not active. Omit such notes if they fail in transaction SNOTE. Usually you find a hint in the note describing that a switched component gets patched. Use transactions SFW3 and SFW5 to verify the status of switches.

Here’s the list of software components having candidates of such notes:
ECC-DIMP
FI-CA
FI-CAX
INSURANCE
IS-CWM
IS-H
IS-M
IS-OIL
IS-PS-CA
IS-UT

 

12. How to test the implementation of security notes?

You do not need to test if the security vulnerability is solved – this is the task of SAP – however, you should test if your productively used business processes are still working. Here are some (insufficient) tips:

  • Some notes describe that obsolete but critical functions get deactivated. In such a case you can implement the correction directly.
  • Some notes describe corrections about authorization checks. Have a close look at the correction instruction to identify the authorization object and decide whether you have to run tests for users who should or should not have authorizations for this authorization object.
  • Have a close look at the correction instruction to identify the report, program, function etc. which gets touched by the correction.
  • As of SAP Solution Manager 7.10 SP 5 you can use the integration between the application System Recommendations and the Business Process Change Analyzer (BPCA) to identify business process steps which might be affected by a note.
  • If the implementation of the security patch is part of a Kernel update, a Java patch or an ABAP Support Package maintenance activity, then you do not need special test procedures because of the security patch, as you are going to test everything anyway.
  • For ABAP notes containing automatic ABAP correction instructions you have the additional option for individual implementation which might lead to an individual test.
  • As the text of the note usually does not contain anything about the business risk of implementing the note or about recommended test procedures, it’s up to you to prepare required tests.

Further recommendations to analyse the business risk of implementing security notes:

1. Have a look at the application component.

  • Does it belong to the basis, a framework used by applications or an application itself?
  • Do you use this application productively in business or only by basis team or not at all?

2. It’s very valuable to have a close look at the automatic ABAP correction instruction because here you see what gets changed:

  • Which objects get touched (you can get this information in the System Recommendations tool as well)?
  • Is it a small or a large change?
  • Is it just about deactivation of obsolete but critical code of the whole function or a part of it?
  • Are there any new authority checks (-> note the authorization object) or calls to function FILE_VALIDATE_NAME (-> note the logical file name)?
  • Is the change related to the normal flow of the program or is it about exceptional cases?

3. Run a test implementation using the Note Assistant, transaction SNOTE, to get the list of truly required prerequisite notes (but do not apply the note yet).

  • Do you have to apply prerequisite notes (which might contain other functional changes)?

Best practice reported by customers:

1. Reduce or omit testing if

  • the change is related to applications which you do not use
  • the change just deactivates obsolete but critical code
  • the change is very small, has no prerequisites and does not touch the normal flow of the program
  • the change affects only the basis team and has no influence on business
  • the change has no manual steps

2. Increase analysis and testing effort if item 1 does not apply, mainly because

  • the change is complex, has prerequisites or manual steps
  • the change touches the normal program flow of used business functions within applications which are important for business
  • anything else

13. How to find prerequisite notes which will be implemented prior to the implementation of an ABAP security note?

You have to start the process of implementing a note using the SAP Note Assistant to get detailed information about prerequisite notes. Have a close look at these prerequisite notes to find additional manual correction instructions which are mandatory.

 

14. What should I do if I run into trouble while implementing a security note?

Please create a support ticket on the component of the note.

 

15. Can I use the same transport containing security note corrections for all systems?

No, you have to implement every security note independently in every DEV-TST-PRD transport landscape.

 

16. Can I automatically implement security notes using the application System Recommendation? Is there any remote-implementation function within System Recommendations?

No, you have to implement every security note manually in every DEV-TST-PRD transport landscape. If you are responsible for many DEV systems then you have to implement notes several times.

As of SolMan 7.1 SP 5 you can ease the first step of the implementation, as it’s now possible to select notes in System Recommendations and download them automatically into the Note Assistant of a DEV system.

17. The security note forces me to modify repository objects manually (dictionary object, programs, messages, etc.) but this requires developer skills, a registration key and produces some trouble during the next support package upgrade. What should I do?

[I’ve no good answer yet. At least I always would omit the modification of messages – then you would get just the message number but not a text; however, I believe that’s better than modifying repository objects.]

 

18. deleted

 

19. Do I need special handling of “Update Security Notes”?

Update notes describe or contain extensions or corrections to original notes. Depending on the type of the note you can optimize the handling of these notes – especially if you are using the application System Recommendations, as this tool automatically considers changed original notes:

  • If the update note describes that an original note was extended or updated you can ignore the update note as the application System Recommendations will show the original note again.
    Usually such update notes are marked as “SP independent” in the application System Recommendations. Switch to the software component view to see this classification.
  • If the update note contains the extension or correction, then you can treat such an update note like any other note: implement it according to your security patch policy. System Recommendations will show the note as “SP specific” if it’s relevant for the system.

20. Do I need special handling to find security related SAP notes concerning the database (or other areas which are not directly related to ABAP or Java)?

Most security related notes about databases (except for HANA) are not classified as “Security Notes”.

You have to find such security related notes via other channels.

Let’s have a look at an example: if you search at https://support.sap.com/notes for notes containing the term “CVE” within the application component BC-DB-ORA, then you’ll find some security related notes for the database (1753297, 1714255, 1714667) which are not SAP Security Notes listed at https://support.sap.com/securitynotes. Using the search term “security” you find more notes, e.g. 1710997, 157499, showing important information about security aspects of the database. Therefore you should keep on looking at https://support.sap.com/notes and you should not forget to scan other sources like NIST to find security notes about the operating system, network components or the database etc.

Central notes for Oracle:

  • Note 1868094 – Overview: Oracle Security SAP Notes (updated on 03.12.2013)
    This note lists ~60 security related notes
  • Note 850306 – Critical Patch Update Program (updated on 25.11.2014)
    This note lists ~30 critical patch notes

Other sources about secure configuration of Oracle databases:

21. How do I use the Note Assistant, transaction SNOTE, efficiently?

Preparation:

Get the latest version of the Note Assistant (see http://support.sap.com/note-assistant ) and watch out for correction notes about the Note Assistant which belong to the application component BC-UPG-NA.

Tip: You can use the application System Recommendations to search for correction notes of this component as well.

Step 1: Create Worklist

Use the application System Recommendations to produce the worklist, e.g. using the user-status filter and the export-to-Excel feature. Finally put a list of notes into the clipboard.

Step 2: Download Notes

Call transaction SNOTE -> Download SAP Note (Ctrl+F8) or submit report SCWN_NOTE_DOWNLOAD
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and start the download

Step 3: Install Notes

Call transaction SNOTE -> SAP Note Browser (Ctrl+F9) or submit report SCWN_NOTE_BROWSER
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and save the selection as a report variant
Start the implementation

 

22. deleted

 

23. What should I do if I cannot download a note into SNOTE?

Sometimes you run into trouble while downloading large notes in transaction SNOTE, like for the security note 1826162 from July 2013. (In addition this note requires another large note 1674132, too.)

In such a case use the download basket to get the note:

  1. Show the note on SMP, e.g. https://service.sap.com/sap/support/notes/1826162
  2. Use the button “Download Corrections”. You get a new window showing a log.
  3. Repeat 1. and 2. for more notes, e.g. note 1826162 requires the other note 1674132
  4. Use the button “Download Basket” on the log window to show your basket
  5. Click on every link for the selected notes to download the file via the internet browser (You could try to use the SAP Download Manager, however, this might not work as it uses the same interface like SNOTE.)
  6. Un-zip the archive files which you have downloaded
  7. In transaction SNOTE use the menu path Goto->Upload note to load the note(s) one by one – or use report ZSCWN_NOTES_UPLOAD to load multiple note files
  8. Implement the note as usual

Another advantage is that you can use the same files for uploading notes into several development systems without downloading them again and again.

24. How should I deal with security notes during a release or support package upgrade?

As part of any upgrade you should get information about required Security Notes.

SAP recommends to use

running the technical release or support package upgrade to get the list of required security notes.

In general I do not recommend to select notes by date because even old notes can be relevant. (Use a selection for the date only if you want to see new notes e.g. of the most recent patch day.)

However, you will see the following typical result using the list view in System Recommendations after implementing the latest support package (which is some weeks or even months old concerning SAP development closing):

a) There are few new security notes having automatic correction instructions

b) There are one hundred or more old security notes without automatic correction instructions which still show up in System Recommendations.
Obviously you should implement notes of group a) at once, as it’s much cheaper to include them as long as you haven’t started application testing than to implement them later.

Notes of group b) are more difficult: first you have to decide if they are in fact still relevant – it might be the case that they are not relevant any more, but System Recommendations simply cannot judge this. Therefore I would agree if you work through this list from new to old, skipping the very old ones.

25. Security notes of software component ST-PI do not seem to show up in System Recommendations. How can I find them?

The application System Recommendations checks all notes for whether they are relevant for a technical system which is registered in the SAP Solution Manager(*). However, the tool relies on the completeness of the meta data within the notes (validity ranges of the note, assigned support packages, validity of correction instructions).

Notes about software component ST-PI tend to have incomplete meta data (because of some limitations in the correction workbench used at SAP) but describe the complete validity range in the text – which cannot be interpreted by System Recommendations. Example: “Apply Support Package ST-PI 2008_1_* SP08.” The “*” indicates that all releases are affected.

To cover such notes you should inspect the page https://support.sap.com/securitynotes and search for notes of application component SV-SMG-SDD (which is related to software component ST-PI). Currently, November 2013, you would find 17 notes this way.

(*) This means as well, that security notes which refer to software which is not part of a technical system cannot be shown by System Recommendations (SAPGUI, database, …).

 

26. deleted

 

27. Tips for filtering within System Recommendations in SolMan 7.1

Before being able to use the filter you need to switch it on. See the Filter button on the far right of the table.

(By the way: Using the Setting button you can change the layout of columns, choose sorting and filtering etc. and you can store these settings.)

The filter for notes requires leading zeros, but it’s easier to use a pattern: *1234

The filter for priorities always requires a condition that covers trailing spaces:

HotNews: 1*
High: 2*
HotNews and High: 1*;2* or <3
Medium and Low: 3*;4* or >3 (yes, that’s correct as there are trailing spaces)

The filters for automatic and manual correction instructions use X or ‘ ‘ (space), respectively.

Use a pattern to filter Release Independent Notes: e.g. *indep* (the default settings as described above define filters as case insensitive)

Disclaimer: I do not know the complete truth about filtering in WebDynpro ABAP. This tip simply describes what I’ve figured out so far.

 

28. SysRec requires an RFC destination to download notes to SNOTE

Using System Recommendations you can download selected notes directly into the Note Assistant, transaction SNOTE, of a managed ABAP system.

Prerequisites:

  • You view the results of a development system (but not of a production system)
  • The Solution Manager is able to use an RFC destination pointing to the managed system which allows downloading notes.

By default, System Recommendations tries to use the Trusted-RFC-Destination which was defined during Managed System Setup. However, you can override this selection using customizing settings as described in note 1796439 – SysRec: Download SAP Notes via desired RFC destinations:

To maintain Service Desk Customizing use transaction DNO_CUST04 (or call transaction SM30 for table DNOC_USERCFG).

System Recommendations uses following keys:

SYSREC_RFC_TYPE

Short text: Type of default RFC destination (TRUSTED, CUST_LOGIN, …)

SysRec searches the list of RFC destinations defined during managed system setup to find a destination which matches this type. Useful values are TRUSTED (default) or CUST_LOGIN.

SYSREC_RFC_<SID>

Short text: Specific RFC destination

SysRec uses this destination to connect to the managed system.

SYSREC_CLIENT_<SID>

Short text: Default client

Tip: Even if the customizing table allows user-specific entries, we recommend creating user-independent entries only.

29. What is the difference between Patch Day Notes and Support Package Implementation Notes?

See the announcement from July 8, 2013:

SAP delivers important security fixes on its monthly Security Patch Day. SAP strongly recommends its customers to implement security fixes, flagged with priority 1 and priority 2, primarily fixing externally reported issues. The fixes are released on the second Tuesday of every month, and can be used to fix a particular vulnerability without needing to update a system to service packs.

In order to further reduce the implementation efforts for our customers, other security fixes like priority 3 and 4 will generally be delivered with support packages. SAP strongly recommends its customers to apply Support Packages on their systems as soon as a support pack is available. The Support Packages can be found on SAP Service Marketplace in the corresponding product area. Information about these improvements will also be published in security notes with priority 3 and 4 some months after Support Packages have been released.

Patch Day Notes

  • SAP Security Notes published on and for Security Patch Day
  • Contain important security corrections
  • Very often address security issues reported from external sources
  • Have CVSS scoring in most cases

Support Package Implementation Notes (SPIN)

  • Typically address security issues of minor impact found internally at SAP
  • Should not be published in the first place but just be contained in future Support Packages
  • But had to be published outside Support Packages and outside the Patch Day schedule because of some customer production issue whose solution requires implementing the note first
  • Might be published on Patch Day dates as well

From mid of March 2014 until Summer 2016 you were able to select Patch Day Notes and Support Package Implementation Notes separately on SAP Service Marketplace.
Now you cannot see this classification anymore on the SAP ONE Launchpad.

Finally, let’s have a look at the customer’s point of view:

Are Support Package Implementation Notes really different … as soon as they are published?

-> Well, the bad guys can read these notes as well and develop exploits based on the ABAP correction instruction; therefore, use CVSS, priority and your own risk assessment to judge notes, but don’t use the type as a major differentiator.

30. Required authorizations to use System Recommendations

First of all you need access to Work Center “Change Management” (if you don’t use the corresponding WebDynpro application directly).

To control access to System Recommendations, the authorization object SM_FUNCS in SAP Solution Manager 7.1 (or SM_TABS in SAP Solution Manager 7.0) can be used to grant or deny access to the different tabs of System Recommendations. Use the fields ACTVT=03, SM_APPL=SYSTEM_REC, SM_FUNC=tab (i.e. SECURITY).

You can restrict access to the systems of specific solutions using the authorization object D_SOL_VSBL with SOLUTION=solution id and ACTVT=03.

Depending on the version of the Solution Manager, authorization object AI_LMDB_PS with ACTVT=03 and LMDB_NAMES=ACTIVE and PS_NAME=system id controls access to individual systems as well. These authorization objects are the minimal set which you need to execute the WebDynpro application directly.

See chapter 16.6 “System Recommendations” and 13.14.2 “User Roles for Solutions, Projects, Solution Directory” in the documentation -> Operations -> Security Guide SAP Solution Manager 7.1 SP14.

By the way:

  • Tracing for authorizations using transaction STAUTHTRACE shows many more authorization objects, which get checked e.g. to verify if you can use the CharM integration etc. Most of them are optional concerning the basic view within System Recommendations.
  • This Wiki shows an overview about authorization objects used in different scenarios of the SAP Solution Manager.

31 a. How to send e-mails with results of System Recommendations via BW Broadcasting on SolMan 7.1

In SAP Solution Manager 7.2 this function is not supported anymore, as the broadcaster 3.x is not supported for BW 7.4 and higher.

See Note 2044155 – BEx Broadcaster 3.x is no longer supported

Prerequisites

You are using SAP Solution Manager 7.1.

To send reports by e-mail, you use the standard functions for BW Web Templates, which require only that your BW system (= Solution Manager) is connected to your e-mail communication.

More information:

You need note 1880710 “3.X Broadcaster sends empty document” (pilot release) of component BW-BEX-ET-BC if your Solution Manager runs with SAP_BW 702 SP 10-14 to be able to enter lower case selections e.g. for area = “Security”.

Configuration

  • Call the BW report that you want to send by e-mail, and choose the desired settings for the time interval and the systems to be displayed. Create a Bookmark URL which you later can add to the e-mail text.
  • Ensure that you call the reports with the user under whose name the e-mails are to be sent. Ensure that this user has a working e-mail address in his or her user data (transaction SU01).
  • Right-click any active area of the BW report to display the context menu, switch to the Extended Menu and choose Distribute -> By E-Mail.
  • A new screen now appears, on which you can make settings for the sending of the e-mail. If you have not yet created appropriate settings, choose Create New Setting. Either create the settings manually or using the wizard.
  • You can define the title and text of the e-mail here, and to whom it is to be sent:
    • In the Description input field, enter a meaningful description of the settings.
    • If you want to send the report directly as part of the e-mail, and it is to be displayed directly in the e-mail, choose the Output Format MHTML.
    • You can select recipients using their user names in the system or their e-mail addresses. You can also define the recipient list using roles. Separate multiple recipients with semicolons.
    • On the Texts tab page, you define the title and text of the e-mail. Note that the e-mails only contain the BW Report itself, that is, they do not contain the selection elements (report name, time interval, and system ID). Create an e-mail text so that the report can be understood without this information.
    • If, in addition to viewing the sent BW report, the recipient should be able to directly access the BW report interactively, insert the relevant Bookmark-URL in the contents of the e-mail.
    • Leave the data on the General Precalculation and Filter Navigation tab pages unchanged.
  • Choose Save, and specify a technical name for the settings.

Options for Sending

If you only want to send this report once immediately, choose Execute; however, it is more likely that you will want to send the report automatically at regular intervals. In this case, choose the Schedule button.

You define the scheduling on a new screen. To create a new periodic schedule, activate the two indicators Create New Scheduling and Periodic…. Now select the desired period and the next start time.

Choose the Transfer button, and save your changes. You have now completed the scheduling. The desired recipients will now regularly receive the desired reports.

Credits for this part go to the blog IT Performance Reports in Your Inbox – Stay Informed Any Time, Anywhere, which I used to compile the text.

31 b. How to send e-mails with results of System Recommendations via reports on SolMan 7.2

As of SolMan 7.2 SP 3 you can send results from Configuration Validation and from System Recommendations via e-mail using new reports which you can schedule as background jobs:

  • Configuration Validation: DIAGCV_SEND_CONFIG_VALIDATION
  • System Recommendation: DIAGCV_SEND_SYSREC

See Note 2427770 – Configuration Validation: Sending compliance results via email

On SolMan 7.2 SP 3-4 you have to install note 2401878 after installing note 2427770.

Example for report DIAGCV_SEND_SYSREC

Selection Screen:

Result:

32. How to download latest Java patches using System Recommendation

KBA Note 2041071 shows how to download latest Java patches using System Recommendation.

33. How to optimize results of System Recommendations about Kernel notes

Starting from Solution Manager 7.1 SP 5 the kernel information for the managed system has to be synchronized into LMDB in order for System Recommendation to filter out non-relevant Kernel notes.

According to KBA Note 2023342 perform the following steps:

  1. Refer to notes 1717846 and 1018839 for kernel registration (Krnlreg for all technical instances) in SLD.
  2. Ensure that synchronization between SLD and LMDB is carried out so the kernel info of the managed system is synchronized into LMDB.
  3. Check the software component list of the managed system in transaction LMDB and ensure that the kernel information is listed showing release and patch level.

34. How to run cross-system reporting on System Recommendations results on SolMan 7.1

The SAP Solution Manager offers cross-system BW reporting showing results from System Recommendations. You do not need any specific preparation like activating BW content, as a virtual data provider is used which is available out of the box.

  1. Execute cross-system BW reporting via System Recommendations
    • Show System Recommendations for a system and use the link “System Recommendations Reporting” on top of the results
    • The BW query is executed with default selections (which is usually not what you want):
      • All systems of the solution are selected
      • Data from all areas (Security, HotNews, Legal Change, Performance) is selected
    • You can change the selection afterwards within the BW report via “Right click -> Enhanced menu -> Variables Entry” on any active element
  2. Execute cross-system BW reporting via Configuration Validation (offering the selection screen first)
    • Start the application Configuration Validation via the same Work Center “Change Management” (you find the link at the bottom of the left navigation pane)
    • Choose tab “Report Execution -> Reporting Templates”
    • Choose tab “Configuration reporting”
    • Optional: Select a system list for comparison (if you have defined one)
    • Select configuration report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES “System recommendation reporting (missing SAP Notes calculated from system recommendations)”
    • Finally enter selections about systems, area (Security, HotNews, Legal Change, Performance), notes (as of SolMan 7.1 SP 9 there is a quite useful checkbox “Allow to paste note numbers”) or date ranges
  3. Execute cross-system BW reporting via URL
    • Construct a URL which shows the selection screen of the query:
      http(s)://<server>:<port>/sap/bw/BEx?QUERY=0SMD_VCA2_SYS_RECOM_NOTES&CMD=PROCESS_VARIABLES&VARIABLE_SCREEN=X
    • Execute this URL or store it as a favorite in your browser
  4. … or use classical SAPGUI-ALV reporting via customer report ZSYSREC_NOTELIST

35. System Recommendations does not show any usage procedure data (UPL)

SysRec can show usage procedure data as of SolMan 7.1 SP 10 on the popup which shows the object list of selected notes. (As of SolMan 7.1 SP 12 it’s much easier to switch on UPL.)

You can use this information to decide about the required test effort, e.g. based on rules like these:

  • If the usage count is zero in production systems you can assume that the note corrects unused code which might allow you to skip explicit testing.
  • If the usage count is quite high in test systems you can assume that the corrections will be tested implicitly if the correction stays there for a while. Again, you might skip explicit testing.

While preparing demo environments to show UPL data I had observed some obstacles.

If you do not see the additional column in System Recommendations -> Object List or if you get zero results only:

  • Check if UPL is active in managed system:
    • Report /SDF/UPL_CONTROL should show an active status.
    • Report /SDF/SHOW_UPL should show some data (run it for a previous day to get results faster).
  • Check if SolMan gets usage data:
    • BW query 0SM_UPL_DATE_RANGE_BPCA or 0SM_CCL_UPL_MONTH should show some data.
      Keep in mind that it takes some time (up to 2 days) to replicate usage data into these queries.
  • Check if SysRec can retrieve the object list of notes:
    • Update from 2.12.2014: On SolMan 7.1 up to SP 12 you need to implement note 2099728 first.
    • The application log AGS_SR of SysRec in transaction SLG1 should not show error “Assigned S user and RFC user of destination are incompatible”.
      Ensure that there exists a valid entry in transaction AISUSER which connects your user to a valid S-user (see KBA note 1794131).

If you cannot solve the issue by yourself then raise a ticket:

  • If UPL is not working as expected ask for advice via application component SV-SMG-CCM-CDM
  • If SysRec does not show existing usage data, create a ticket on application component SV-SMG-SR
  • If report ZSYSREC_NOTELIST does not show existing usage data, send me a mail or comment on the blog

36. How can I get additional information about recent security notes?

Frank Buchholz from SAP Active Global Support, Security Services, runs regular webinars in different time zones and in English and German about recent security notes and presents tips about using tools like System Recommendations efficiently.

You can find the presentation of this regular webinar on the Service Marketplace as well: SAP Security Notes Webinar (pdf).

Hosted by ASUG Security SIG:

“Join the SAP Security Expert, Frank Buchholz, SAP Active Global Support for a monthly webcast series detailing “What’s new about SAP Security Patching”. This interactive series will be held on the third Wednesday of the month at 12:00 p.m. ET. Mark your calendars and consider joining us for an on-going conversation about SAP Security.”

Hosted by DSAG AG SAP Security Notes:

“We would like to invite you to our regular webinar, in which selected SAP Security Notes are discussed that may cause difficulties during implementation or whose affected components or impact are not easy to assess.

The webinar takes place roughly every 2-3 months, usually on Wednesday from 14:00 to 15:00.

The following topics are planned:

– Tips and tricks for interpreting and implementing selected security notes of the last 2-3 months

– Questions to the experts”

Hosted by SAUG (SAP Australia User Group):

Regular, monthly webinar, given usually on Thursday 5:00 pm Sydney time.

37. How to transport note implementation status for SNOTE for notes which cannot be implemented via SNOTE?

Let’s assume you want to transport the note implementation status for all ABAP notes to the production system. That’s easy for notes having automatic correction instructions only, but what if a note just contains a description or a manual instruction, e.g. to maintain customizing, profile parameters or authorization roles?

Well, if you set the processing status manually in transaction SNOTE you get no transport order. However, you can create the transport manually:

Preparation: Ensure that note 1788379 is installed in the system.

1. Load note into transaction SNOTE. You observe that you cannot implement a note if there is no automatic correction instruction.

2. Set the processing status manually to “completed”. (This is different from the implementation status of SNOTE, which remains at the value “Cannot be implemented”.)

3. Run report SCWN_TRANSPORT_NOTES to add notes to an existing or new transport. You can use this report if the note contains some correction instructions.

Manual transport (for notes without correction instructions): create a workbench transport or a transport of copies and add the transport keys manually (including leading zeros). Example:

    R3TR  NOTE  0001584548
    R3TR  NOTE  0001628606
    R3TR  NOTE  0001631072
    etc.

4. Export the transport and import it into the target system.

You will see the following in the transport log (table CWBNTCUST contains the processing status in field NTSTATUS and the implementation status in field PRSTATUS):

    Start export R3TRNOTE0001584548 …
    1 entry from TADIR exported (R3TRNOTE0001584548                              ).
    3 entries from CWBNTCI exported (0001584548*).
    0 entries from CWBNTCONT exported (0001584548*).
    1 entry from CWBNTCUST exported (0001584548*).
    3 entries from CWBNTDATA exported (NT0001584548*).
    […]
    End of export R3TRNOTE0001584548

5. Run the note browser of SNOTE, report SCWN_NOTE_BROWSER, and validate the processing status.

6. With the next run of SysRec’s background job the note will vanish from the result list. System Recommendations does not use the processing status which you have set in SNOTE manually; it only considers the implementation status E = “Completely implemented”.
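As an added example (not part of the original post), the following Python builds the zero-padded transport keys for a list of notes and checks a transport export log of the kind shown above for notes whose CWBNTCUST row, which carries the processing status, was not exported. The sample log is constructed from the page's log format; the second note number in it is a placeholder.

```python
from __future__ import annotations

import re

# Constructed sample log in the format of the transport log shown above.
# 0001584548 is the note from the page; 0009999999 is a placeholder whose
# status row (CWBNTCUST) was NOT exported, to show the failure case.
SAMPLE_LOG = """\
    Start export R3TRNOTE0001584548 ...
    1 entry from TADIR exported (R3TRNOTE0001584548                              ).
    3 entries from CWBNTCI exported (0001584548*).
    0 entries from CWBNTCONT exported (0001584548*).
    1 entry from CWBNTCUST exported (0001584548*).
    3 entries from CWBNTDATA exported (NT0001584548*).
    End of export R3TRNOTE0001584548
    Start export R3TRNOTE0009999999 ...
    1 entry from TADIR exported (R3TRNOTE0009999999                              ).
    0 entries from CWBNTCUST exported (0009999999*).
    End of export R3TRNOTE0009999999
"""

# Log line patterns: note block start/end and the per-table row counts.
_START_RE = re.compile(r"^\s*Start export R3TRNOTE(\d{10})")
_COUNT_RE = re.compile(r"^\s*(\d+) entr(?:y|ies) from (\w+) exported")
_END_RE = re.compile(r"^\s*End of export R3TRNOTE(\d{10})")


def transport_key(note) -> str:
    """Transport object key (PGMID, OBJECT, OBJ_NAME) for an SAP Note.

    The object name is the note number padded with leading zeros to 10 digits,
    e.g. 1584548 -> 'R3TR NOTE 0001584548'.
    """
    number = str(note).strip()
    if not number.isdigit() or len(number) > 10:
        raise ValueError(f"invalid SAP Note number: {note!r}")
    return f"R3TR NOTE {number.zfill(10)}"


def parse_export_log(log: str) -> dict[str, dict[str, int]]:
    """Map each exported note (10-digit string) to its per-table row counts."""
    counts: dict[str, dict[str, int]] = {}
    current = None
    for line in log.splitlines():
        if m := _START_RE.match(line):
            current = m.group(1)
            counts[current] = {}
        elif m := _COUNT_RE.match(line):
            if current is None:
                raise ValueError(f"count line outside a note block: {line!r}")
            counts[current][m.group(2)] = int(m.group(1))
        elif m := _END_RE.match(line):
            if m.group(1) != current:
                raise ValueError(f"unexpected end marker for note {m.group(1)}")
            current = None
    return counts


def check_export(notes, log: str) -> list[str]:
    """Findings for a transport: notes absent from the log, and notes whose
    processing status (table CWBNTCUST) did not make it into the export."""
    counts = parse_export_log(log)
    findings = []
    for note in notes:
        number = transport_key(note)[-10:]
        tables = counts.get(number)
        if tables is None:
            findings.append(f"{number}: not found in export log")
        elif tables.get("CWBNTCUST", 0) == 0:
            findings.append(f"{number}: processing status (CWBNTCUST) not exported")
    return findings


if __name__ == "__main__":
    for key in (transport_key(n) for n in (1584548, 1628606, 1631072)):
        print(key)
    for finding in check_export([1584548, 9999999, 1628606], SAMPLE_LOG):
        print("WARNING", finding)
```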

38. System Recommendations in SAP Solution Manager 7.2

Here is the overview about the main improvements of SysRec in the upcoming release SAP Solution Manager 7.2:

  • User Interface based on Fiori
  • You can store individual views with selections as Fiori tiles
  • Cross-system view and cross-system status and comment management
  • Customizing for status values, i.e. to create different work lists for implementation
  • Status with history and cumulative comments
  • Hide Application Components which do not match the DB or OS installations in use
  • General Customizing and Personalization

You find an overview about the new features at

https://support.sap.com/sysrec

Usage, configuration and customizing of System Recommendations in SAP Solution Manager 7.2

39. SAP Note Enhancer: Syntax highlighting of ABAP Code Instructions

The Google Chrome extension (or Firefox user script) “SAP Note Enhancer” enhances the visualization of correction instructions of notes when viewed in the SAP Marketplace or in the Launchpad.

The ABAP portions of the correction instructions are highlighted and the background of insertions and deletions is shown in different colors.

This makes it easier to understand the involved code changes.

See the blog of the developer:

http://scn.sap.com/community/abap/blog/2015/06/28/chrome-extension-to-highlight-abap-correction-instructions-in-sap-notes

Get it here:

https://chrome.google.com/webstore/detail/sap-note-enhancer/keibkcomemkcceddcddjdlncidohgedk

 

40. The 18-Month-Rule

SAP provides security corrections for all product releases which are in maintenance according to the Product Availability Matrix (PAM).

These security corrections are always part of “Support Packages” (or “Revisions” for HANA).

SAP also produces Security Notes including “Correction Instructions” (in case of ABAP) or “Patches” (in case of Kernel, Java, or HANA). The overall validity range for corrections in such Security Notes is defined by the so-called “18-month rule”, introduced together with the SAP Security Patch Day in September 2010:

Regular SAP Security Patch Day Launched – 13.09.2010
https://service.sap.com/~sapdownload/011000358700000968302010E/news-patchday.htm
[…]
On the SAP Security Patch Day, we will provide the fixes in form of notes on SAP Service Marketplace. Security fixes for SAP NetWeaver based products are also delivered with the support packages for these products. For all notes with high or very high priority we provide this service for the support packages from the last 18 months.
[…]

On the other hand, there is a general 12-month rule as well:

https://support.sap.com/sp-stacks
[…]
SAP recommends regular application of these SP Stacks at least once a year so that all corrections can be implemented. To optimize quality, we ask customers to heed the minimum requirements, and apply the Support Packages and patches specified in the SP Stack together.
[…]

Security corrections are created just like other corrections, therefore, this rule is in operation for Security Notes as well.

Limitation: Corrections for internally found security vulnerabilities with medium or low criticality may only be part of support packages or revisions and may not have a published security note. You have to upgrade the support package or revision to get these corrections.

Conclusion:

Correction Instructions or Patches are not necessarily created for support packages or revisions which are older than 18 months. You have to upgrade the support package or revision to get these corrections.

ABAP:

Usually it is easy for the developer of an ABAP correction to provide correction instructions for all / most support packages for all active releases without any additional work. Therefore you can observe that most security notes for ABAP contain valid correction instructions for old support packages, too. However, if this is not possible due to technical limitations then the developer can restrict the validity of the correction instruction to newer support packages only.

Kernel:

For the Kernel, we create patches for the releases which are in maintenance. If a security note does not offer a patch for the Kernel release of your system, then you need to upgrade the Kernel release. (All releases up to and including 7.20 are out of maintenance.)

See

SAP Kernel: Important News
http://scn.sap.com/docs/DOC-53415

Note 1975687 – SAP Kernel 7.21 (EXT) replaces SAP Kernel 7.20 (EXT) as standard kernel in Q1/2015

Note 787302 – Maintenance for SAP kernels seems to end too soon

Java:

For Java, we create patches for the last 2-3 support packages per release according to the 18-month rule. If a security note that matches an installed software component release does not offer a patch for the support package of your system, then you need to upgrade the support package.

HANA:

You need to update the revision. As of SPS 12 there exist maintenance revisions in addition to full release revisions.

Note 2021789 – SAP HANA revision and maintenance strategy

41. When should I check for new Security Notes?

The Patch Day is the 2nd Tuesday of every month. Nowadays the publication of new security notes which are part of a Patch Day is triggered automatically on that Tuesday right after midnight CET.

You can schedule the background job SM:SYSTEM RECOMMENDATIONS of application System Recommendation accordingly.

Exceptions:

  • Security Notes with very high priority like HotNews can be published on any date.
  • Security Notes with low or medium priority (aka Support Package Implementation Notes) can be published on any date, e.g. if they are a prerequisite to implement other correction notes.
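As an added example (not part of the original post), the following Python computes the Patch Day dates and the expected publication instant described above, so that the SM:SYSTEM RECOMMENDATIONS job can be scheduled after it in the administrator's own time zone. It assumes CET as a fixed UTC+1 offset (as the text says “CET”; no daylight-saving handling) and the scheduling margin is an assumption of the example.

```python
from datetime import date, datetime, time, timedelta, timezone

# The text states that Patch Day notes are published "right after midnight in
# CET". CET is modelled as a fixed UTC+1 offset (assumption: no DST handling,
# so in summer the real local clock is one hour ahead of this; use a margin).
CET = timezone(timedelta(hours=1), name="CET")
TUESDAY = 1  # date.weekday(): Monday == 0, Tuesday == 1


def second_tuesday(year: int, month: int) -> date:
    """Patch Day of the given month: its 2nd Tuesday."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(TUESDAY - first.weekday()) % 7)
    return first_tuesday + timedelta(days=7)


def patch_days(year: int) -> list:
    """All twelve regular Patch Days of a year (HotNews may appear on any date)."""
    return [second_tuesday(year, month) for month in range(1, 13)]


def publication_instant(patch_day: date) -> datetime:
    """Earliest instant at which the month's notes are expected: 00:00 CET."""
    return datetime.combine(patch_day, time(0, 0), tzinfo=CET)


def next_publication(now: datetime) -> datetime:
    """Next regular publication instant strictly after `now` (aware datetime)."""
    if now.tzinfo is None:
        raise ValueError("now must be a timezone-aware datetime")
    year, month = now.year, now.month
    while True:
        candidate = publication_instant(second_tuesday(year, month))
        if candidate > now:
            return candidate
        month += 1
        if month > 12:
            month, year = 1, year + 1


def job_start(now: datetime, local_tz: timezone, margin_hours: int = 3) -> datetime:
    """Suggested start of SM:SYSTEM RECOMMENDATIONS in the admin's time zone.

    `margin_hours` (an assumption of this example) leaves room for publication
    delays and for the CET/CEST difference not modelled above.
    """
    return (next_publication(now) + timedelta(hours=margin_hours)).astimezone(local_tz)


if __name__ == "__main__":
    for day in patch_days(2017):
        print(day.isoformat(), "->", publication_instant(day).isoformat())
    now = datetime.now(timezone.utc)
    print("next publication (UTC):", next_publication(now).astimezone(timezone.utc))
    print("suggested job start (UTC-4):", job_start(now, timezone(timedelta(hours=-4))))
```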

42. How to find Security Notes for Web Dispatchers?

You can register a Web Dispatcher at the SLD, connect it to the SAP Solution Manager as a technical system with system type WEBDISP, and enable it in System Recommendations. This way you get some recommendations about the Web Dispatcher.
However, I guess to get a complete picture about security of the Web Dispatcher you need more than that.

Keep in mind that the Web Dispatcher

  • rarely gets connected to the SolMan as described above,
  • can be used in front of ABAP, Java, and HANA systems,
  • is a component which is independent from the Kernel,
  • in case of HANA is an internal part of HANA,
  • is very similar to the Internet Communication Manager (ICM) which is part of the Kernel, and
  • usually requires not only software updates but configuration changes as well to solve security issues.

Let’s check the Support Portal to find security Notes about the Web Dispatcher (status from 19.06.2017):

https://support.sap.com/notes -> Expert search

a) Search by Application Component of the Web Dispatcher

Application Component (exact): BC-CST-WDP
Document Type: SAP Security Notes
-> 12 Documents found

b) Search by Application Component of the Internet Communication Manager (ICM)

Application Component (exact): BC-CST-IC
Document Type: SAP Security Notes
-> 32 Documents found

c) Search by Software Component of the Web Dispatcher

Software Component: WEBDISP
Document Type: SAP Security Notes
-> 6 Documents found

Combining all results you find 39 Security Notes.
Only a few of them have assignments to

  • Software Component WEBDISP, or
  • Support Package Patches of type “SAP WEB DISPATCHER <release> <patch>”

I would expect that only these notes could be found by System Recommendations.
And not all of these notes have assignments to both, the Software Component and the Patch, which would be required for System Recommendations to produce an exact result at least for the software level (System Recommendations cannot check the configuration anyway).

Therefore, my recommendation is the following:
Whenever you see a Security Note for any of your systems of type ABAP, Java or HANA which deals with the Web Dispatcher or the Internet Communication Manager (ICM), you should check if this note could be relevant for all your installations of the Web Dispatcher, too.


57 Comments


  1. Mike Fritchley

    Do not use RSECNOTE on its own:

    – No Java Patches included (ABAP System only)

    – SAP released 250+ Sec.Notes in May and in the Marketplace it was recommended to install, but none where marked for EWA, i.e. RSECNOTE.

    Use the Marketplace and/or System Recommendations in SolMan

    (0) 
    1. Frank Buchholz Post author

      The latest recommendations for RSECNOTE dated from 21.3.2012 cover the patch days up to March 2012. You can find some recommendations from 11.4.2012 about two more notes. That means that the patch days from April, May and June 2012 are not covered by RSECNOTE yet. I wouldn’t say that RSECNOTE is dead, however, I agree to the impression that the schedule is not reliable any more.

      Well, as soon as a company has successfully set up a monthly patch process, e.g. initially based on the selection of notes shown by RSECNOTE, and everything works well, we recommend to start using the application System Recommendations to cover all notes.

      (0) 
      1. Frank Buchholz Post author

        Today, we published some new recommendations for the EarlyWatch Alert check /  RSECNOTE.

        However, keep in mind that this tool only checks for selected ABAP and kernel notes. If you want to review all security notes including Java notes you have to use the application System Recommendations or to inspect the complete list as shown in the SAP Marketplace.

        (0) 
  2. Venkata Battula

    I am not sure why the answer for question Number 15 is mentioned as “No”. But we can transport the security notes up to production that were applied in Development.

    Let’s say if there are different systems like ECC, BW and SCM etc., it’s enough to apply in the Development environment of each system, create a transport and move it up to the Production environment of each system.

    (0) 
    1. Frank Buchholz Post author

      Maybe I should clarify the text: You implement a security note once in a specific DEV system and then you transport it to the corresponding TEST and PROD system of that transport chain, but you cannot use this transport for any other system in your landscape.

      (0) 
  3. Mike Fritchley

    The fact that RSECNOTE and EWA are not updated at the correct intervals (and don’t show Java) makes the functions themselves a major Security Risk as they lead the customers into a “false sense of security”.

    RSECNOTE should be dead  😈 and another functionality of SolMan should be made mandatory (in keeping with SAP’s SolMan Strategy).

    (0) 
  4. Matt Urban

    Frank,

    Why would RSECNOTE yield notes that are not listed from Solution Manager System Recommendations for the same Technical System? The list I extracted for all 2012 from System Recommendations does not have the notes listed from RSECNOTE.

    Thanks,

    Matt

    (0) 
      1. Matt Urban

        Frank,

        Here is the list from RSECNOTE with a 2012 date. These notes do not show up in System Recommendations from the date range of 1/1/2012 – 7/30/2012 (all components).

        Note      Published by RSECNOTE   Published as Security Note
        1562119   January 2012            08.11.2011
        1579673   March 2012              13.12.2011
        1584930   March 2012              14.02.2012
        1589347   March 2012              14.02.2012
        1590341   July 2012               08.05.2012
        1606808   January 2012            11.10.2011
        1608934   July 2012               08.05.2012
        1610668   July 2012               08.05.2012
        1610923   July 2012               08.05.2012
        1614834   July 2012               08.05.2012
        1616366   January 2012            08.11.2011
        1634457   July 2012               10.04.2012
        1638258   July 2012               10.04.2012
        1638520   March 2012              14.02.2012
        1640523   March 2012              14.02.2012
        1648735   March 2012              13.03.2012
        1656265   March 2012              14.02.2012
        1656658   July 2012               08.05.2012
        1659045   July 2012               08.05.2012
        1661157   July 2012               10.04.2012
        1661349   July 2012               14.02.2012
        1665921   July 2012               12.06.2012
        1683644   July 2012               12.06.2012
        1684539   July 2012               12.06.2012
        1686917   July 2012               10.04.2012
        1688421   July 2012               08.05.2012
        1693480   July 2012               08.05.2012
        1694662   July 2012               08.05.2012

        Thanks,

        Matt

        (0) 
        1. Frank Buchholz Post author

          Hi Matt,

          all of these notes are in fact Security Notes (= published on SMP /securitynotes) and therefore get checked by the application System Recommendations.

          1. There might be some confusion about different release dates:

          a) on the SMP and within System Recommendations we see the date “Published as Security Note“. The selection by System Recommendations uses this date as well. 

          I’ve added this date to your list.

          b) RSECNOTE shows a different date “Published by RSECNOTE“. This is the month during which the note was added to the RSECNOTE check. You see that this is sometimes the same month like the date when the note was published, but for some notes it is much later. It seems that RSECNOTE is ‘lazy’ …

          Because of your selection, I would expect to see all notes published as of 1/1/2012 in System Recommendations but not older notes.

          This explains some of the differences but not all.

          2. I don’t have a simple explanation for the remaining differences. It might be one of the following reasons:

          a) The SMSY (or the LMDB) does not know about the correct system configuration of the managed system (System Recommendations uses this to get the software components, releases, support packages and patches). However, I don’t think that this is the reason.

          b) The special, performance-optimized delta mechanism of the System Recommendations background job SM:SYSTEM RECOMMENDATIONS has not calculated all results yet. Please check the job. You can simply copy it and run it in addition to the scheduled runs. Then re-check the results.

          Kind regards

          Frank

          (0) 
          1. Matt Urban

            Frank,

            That was the issue. Apparently when you perform the manual check for notes (using the refresh link) it doesn’t fetch all data. I ran the job and the applicable notes went from 7 to 217 for the 2012 calendar year.

            Question, does the refresh link not work properly and the job should be used / scheduled instead? Or was this a one-time activity and the refresh link will work going forward? Something that has been fixed in SP05?

            Thanks again,

            Matt

            (0) 
            1. Frank Buchholz Post author

              I never use the refresh button in System Recommendations as I can’t stand the waiting time, therefore I have no clue what this function actually is doing 😉

              (I assume, that the refresh button works fine to get latest changes but requires that the job already has calculated the complete results.)

              Don’t worry to schedule the background job quite often (once a week or even once a day) because nowadays the job is optimized to save processing resources.

              Kind regards

              Frank

              (0) 
  5. Mike Fritchley

    FAQ 6 states:

    The complete list of all security notes is shown on the page /securitynotes

    However looking at /notes there are DB based Security Notes that are not listed; e.g.:

    1753297 – Oracle Security Alert – 14.08.2012

    1714255 – Beschränkung der ….. – 15.05.2012

    A single source of Security Note truth is required, how can one be sure that all Security relevant Notes (all DB; OS; GUI etc.) appear in the /securitynotes section?

    Is it expected that we also look in other areas i.e. /notes etc.?

    (0) 
    1. Frank Buchholz Post author

      Hi Mike,

      thank you very much for bringing this issue to my attention! Meanwhile I’ve triggered the process to turn such notes into “Security Notes” which get listed at /securitynotes in the SMP.

      Well, even if I still claim that this page shows (almost, as I know now…) all SAP Security Notes – that means notes created by SAP – you should not forget to scan other sources like NIST to find security notes about the operating system, network components or the database etc.

      Kind regards

      Frank Buchholz  

      (0) 
  6. Felix Granados Sanandrés

    Hi Frank,

    I wonder whether SAP Security Notes are included in Support packages. So the question is: “Are always all the Security Notes included in the next Support Package or just some of the security notes”. If just some of them, which ones? All the notes that appear in RSECNOTE?

    Thanks,

    Félix

    (0) 
    1. Frank Buchholz Post author


      The correction provided by a Security Note is always part of a (next) Support Package for ABAP or Java, or part of a Kernel Patch. In addition SAP provides ABAP correction instructions which can be implemented using the Note Assistant, transaction SNOTE, or Java Patches for the newer Java Support Packages.

      You see, you can either upgrade your Support Packages or you can implement notes individually to get the latest security corrections. If you upgrade rarely then you should add more effort to implement notes individually to fix security vulnerabilities.

      Caution: some notes describe manual activities which you can perform as soon as you have the required software level. These notes should be processed even if you upgrade your Support Packages.

      Kind regards

      Frank

      (0) 
  7. Daniel Haenni

    Hi Frank

    From time to time there is a big difference in the CVSS Score shown in the Securitynote and the CVSS Score on the NIST Page. For example, Note 1649838 (SecNote CVSS 6.8; NIST CVSS 10).

    What is your recommendation for using the CVSS Score, use the NIST-Score or the SecurityNote Score?

    Kind regards

    Daniel Haenni

    (0) 
    1. Frank Buchholz Post author

      Daniel Haenni wrote:

      Hi Frank

      From time to time there is a big difference in the CVSS Score shown in the Securitynote and the CVSS Score on the NIST Page. For example, Note 1649838 (SecNote CVSS 6.8; NIST CVSS 10).

      What is your recommendation for using the CVSS Score, use the NIST-Score or the SecurityNote Score?

      Kind regards

      Daniel Haenni

      I agree, that you can see differences from time to time.

      Let’s have a look to the example first.

      Note 1649838 at SAP
      https://service.sap.com/sap/support/notes/1649838
      CVSS Base Score: 6.8 
      CVSS Base Vector: AV:N/AC:M/AU:N/C:P/I:P/A:P
      Priority: HotNews

      Note 1649838 at NIST
      http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2012-4341
      CVSS v2 Base Score: 10.0 (HIGH)
      CVSS Base Vector: (AV:N/AC:L/AU:N/C:C/I:C/A:C)

      Legend:
      AV = AccessVector (Related exploit range) L=Local access, A=Adjacent network, N=Network
      AC = AccessComplexity (Required attack complexity) H=High, M=Medium, L=Low
      AU = Authentication (Level of authentication needed to exploit) N=None required, S=Requires single instance, M=Requires multiple instances
      C = ConfImpact (Confidentiality impact) N=None, P=Partial, C=Complete
      I = IntegImpact (Integrity impact) N=None, P=Partial, C=Complete
      A = AvailImpact (Availability impact) N=None, P=Partial, C=Complete

      Observations:

      • SAP chooses AccessComplexity=medium but NIST assumes that it’s not so difficult for an attacker, giving AccessComplexity=low
        (My personal opinion is that it’s not simple to produce a working buffer overflow which gives full access to an attacker and which can hide itself from detection. But I have to confess that I’m just an ABAP nerd and have no clue about applications written in C.)
      • For impact metrics C, I, and A we see ‘partial’ at SAP but ‘complete’ at NIST
        (My personal opinion: buffer overflows on servers, code injection or complete SQL injection should always produce a ‘complete’ rating for SAP systems.)
      • However, even if SAP calculated the CVSS score 6.8, the note was classified as HotNews, which matches the very high risk of the vulnerability
        (Good to know;-)

      My impression is simply that you can discuss the metrics differently, producing different results. This is one reason why we had decided to use just two categories in the EarlyWatch Alert / RSECNOTE (red and yellow) and that we recommend to implement all notes from both groups.

      In addition we recommend that you not only consider the priority or CVSS (which describes the risk of the vulnerability from a software point of view) but also think about your individual risk concerning the probability of an attack, the cost of a potential attack and the business impact of implementing the patch. All of this together will generate the overall decision about implementing the note within a short time as part of the monthly patch process or waiting until the next maintenance cycle.

      Example: XSS attacks have a low probability for company internal systems which are accessed via SAPGUI and RFC only, but happen very likely in case of internet facing web applications.

      By the way: In case of ABAP notes having automatic correction instructions for the Note Assistant, transaction SNOTE, I strongly recommend to have a close look at the ABAP code of the correction to decide about implementing the note.

      Kind regards
      Frank 

      (0) 
  8. John Smith

    Hi Frank,

    I have a dilemma in SAP security notes and upgrades and would appreciate your help. I am working on a 7.0 SAP system and we have upgraded the system to 7.3. The question is what should I do with the SAP security notes after the upgrade? Should I start implementing the security notes starting with those after the 7.3 release date, assuming that the upgrade to 7.3 will resolve any security issues before that date, or should I implement all security notes without a specific date to start with?

    Regards, John

    (0) 
    1. Frank Buchholz Post author

      As part of any upgrade you should get information about required Security Notes.

      SAP recommends to use

      – the Maintenance Optimizer (MopZ) step 4 before, respectively

      – the System Recommendations after

      running the technical release or support package upgrade to get the list of required security notes.

      In general I do not recommend to select notes by date because even old notes can be relevant. (Use a selection for the date only if you want to see new notes, e.g. of the most recent patch day.)

      However, you will see the following typical result using the list view in System Recommendations after implementing the latest support package (which is some weeks or even months old concerning SAP development closing):

      a) There are few new security notes having automatic correction instructions

      b) There are one hundred or more old security notes without automatic correction instructions which still show up in System Recommendations.

      Obviously you should implement notes of group a) at once as it’s much cheaper to include them as long as you haven’t started application testing than implementing them later.

      Notes of group b) are more difficult: First you have to decide if they are in fact still relevant – it might be the case that this is not the case anymore but System Recommendations simply cannot judge about this. Therefore I would agree if you work through this list from new to old, skipping the very old ones.

      Kind regards

      Frank 

      (0) 
  9. Krzysztof Murkowski

    Hi Frank,

    during check of system recommendations for a particular managed system (job SM:SYSTEM RECOMMENDATIONS) we get the following errors in the application log (trans SLG1):

    AGSNO_MESSAGE001: Database type is unknown

    AGSNO_MESSAGE001: Operation system is unknown

    My question: what is the source of that information for system recommendations? I’ve looked in SMSY, SLD, LMDB and OSS and the master data of this managed system seems to be valid for me.

    Regards,

    Kris

    (0) 
    1. Frank Buchholz Post author

      Krzysztof Murkowski wrote:

      Hi Frank,

      during check of system recommendations for a particular managed system (job SM:SYSTEM RECOMMENDATIONS) we get the following errors in the application log (trans SLG1):

      AGSNO_MESSAGE001: Database type is unknown

      AGSNO_MESSAGE001: Operation system is unknown

      My question: what is the source of that information for system recommendations? I’ve looked in SMSY, SLD, LMDB and OSS and the master data of this managed system seems to be valid for me.

      Regards,

      Kris

      Let’s have a look at the job SM:SYSTEM RECOMMENDATIONS = Report AGSNO_RPT_COLLECT_DATA using the Debugger:

      Result:

      The messages about unknown database type and operation system are created on the SAP backbone while executing CALL METHOD cl_agsno_oss_service=>execute.

      Unfortunately this means that I cannot analyze the root cause even if I’ve a test system showing the same messages.

      Anyway, I don’t have the impression that these yellow messages in the application log unveil some critical issues.

      Kind regards

      Frank

      (0) 
    2. Julius von dem Bussche

      This is speculative… but the users on the managed system for the monitoring sometimes lack sufficient authorizations for the application functions which wrap the public functions to return the DB and OS info.

      Prime candidates are if you are still using the CSMREG user with standard manual profiles. In that case check in ST22 for dumps and trace it on the managed system.

      As Frank mentioned, I also think it is harmless nonetheless. The SysRec filters on OS and DB filter the notes and not your systems, so if the types are unknown it should make no difference to the result. That something is not working might however lead to other mysterious results, so you should solve it anyway.

      Cheers,

      Julius

      (0) 
  10. Marc Crummenauer

    Hello Frank,

    I’m facing currently an issue with System Recommendation.

    SysReco displays 2 security notes, that are assigned to SAPKA70206 respectively SAPKA70211. But Sol Man’s LMDB and managed system’s SPAU tell me that SAPKA70211 was applied for some time.

    Could you please provide an idea, what could be wrong on Solution Manager or managed system.

    Best regards/marc

    (0) 
    1. Frank Buchholz Post author

      Hi Marc,

      Please provide the note numbers. I’d like to check which validity ranges are assigned to these notes concerning

      • validity of note (software component + release)
      • validity of automatic correction instructions (software component + release + SP)
      • validity of Manual correction instructions (software component + release + SP)
      • assignments of SP / patches (software component + release + SP)

      What is displayed by System->Status->Component Information for SAP_ABA (I assume you see SAPKA70211)?

      Kind regards

      Frank

      (0) 
      1. Marc Crummenauer

        Hello Frank,

         

        Please find requested details:

        Note 1497599

        • validity of note (software component + release)  Component:
          SAP_ABA  +  Release 700 – 702
        • validity of automatic correction instructions (software component + release + SP)
          SAP_ABA + Rel. 702 + correction instruction 928347 valid to support package 702-ALL SUPP. PACKAGES
          SAP_ABA + Rel. 702 + correction instruction 1260378 valid to support package
          702-SAPKA70204 
        • validity of Manual correction instructions (software component + release + SP)
          ./.
        • assignments of SP / patches (software component + release + SP) 
          SAP_ABA  + Rel. 702  + SAPKA70205

        Note 1648395

        • validity of note (software component + release)  Component:
          SAP_ABA  +  Release 700 – 702 & 710 – 711 & 731 – 731
        • validity of automatic correction instructions (software component + release + SP) 
          ./.
        • validity of Manual correction instructions (software component + release + SP)
          SAP_ABA + Rel. 702  +  From SAPKA70201
        • assignments of SP / patches (software component + release + SP)
          SAP_ABA + Rel. 702 + SAPKA70211

        What is displayed by System->Status->Component Information for SAP_ABA (I assume you see SAPKA70211)?  Yes

        These are only two examples, in the meantime I identified a few more sec notes that should not be displayed according to Support Pack Release in SysReco on different Solution Manager Systems.

        Best regards/marc

        (0) 
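The comparison Marc did by hand (installed SP level versus the SP a note is assigned to, plus the validity of its manual instructions) can be scripted. The following is an added example, not SysRec's own logic and not an answer from Frank (the thread gives none); it uses the SAP_ABA 702 values posted above plus one constructed note (9999999). It assumes Support Package names follow the pattern SAPK + component letters + release + level, e.g. SAPKA70211 = SAP_ABA, release 702, SP 11, which holds for the SAP_ABA names on this page; other components use other letter codes.

```python
"""Assess security notes against the installed Support Package level.

Added example (not SysRec code). Assumption: SP names look like
SAPK<comp letters><release><level>, e.g. SAPKA70211 = SAP_ABA 702 SP 11.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

SP_RE = re.compile(r"^SAPK(?P<comp>[A-Z]+)(?P<rel>\d{3})(?P<level>\d{2})$")


def parse_sp(name: str) -> Tuple[str, str, int]:
    """'SAPKA70211' -> ('A', '702', 11)."""
    m = SP_RE.match(name.strip().upper())
    if not m:
        raise ValueError(f"not a Support Package name: {name!r}")
    return m["comp"], m["rel"], int(m["level"])


def sp_includes(installed: str, required: str) -> bool:
    """True if installed is on the same component/release line and at least as high as required."""
    ic, ir, il = parse_sp(installed)
    rc, rr, rl = parse_sp(required)
    if (ic, ir) != (rc, rr):
        return False  # different component or release line: levels are not comparable
    return il >= rl


@dataclass
class Note:
    number: str
    releases: List[Tuple[str, str]]        # validity ranges of the note, e.g. ("700", "702")
    assigned_sp: Optional[str] = None      # SP that delivers the code fix (section "Support Packages")
    manual_from_sp: Optional[str] = None   # manual correction instruction valid from this SP


def assess(note: Note, installed_sp: str) -> str:
    """Classify one note for a system at installed_sp.

    'not-relevant' - installed release is outside the note's validity ranges
    'solved-by-sp' - the assigned SP is included and the note has no manual steps
    'manual-check' - manual instructions apply; a tool cannot verify they were done
    'open'         - the code fix is not yet on the system
    """
    _, rel, _ = parse_sp(installed_sp)
    if not any(lo <= rel <= hi for lo, hi in note.releases):
        return "not-relevant"
    code_fixed = note.assigned_sp is not None and sp_includes(installed_sp, note.assigned_sp)
    manual_applies = note.manual_from_sp is not None and sp_includes(installed_sp, note.manual_from_sp)
    if manual_applies:
        return "manual-check"
    return "solved-by-sp" if code_fixed else "open"


# Values as posted in the thread for SAP_ABA 702; 9999999 is constructed.
NOTES = [
    Note("1497599", [("700", "702")], assigned_sp="SAPKA70205"),
    Note("1648395", [("700", "702"), ("710", "711"), ("731", "731")],
         assigned_sp="SAPKA70211", manual_from_sp="SAPKA70201"),
    Note("9999999", [("702", "702")], assigned_sp="SAPKA70212"),  # constructed: fix not delivered yet
]


def report(installed_sp: str, notes=NOTES):
    """{note number: status} for every note in the list."""
    return {n.number: assess(n, installed_sp) for n in notes}


if __name__ == "__main__":
    for number, status in report("SAPKA70211").items():
        print(number, status)
```

For SAPKA70211 the first note comes out as solved by the Support Package, while the second stays on the list because its manual instructions are valid from SAPKA70201 and no tool can tell whether they were carried out (the same limitation Frank describes for notes with manual steps further down in the thread).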
  11. Peter Hofer

    Hello,

    We are configuring the system recommendations background job, however, the mechanism to add systems into the scheduled job is time consuming, cumbersome and not particularly user friendly when trying to add, remove or review which systems are currently included in the job.

    I can see the data is stored in table AGSNOTE_DATA however, it is not stored in a readable format.

    Is there some other way to maintain / review the list of systems?

    Thanks

    Peter

    (0) 
    1. Frank Buchholz Post author

      Hello Peter,

      please have a look at my new little helper report ZSYSREC_SHOW_CONFIGURATION (published via my Wiki page) which shows the job definition, the list of systems for which the job calculates results and the list of systems for which results are available.

      Up to now, the report is limited to SolMan 7.1.

      If I get some thumbs-up, I’ll include this into good old report ZSYSREC_NOTELIST.

      Kind regards

      Frank

      (0) 
  12. Nirmal Behera

    Hello,

    We ran the system recommendation and even implemented those notes. But what is the reason that even after we have implemented the notes those notes do not vanish and still appear under system recommendation? I also have the same issue that the tool is suggesting me those notes which are not relevant for our system.

    Best regards

    Nirmal

    (0) 
  13. Bernard Sheridan

    Hi Frank,

    Thanks for this valuable post! Is it possible to refresh the system recommendations for years gone by e.g. from 2010 – 2014?

    Each time I refresh, it pulls back security notes for the prior month. I doubt I have to keep doing this for every month as far back as 2010?

    I did execute FM DIAGST_CONFIG_SET with 1000 days as a test, but still the refresh only goes back to the prior month from the last refresh.

    Thanks,

    Bernard.

    (0) 
    1. Frank Buchholz Post author

      The purpose of the refresh function is only to adjust the pre-calculated results with latest findings and newly implemented notes. I do not use this function.

      Instead of this I schedule the background job quite regularly – once a week after Tuesday to catch all security patch days. You find this at the ‘settings’ link on the top right of the screen.

      See KBA note 2046605

      Kind regards

      Frank

      (0) 
  14. Ragoobir Henry

    Hello Frank

    Can you clarify the recommendation with regards to applying security notes that require a kernel patch? I do not believe that it is practical to upgrade the kernel across the landscape every time a new kernel is recommended by a security note. However, there are some that are pointing to the fact that the note is rated as priority 1 and are applying pressure for the application. Systems are all internal.

    thanks

    Ragoobir

    (0) 
    1. Julius von dem Bussche

      Theoretically the kernel versions should always be backwardly compatible, and basis folks are used to patching the kernel more regularly than the application layer.

      IMO it makes sense to patch sandboxes as soon as the new versions are available and keep an eye on bugs and then home in on a patch level when it looks stable for a while.

      This also depends on your application patching cycles. I have a customer on 7.00 SP1 (8 years old), and the 7.21 “innovation kernel” with current patch level does not work. Luckily with kernel versions it is very easy to roll back. Application patching (SNOTE and Support Packs) is practically impossible to roll back.

      -> Kernel should normally not be a problem, unless the application level is so old that the kernel is incompatible and not even SAP tested it (special case on SOLMAN and IDM they appear not to test at all if you ask me…).

      Cheers,

      Julius

      (0) 
      1. Ragoobir Henry

        @Julius: Thanks for your response. In theory this is ok. However, the reality may not be as simple. For example, in a landscape with over 60 SAP systems, 9 of which are production, frequent kernel upgrades may not be as quick and simple. I am looking for guidelines and/or examples of what other customers are doing for kernel upgrades, especially in light of these high priority security notes that are being published. From my experience, prior to security notes, most customers were upgrading the kernel once a year.

        thanks

        Ragoobir

        (0) 
        1. Andy Silvey

          As a rule of thumb you should be looking at:

               kernel upgrades twice a year

               db patching twice a year

          It doesn’t matter how many systems you have; obviously you have to scale your support to be able to complete the work as your landscape grows. For the last 12 years I’ve only been at customers with hundreds of systems, minimum 200, and this approach is the standard.

          Best regards,

          Andy.

          (0) 
        2. Julius von dem Bussche

          Yes, you must first upgrade the kernel.

          Many HR systems get it right to patch the applications every three months as they for legal reasons have to do it. They get used to it and ABAP patches from SAP are not cumulative so sooner or later you have to go through the whole lot anyway.

          Much like jogging, once you are fit you keep running and running, become faster at it and get used to it. You just must not try to win the race – that is not good… 🙂

          Cheers,

          Julius

          (0) 
  15. Frank Neidig

    Hi Frank,

    Regarding question 5 – we recognized that HANA notes will be displayed in SysRec although the underlying database product is another database. As mentioned in question 5 there are a lot of notes and it would reduce the manual effort if only notes for the installed DB product are displayed in SysRec. It would be nice if this could be implemented during the further development of the SysRec functionality.

    Best regards

    Frank

    (0) 
    1. Franz Lengel

      Hi Frank,

      yes that is a problem we also have. I think that might be a reason why some do not use the system recommendation any more.

      Best regards,

      Franz

      (0) 
    2. Frank Buchholz Post author

      The current version of System Recommendations (in SolMan 7.0 and 7.1) does not know about the underlying database and operating system.

      With the next version in SolMan 7.2 we at least provide a customizing table which you can use to select the Application Components for the underlying databases and operating systems. This way you can hide notes of other Application Components which do not match to your OS/DB installations.


      However, I’m a little bit surprised that you mention HANA because these notes belong to software component HDB with software component version SAP HANA DATABASE 1.00.

      None of these notes should show up in System Recommendations for a technical system of type ABAP (you have to connect HANA as a separate technical system).


      Kind regards

      Frank


      Overview about Application Components for DB/OS:


      Databases
      ADA BC-DB-SDB
      ADA BW-SYS-DB-SDB
      DB2 BC-DB-DB2
      DB2 BW-SYS-DB-DB2
      DB4 BC-DB-DB4
      DB4 BW-SYS-DB-DB4
      DB6 BC-DB-DB6
      DB6 BW-SYS-DB-DB6
      HDB BC-DB-HDB
      HDB BW-SYS-DB-HDB
      HDB HAN-DB
      INF BC-DB-INF
      INF BW-SYS-DB-INF
      LVC BC-DB-LVC
      MSS BC-DB-MSS
      MSS BW-SYS-DB-MSS
      ORA BC-DB-ORA
      ORA BW-SYS-DB-ORA
      SAP BC-DB-SDB
      SAP BW-SYS-DB-SDB
      SYB BC-DB-SYB
      SYB BW-SYS-DB-SYB
      TD BC-DB-TD
      TD BW-SYS-DB-TD
      Operating Systems
      AIX BC-OP-AIX
      AIX BC-OP-BUL
      HP-UX BC-OP-HPX
      LINUX BC-OP-LNX
      LINUX BC-OP-PLNX
      LINUX BC-OP-ZLNX
      LINUX OS/3 BC-OP-LNX
      LINUX OS/3 BC-OP-PLNX
      LINUX OS/3 BC-OP-ZLNX
      OS/400 BC-OP-AS4
      SINIX BC-OP-FSC-REL
      SOLARIS BC-OP-FSC-SOL
      SOLARIS BC-OP-SUN
      SUNOS BC-OP-SUN
      TRU64-UNIX BC-OP-CPQ
      TRU64-UNIX BC-OP-TRU64
      UNIX BC-OP-CPQ
      UNIX BC-OP-TRU64
      WIN-NT BC-OP-NT
      Z/OS BC-OP-S390
      (0) 
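The following is an added example, not SAP code: it shows the selection the SolMan 7.2 customizing table described above makes possible, applied to a constructed note list. It embeds the DB/OS-to-Application-Component table from Frank's reply, parses it, and hides only those notes whose application component belongs to a database or operating system other than the installed one; notes in any other component (BC-SEC, for instance) are never touched. One assumption: a note is treated as platform-specific if its component equals a table entry or is a sub-component of it (e.g. BC-DB-ORA-SYS under BC-DB-ORA).

```python
"""Hide DB/OS-specific security notes that do not match the installed platform.

Added example (not SAP code) built on the Application Component table from
the thread. Assumption: sub-components (e.g. 'BC-DB-ORA-SYS') belong to the
platform of their parent entry.
"""

DB_TABLE = """
ADA BC-DB-SDB
ADA BW-SYS-DB-SDB
DB2 BC-DB-DB2
DB2 BW-SYS-DB-DB2
DB4 BC-DB-DB4
DB4 BW-SYS-DB-DB4
DB6 BC-DB-DB6
DB6 BW-SYS-DB-DB6
HDB BC-DB-HDB
HDB BW-SYS-DB-HDB
HDB HAN-DB
INF BC-DB-INF
INF BW-SYS-DB-INF
LVC BC-DB-LVC
MSS BC-DB-MSS
MSS BW-SYS-DB-MSS
ORA BC-DB-ORA
ORA BW-SYS-DB-ORA
SAP BC-DB-SDB
SAP BW-SYS-DB-SDB
SYB BC-DB-SYB
SYB BW-SYS-DB-SYB
TD BC-DB-TD
TD BW-SYS-DB-TD
"""

OS_TABLE = """
AIX BC-OP-AIX
AIX BC-OP-BUL
HP-UX BC-OP-HPX
LINUX BC-OP-LNX
LINUX BC-OP-PLNX
LINUX BC-OP-ZLNX
LINUX OS/3 BC-OP-LNX
LINUX OS/3 BC-OP-PLNX
LINUX OS/3 BC-OP-ZLNX
OS/400 BC-OP-AS4
SINIX BC-OP-FSC-REL
SOLARIS BC-OP-FSC-SOL
SOLARIS BC-OP-SUN
SUNOS BC-OP-SUN
TRU64-UNIX BC-OP-CPQ
TRU64-UNIX BC-OP-TRU64
UNIX BC-OP-CPQ
UNIX BC-OP-TRU64
WIN-NT BC-OP-NT
Z/OS BC-OP-S390
"""


def parse_table(text):
    """'LINUX OS/3 BC-OP-LNX' -> {'LINUX OS/3': {'BC-OP-LNX', ...}}; the component is the last token."""
    mapping = {}
    for line in text.strip().splitlines():
        key, component = line.rsplit(None, 1)
        mapping.setdefault(key.upper(), set()).add(component)
    return mapping


def _belongs(component, components):
    return any(component == c or component.startswith(c + "-") for c in components)


def platform_keep(db, os, db_map=None, os_map=None):
    """Return a predicate: keep(component) is False only for notes of a foreign DB/OS."""
    db_map = db_map or parse_table(DB_TABLE)
    os_map = os_map or parse_table(OS_TABLE)
    all_platform = set().union(*db_map.values(), *os_map.values())
    mine = db_map.get(db.upper(), set()) | os_map.get(os.upper(), set())

    def keep(component):
        return not (_belongs(component, all_platform) and not _belongs(component, mine))

    return keep


# Constructed sample: (note id, application component). Ids are placeholders, not real notes.
SAMPLE_NOTES = [
    ("note-1", "BC-DB-HDB"),
    ("note-2", "BC-DB-ORA"),
    ("note-3", "BC-OP-NT"),
    ("note-4", "BC-SEC"),
    ("note-5", "HAN-DB"),
    ("note-6", "BW-SYS-DB-ORA-XYZ"),
    ("note-7", "BC-OP-LNX"),
]


def filter_notes(notes, db, os):
    """Note ids that remain visible for a system running on db/os."""
    keep = platform_keep(db, os)
    return [number for number, component in notes if keep(component)]


if __name__ == "__main__":
    print(filter_notes(SAMPLE_NOTES, "ORA", "LINUX"))
```

Note that the filter is deliberately one-directional: it removes notes that clearly belong to a different platform but never removes a note because it belongs to no platform at all, so the list can only shrink by notes the installed DB/OS cannot be affected by.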
      1. Bernard Sheridan

        Excuse the potentially dumb question here, but do we need to manually check every Application Component applicable to our system for SysRec to show the relevant implemented/non-implemented security notes?

        I have SysRec showing a required note for a DB we do not use. For another system SysRec log is showing a message: xyz-ABAP – not able to get the implemented SAP note and check application log for details

        Using SolMan 7.1

        (0) 
      2. Rob Arundel

        Hi Frank,

        I’m currently in Rampup for 7.2, just splitting ABAP/Java so nearly ready to start using it.

        Can you tell me the customizing table / provide instructions?

        Thanks

        (0) 
        1. Frank Buchholz Post author

          I’m glad to hear that you start using SysRec 7.2.

          You find the information about SysRec 7.2 on https://support.sap.com/sysrec at ‘More Information’ on the right navigation pane labeled with ‘Usage, configuration and customizing of System Recommendations in SAP Solution Manager 7.2′.

          (Most of these slides are part of the main slide deck about Security Patching on https://support.sap.com/sos as well.)


          Please share your experience with SysRec 7.2 with us!

          Kind regards

          Frank

          (0) 
  16. Ambarish Thakore

    After implementing Note 2235515: Insufficient logging in SNOTE, how do we confirm that the RFC destination is put in the log entry of the note assistant tool?

    (0) 
    1. Frank Buchholz Post author

      Well, you will find the name of the destination which was used to download a note in the log for that note somewhere in SNOTE. But I do not believe that anybody ever would validate this log. Just imagine finding something like SAP_OSS. Would you take this as an alert to start forensics about why this destination was used?

      As far as I know there does not exist a report which shows the used destinations for all notes on one screen.

      On the other hand I could imagine that a security-affine organization has some controls in place to regularly validate RFC destinations in general (locally with report RSRFCCHK, centrally using Configuration Validation in the SolMan).

      (0) 
  17. Christian Schroeder

    Hello Frank,

    thanks for the FAQ, very helpful. But I have some questions  about How-to-Work with SysRec.

    We check the Secnotes for every system from 2006 to now. Is that the right way? There are many notes without automatic or manual corrections, like hints or information about lower kernels or old ITS 6.1 notes. In #37 I see a solution to exclude these notes. But do you think it’s necessary to select a long period, or is the SysRec function only for the period since the last implementation of Secnotes?

    Actually we have a Solman 7.1 SPS14 for SysRec. What about the notes in SAP Launchpad? Does the confirmation of some notes in Launchpad have an effect on our list in Solman?

    What RFC Destination will be used, if I want to download the selected notes to SNOTE?

    Thanks a lot and best regards 🙂

    Christian Schroeder

    (0) 
    1. Frank Buchholz Post author

      For notes which only contain software updates, you could ignore very old ones as your system is newer – however, such old and not relevant notes would get omitted by SysRec anyway.

      For notes which contain descriptions or manual instructions for settings / customizing it is more complicated: even very old notes could be still relevant! Therefore I do not recommend to use a date filter if you want to go for all relevant notes.

      The “confirmation” function in the Launchpad affects only your very personal list. This has no effect on the view of others or on SysRec. I do not use the “confirmation” function in the Launchpad.

      To download notes, Sysrec uses the Trusted-RFC-Same-User-Destination which belongs to the Technical System (= backend system which is registered in the SolMan).

      Typical name:  SM_<system>CLNT<client>_TRUSTED 

      If this destination is truly a Trusted-RFC-Same-User-Destination you will see the downloaded notes in your own worklist within SNOTE – but of course only if your own user has appropriate authorizations in this system.

      If this destination is defective and not a true Trusted-RFC-Same-User-Destination but a normal destination with stored user/password, then you would find the notes in the worklist of this user – again only if this user has appropriate authorizations in this system.

      Kind regards

      Frank

      (I’m going to be offline for a couple of weeks.)

      (0) 
  18. Vikas Kaul

    Hi Frank,

    I am on the /securitynotes page, but cannot find the option to create the filter for a selected module of the SAP application. Where is the option “My security Notes”? On the main page when I click on

    There also I cannot create a filter, see screenshot.

    Also if I try to open the Legacy Marketplace with the link you mentioned, it does not give the option to select the system. See screenshot.

    (0) 
    1. Frank Buchholz Post author

      Dear Vikas,

      On https://support.sap.com/securitynotes use the link “Important SAP Notes – Help” to show the documentation about how to manage the filter. However, it’s a bit more tricky to find this mentioned app “Important SAP Notes” where you can define the filter… (I suggest to use the “Share your feedback” button in the Launchpad to send a request about this.)

      Well, I found the option to manage the filter on the “TopNotes” page.

      I expect that this is the same filter used in the new Launchpad app for showing Security Notes, however, I usually use the “All security notes” button instead of using a filter.

      The legacy app “Search Security Notes” which you show in your 2nd picture still seems to work. This is the app for showing all security notes without any filter.

      Kind regards

      Frank Buchholz

      (0) 
      1. Vikas Kaul

        Hi Frank,

        Thanks for the reply. I tried to access “Topnotes” but it looks like SAP has stopped using that as well. If I open the “topnotes” it forces me to use Launchpad only (see enclosed).

        I tried to update the feedback, haven’t got any reply yet.

        Thanks

        Vikas

        (0) 
  19. Franz Lengel

    Dear Frank,

    I have questions about

    32. How to download latest Java patches using System Recommendation

    KBA Note 2041071 shows how to download latest Java patches using System Recommendation.

    With that functionality I get all latest patches for all components, right ?
    But it is not recommended to implement all newest patches.
    (2022451 – Add Java Patches – Things to consider)

    So I think it might be best to get only the desired patches with their dependent patches
    ( 1974464 – Information on SCA Dependency Analysis for Java download objects).

    How could that be achieved ?

    Thank you.

    Kind regards,
    Franz Lengel

    (0) 
  20. Boris Pasynkov

    Hello Frank!

    I have a question about Security Notes Implementation Mechanism.

    Could you clarify one moment? For example, I’ve read the SAP Note and decided that I should implement this one, because it refers to a component that I use in my SAP system. But during the process of implementation this Note has gotten the status “Cannot be implemented”. The key moment is that this Note has a link to another one, and the second Note is already “Can be implemented” in my system. Could you explain the mechanism of checking which Notes can be implemented through the implementation of other Notes?

    Best regards and thank you!

    (0) 
  21. Frank Buchholz Post author

    Most Security Notes for ABAP contain references to the Support Packages which contain the solution (section Support Packages) as well as automatic correction instructions for the Note Assistant, transaction SNOTE, (in section Correction Instructions).

    If there are automatic correction instructions which match to the current software configuration you can implement the note using transaction SNOTE.

    However, if a Security Note does not contain the solution as automatic correction instructions but simply refers to another note, then you cannot implement the Security Note. You only can implement the referred note – and you have to do it manually and you have to document your actions manually, too. The application System Recommendations cannot recognize by itself that you have done all necessary steps.

    Kind regards

    Frank Buchholz
    SAP CoE Security Services

    P.S. By the way: Instead of the reason “because it refers to a component that I use in my SAP system” you should follow the rule “because it refers to a component that exists in my SAP system”

    (0) 
