Keep up on vulnerabilities with security notes
Continuing with the security topics, I will cover the topic of staying up to date with security patches for BI.
While SAP practices a complete security development lifecycle, the security landscape continues to evolve, and through both internal and external security testing we become aware of new security issues in our products. Every effort is then made to provide a timely fix to keep our customers secure.
This is part 4 of my security blog series of securing your BI deployment.
You’re probably familiar with running monthly patches for windows updates, “patch Tuesday” on the second Tuesday of every month.
SAP happens to follow a similar pattern, where we release information about security patches available for our customers, for the full suite of SAP products.
BI security fixes are shipped as part of fixpacks and service packs.
I will here walk you through signing up for notifications.
Begin by navigating to https://support.sap.com/securitynotes
This will take you to another link, where you can “sign up to receive notifications”
Click on “Define Filter” , where you can filter for the BI product suite.
Sign up for email notifications:
Defining the filter: Search for SBOP BI Platform (Enterprise)
And select the version:
Note that currently the search does not appear to filter on version unfortunately, so you will likely see all issues listed.
Your resulting filter should look something like this:
The security note listing will look something like this:
Understanding the security notes:
Older security notes have a verbal description of version affected and patches that contain the fix.
For example, the note will say “Customers should install fix pack 3.7 or 4.3″…
Newer notes will also have the table describing the versions affected and where the fixes shipped:
Interpreting the above, the issue affects XIr3.1, 4.0 and 4.1.
Fixes are provided on xr3.1 Fixpacks 6.5 & 7.2, on 4.0 SP10, and 4.1 SP4.
The forward fit policy is the same as “normal” fixes, meaning a higher version of the support patch line will also include the fixes.
The security note details will also contain a CVSS score. CVSS = Common Vulnerability Scoring System.
It is basically a 0 – 10 scoring system to give you an idea of how quickly you should apply the patch.
More info on the scoring system https://nvd.nist.gov/cvss.cfm
1. Vulnerabilities are labeled “Low” severity if they have a CVSS base score of 0.0-3.9.
2. Vulnerabilities will be labeled “Medium” severity if they have a base CVSS score of 4.0-6.9.
3. Vulnerabilities will be labeled “High” severity if they have a CVSS base score of 7.0-10.0.
In short, if you see a 10.0, you better patch quickly!
Not applying the latest security fixes can get you to fail things like PCI compliance, so after you have locked down & secured your environment, please make sure you apply the latest fixes and keep the bad guys out!