SAP System Recommendations (Security Notes/Hot Fix)
It is often observed that whenever a very high priority security note (e.g. one with a CVSS rating of 10) is released by SAP, it catches the attention of all SAP customers and many questions and discussions take place on various forums. One recent example is SAP Note # 2934135 (released in mid-July 2020), which addresses the threat of an unauthenticated attacker potentially exploiting the vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications.
In its code development lifecycle, SAP uses a variety of mechanisms to maintain a very high level of quality. Unfortunately, hackers and security researchers find new attack methods over time, which makes fixing newly discovered vulnerabilities inevitable. The security maintenance of installed SAP software is key to continuous protection against new types of attacks and newly identified potential weaknesses.
It is always recommended to review all such highly critical SAP Security Notes/Hot Fixes proactively at regular intervals (monthly or so) to ensure a secure and up-to-date SAP system landscape.
There are two ways to get information and recommendations about newly released SAP Notes: one is the SAP Support Portal and the other is SAP Solution Manager. The System Recommendations function in SAP Solution Manager checks the notes and patches relevant to the systems in the SAP landscape in order to keep all systems up to date. In this blog post, I have tried to consolidate the various points of this topic, along with the latest additions (supplied with the recent SolMan 7.2 SPS), in more detail for easy understanding. I have used reference screenshots from an SAP Solution Manager 7.2/SPS09 system.
SAP Solution Manager – System Recommendations
The System Recommendations application in SAP Solution Manager shows the relevant SAP Notes (Security Notes, Hot News, Legal Change Notes or Performance Notes) for an SAP system. It connects directly to SAP Support to download the required notes and monitors the implementation status of notes in the systems through regular background jobs. The application works for ABAP, Java and HANA systems, as well as other SAP system types that can be connected to SAP Solution Manager. You can use it for business systems like ERP, CRM, BW and Portal, as well as for infrastructure like XI, or SAP Solution Manager itself.
Technical Pre-requisites at high level
To enable System Recommendations in the Solution Manager system, the technical prerequisite is that the systems are registered in the System Landscape Directory (SLD) and defined as Technical Systems in SAP Solution Manager. Then the System Recommendations application needs to be configured to calculate the relevant SAP Notes.
SAP Note Categories
SAP System Recommendations covers the different note types listed below:
SAP Security Notes
These notes are SAP’s expert advice regarding important actions and patches to ensure the security of customers’ systems.
The priority of an SAP Security Note is determined by its CVSS v3 base score (Common Vulnerability Scoring System). CVSS is an open and vendor-neutral framework for communicating the characteristics and severity of software vulnerabilities. It is designed to unify the approaches to risk assessment across multiple vendors. CVSS is under the custodial care of FIRST (Forum of Incident Response and Security Teams).
Based on feedback from customers, partners and SAP user groups, SAP has launched a regular SAP Security Patch Day, scheduled for the second Tuesday of every month — which has been synchronized with the Security Patch Day of other major software vendors. On these SAP Patch Days, SAP publishes software corrections as SAP Security Notes, focused solely on security to protect against potential weaknesses or attacks.
Starting June 11, 2019, for all new SAP Security Notes with high or very high priority, SAP delivers a fix for Support Packages shipped within the last 24 months*. This is extended from the previous Support Package coverage of 18 months.
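To make the review cadence and priority rules above concrete, here is an added example (not code from the post or from SAP Solution Manager) that computes the Security Patch Day for a month, classifies constructed sample notes by CVSS v3 base score, and checks whether an installed Support Package falls inside the 24-month fix coverage window. The CVSS-to-priority thresholds and the sample note data other than 2934135 are assumptions, labelled as such in the code.

```python
import calendar
from dataclasses import dataclass
from datetime import date, timedelta

def sap_patch_day(year: int, month: int) -> date:
    """Second Tuesday of the month, the SAP Security Patch Day cadence the post describes."""
    first = date(year, month, 1)
    first_tuesday = first + timedelta(days=(1 - first.weekday()) % 7)  # weekday(): Tuesday == 1
    return first_tuesday + timedelta(days=7)

def priority_from_cvss(score: float) -> str:
    """Priority class of an SAP Security Note from its CVSS v3 base score.
    Assumption (not from the post): thresholds follow SAP's published ranges."""
    if not 0.0 <= score <= 10.0:
        raise ValueError("CVSS v3 base score must lie in 0.0..10.0")
    for threshold, label in ((9.0, "HotNews"), (7.0, "High"), (4.0, "Medium")):
        if score >= threshold:
            return label
    return "Low"

def subtract_months(d: date, months: int) -> date:
    """Calendar-aware 'n months ago' (clamps the day, e.g. 31 May minus 3 months -> 28/29 Feb)."""
    y, m0 = divmod(d.year * 12 + d.month - 1 - months, 12)
    return date(y, m0 + 1, min(d.day, calendar.monthrange(y, m0 + 1)[1]))

def within_fix_coverage(sp_shipped: date, note_released: date) -> bool:
    """True when the installed Support Package shipped within the 24 months before the note,
    i.e. inside the coverage window the post states for high/very high priority notes."""
    return sp_shipped >= subtract_months(note_released, 24)

@dataclass
class Note:
    number: str
    cvss: float
    released: date
    status: str  # implementation status as System Recommendations reports it, e.g. "New"/"Implemented"

def open_notes_by_priority(notes, sp_shipped: date):
    """Not-yet-implemented notes, highest CVSS first, with priority class and coverage flag."""
    pending = [n for n in notes if n.status != "Implemented"]
    return [(n.number, priority_from_cvss(n.cvss), within_fix_coverage(sp_shipped, n.released))
            for n in sorted(pending, key=lambda n: n.cvss, reverse=True)]

# Constructed sample: only 2934135 (CVSS 10, mid-July 2020) comes from the post; the others are placeholders.
SAMPLE_NOTES = [
    Note("2934135", 10.0, sap_patch_day(2020, 7), "New"),
    Note("0000001", 6.5, date(2020, 5, 12), "New"),
    Note("0000002", 8.1, date(2020, 6, 9), "Implemented"),
]
```

Calling `open_notes_by_priority(SAMPLE_NOTES, date(2019, 1, 1))` yields the pending notes in the order a monthly review would work through them.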
SAP Hot News
These are SAP customer notes with priority 1 (very high priority) that resolve or avoid problems which can cause the SAP system to shut down or lose data.
Performance Relevant Notes
These SAP Notes contain information and corrections for performance improvement of SAP systems, helping with stable system operations.
Legal Change Notes
These notes are released for requirements caused by changes in legal regulations. "Legal Change" is just a classification indicating that these Notes may be required to maintain compliance with governing authorities in different countries.
Systems Measurement (License Auditing Notes)
As of SAP Solution Manager 7.2/SPS08, System Recommendations can additionally present the note type "License Audit Notes". These notes are calculated based on the definition "Relevancy for System Measurement" in the "Attributes" section of the notes.
Log in to the SAP Solution Manager system -> run transaction code "sm_workcenter" -> in the Fiori launchpad, select "Change Management" -> tile "System Recommendations"
This shows a high-level view of the recommended SAP Notes for each system type in the landscape.
Selecting a system shows additional details such as the recommended SAP Note number, type, release date, status in the system, etc.
For each selected SAP Note there are additional reference details, such as prerequisite notes and side-effect notes, to help prepare a proper implementation plan.
Additionally, there is an option in "System Recommendations" to create a Request For Change (RFC) directly for the selected notes by integrating the SAP Solution Manager ChaRM functionality.
This helps to manage and track the workflow of an SAP Note implementation.
The System Recommendations option in Solution Manager provides comprehensive recommendations for the whole system landscape. It is always recommended to review the latest released security notes/hot news at regular intervals and plan timely actions to ensure secure, up-to-date and healthy running systems.