Frank_Buchholz
Advisor
1. Where do I find SAP Security Notes?
2. Where do I find an overview about security services including the management of security notes?
3. Where do I find information about the application “System Recommendations”?
4. Where do I find information about the application “Configuration Validation”? 
5. There are so many security notes which are relevant for my systems. How should I start implementi...
6. What is the difference between the various lists of security notes?
7. There are quite different security notes. How should I start classify them to optimize the implem...
8. What are the main steps which should be covered by a monthly security patch process?
9. I’m responsible for many ABAP based systems. How can I create a cross-system report on the result...
10. I’m responsible for many systems (ABAP and non-ABAP). How can I create a cross-system report on ...
11. Do I have to implement security notes for all components which are installed in a system even if...
12. How to test the implementation of security notes?
13. How to find prerequisite notes which will be implemented prior to the implementation of a ABAP s...
14. What should I do if I run into trouble while implementing a security note?
15. Can I use the same transport containing security note corrections for all systems?
16. Can I automatically implement security notes using the application System Recommendation? Is the...
17. The security note forces me to modify repository objects manually (dictionary object, programs, ...
18. The page SMP at /securitynotes and the application System Recommendations show a different (earl...
19. Do I need special handling of "Update Security Notes"?
20. Do I need special handling to find security related SAP notes concerning the database (or other ...
21. How do I use the Note Assistant, transaction SNOTE, efficiently?
22. What should I do if RSECNOTE shows more notes than the application System Recommendation for a s...
23. What should I do if I cannot download a note into SNOTE?
24. How should I deal with security notes during a release or support package upgrade?
25. Security notes of software component ST-PI do not seem to show up in System Recommendations. How...
26. What is the future of the EWA Security Notes Subchapter?
27. Tips for filtering within System Recommendations in SolMan 7.1
28. SysRec requires an RFC destination to download notes to SNOTE
29. What is the difference between Patch Day Notes and Support Package Implementation Notes?
30. Required authorizations to use System Recommendations
31 a. How to send e-mails with results of System Recommendations via BW Broadcasting on SolMan 7.2
31 b. How to send e-mails with results of System Recommendations via reports on SolMan 7.2
32. How to download latest Java patches using System Recommendation
33. How to optimize results of System Recommendations about Kernel notes
34. How to run cross-system reporting on System Recommendations results on SolMan 7.1
35. System Recommendations does not show any usage procedure data (UPL)
36. How can I get additional information about recent security notes?
37. How to transport note implementation status for SNOTE for notes which cannot be implemented via ...
38. System Recommendations in SAP Solution Manager 7.2
39. SAP Note Enhancer: Syntax highlighting of ABAP Code Instructions
40. The 18-Month-Rule
41. When should I check for new Security Notes?
42. How-to find Security notes for Web Dispatchers?
43. Special Components for System Recommendations




Do not use RSECNOTE anymore - its content is outdated and incomplete - use System Recommendations!

 

1. Where do I find SAP Security Notes?


Landing Page SAP Security Notes

https://support.sap.com/securitynotes
→  Access Security Notes in the SAP ONE Launchpad
https://launchpad.support.sap.com/#/securitynotes
[This is a filtered list of Security Notes.]
→  All SAP Security Notes
[This is the complete list of all Security Notes.]

Search for SAP Security Notes

https://support.sap.com/notes
→  Expert Search
https://launchpad.support.sap.com/#/mynotes?tab=Search
with filter Document Type = SAP Security Notes
[This is the complete list of all Security Notes.]

 

These pages show security notes published by SAP. To find security notes about other components like the operating system, the network or the database, you should scan other sources like NIST, too.

On the Landing Page you can find another FAQ showing additional aspects on security notes.

2. Where do I find an overview about security services including the management of security notes?


A presentation about Security Patch Processes is available at the

Landing Page SAP Security Optimization Services Portfolio

https://support.sap.com/sos

→ "SAP CoE Security Services - Security Patch Process" (Adobe PDF)

You can access the file via the Media Library as well. There you find the (old) documents "Arbeitspapier SAP Security Patch Day" (German) or "Working Paper SAP Security Patch Day" (English), too.

3. Where do I find information about the application “System Recommendations”?


Landing Page System Recommendations

https://support.sap.com/sysrec

 

4. Where do I find information about the application “Configuration Validation”? 


Overview
see http://wiki.sdn.sap.com/wiki/display/TechOps/ConfVal_Home

Reporting the results of System Recommendations using Configuration Validation
see http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Reporting_SysRec

How to use System Recommendations to create target systems containing SAP security notes
see http://wiki.scn.sap.com/wiki/display/TechOps/ConfVal_Target_SysRec_OnlineRec



5. There are so many security notes which are relevant for my systems. How should I start implementing them?


Start with the very high and high priority notes shown by the application “System Recommendations”. You may concentrate first on notes which have only automatic correction instructions for the Note Assistant, transaction SNOTE, and no other manual instructions.

6. What is the difference between the various lists of security notes?


All security notes are published on the Support Portal. Different applications show different selections of security notes.

  • The page /securitynotes in the SAP ONE Launchpad shows notes according to the defined filter. We recommend using this option only if your systems are registered in the Service Marketplace to get an automatic filter. The filter does not consider whether a note is already applied in the system.

  • The complete list of all SAP security notes is shown on the page /securitynotes → All SAP Security Notes in the SAP One Launchpad. Here you find all security notes for all SAP products, including ABAP, Java, TREX, HANA, SYBASE, SAPGUI, etc.

  • The application System Recommendations in the SAP Solution Manager shows those security notes which are relevant for a given system according to the installed software components, release, support package and patch level, and according to whether the note is already installed using the ABAP Note Assistant. You could produce a result for all systems which are registered in the SDN/LMDB of the SAP Solution Manager.


7. There are quite different security notes. How should I start classify them to optimize the implementation process?


We suggest that you classify the notes into the following groups, each building a separate work list for implementing security notes. Do not forget the 4th group.

  1. Implementation as part of a monthly standard patch process
    e.g. for ABAP Correction Instructions or ABAP software-like manual corrections

  2. Implementation as part of a project
    e.g. for notes about other components or other manual instructions

  3. Implementation as part of maintenance activities
    e.g. Support Package upgrade, Kernel upgrade, Java upgrade

  4. Implementation after maintenance activities
    e.g. manual instructions which require a Support Package upgrade or Kernel upgrade as a prerequisite


8. What are the main steps which should be covered by a monthly security patch process?


We suggest running the following steps as part of a monthly security patch process:

  • At the end of the SAP Security Patch Day you can inspect the updated list of Security Notes on the page /securitynotes in the Launchpad or the Service Marketplace. Here you see the complete list of all Security Notes.

  • Use the application System Recommendations to check which of the Security Notes are relevant for the various systems of your system landscape. (Usually you have scheduled the check as a weekly background job.) You can create change requests directly from that tool.

  • Whichever source of information you use (we propose to use all of them), you will run a Risk Assessment concerning the criticality of the Security Note as well as the risk of applying a change which might touch productively used business processes. As a result you decide which Security Notes should be applied as part of a monthly patch cycle and which will be part of the next maintenance cycle.

  • Using the application Configuration Validation you can create a report which checks which systems comply with your security policy. Therefore you add all notes which should be installed into the target system definition of the Configuration Validation.

  • Within the current month you apply the selected Security Notes and you run regression tests (if necessary) to ensure productively used business processes are working properly.

  • As part of the next maintenance cycle you will update the Kernel, apply Java Patches and ABAP Support Packages. As part of this update you will get the corrections of the Security Notes, too. However, some of the Security Notes describe configuration changes which you can apply now as well. While working on the update it might be the case that you will get new Security Notes from newer Patch Days. You should include these if possible. Finally you run a complete test of your business processes.


9. deleted


 

10. I’m responsible for many systems (ABAP and non-ABAP). How can I create a cross-system report on the results of the application System Recommendation?


There are several options to produce a cross-system report on SAP Solution Manager 7.1:

  • Export the list shown by the application System Recommendations to Excel and combine the results from different systems. There are two different file formats for Excel: a) Using the Application Component View or the Software Component View and b) using the List View.

  • Use the code-exchange report ZSYSREC_NOTELIST to produce a cross-system report. This report simply shows the already existing results of System Recommendations in a list and offers a cross-system option to maintain the System Recommendation status. See the blog "Report ZSYSREC_NOTELIST - Show results of System Recommendation".

  • As of SAP Solution Manager 7.10 SP 3 you can use the built-in BW reporting capabilities of the application System Recommendations


The SAP Solution Manager 7.2 shows a cross-system view on relevant Security Notes.
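
The following sketch combines the manual export option above with the work-list classification from question 7 and the "start with very high and high priority, automatic-only notes" advice from question 5. It is an added example, not code from this blog or from SAP; the column names, system IDs, note numbers and the mapping of flags to the four work lists are assumptions made for illustration.

```python
import csv
import io

# Constructed sample exports, one per development system. The column layout and
# the note numbers are made up; a real System Recommendations export differs.
EXPORTS = {
    "D01": (
        "note;priority;kind;auto_ci;manual_ci;needs_upgrade\n"
        "0009000001;1 ;ABAP;X; ; \n"
        "0009000002;2 ;ABAP;X;X; \n"
        "0009000003;2 ;KERNEL; ; ; \n"
        "0009000004;3 ;ABAP; ;X;X\n"
    ),
    "D02": (
        "note;priority;kind;auto_ci;manual_ci;needs_upgrade\n"
        "9000001;1 ;ABAP;X; ; \n"
        "9000005;2 ;OTHER; ;X; \n"
    ),
}

WORKLISTS = {
    1: "monthly patch process",
    2: "project",
    3: "maintenance activity",
    4: "after maintenance activity",
}


def _flag(value):
    # Flags are exported as 'X' or ' ' (space).
    return value.strip().upper() == "X"


def load_export(system, text):
    """Parse one export and normalize the fields that differ between sources."""
    rows = []
    for raw in csv.DictReader(io.StringIO(text), delimiter=";"):
        rows.append({
            "system": system,
            # Note numbers may carry leading zeros; strip them so that the
            # same note from two exports is merged into one entry.
            "note": raw["note"].strip().lstrip("0"),
            # Priorities may carry trailing spaces ('1 ' = HotNews, '2 ' = High).
            "priority": int(raw["priority"].strip()),
            "kind": raw["kind"].strip().upper(),
            "auto_ci": _flag(raw["auto_ci"]),
            "manual_ci": _flag(raw["manual_ci"]),
            "needs_upgrade": _flag(raw["needs_upgrade"]),
        })
    return rows


def worklist(row):
    """Assumed, simplified mapping of a note to one of the four work lists."""
    if row["manual_ci"] and row["needs_upgrade"]:
        return 4  # manual steps that need an SP or Kernel upgrade first
    if row["kind"] in ("KERNEL", "JAVA") or not (row["auto_ci"] or row["manual_ci"]):
        return 3  # delivered with a Kernel, Java or Support Package update
    if row["kind"] == "ABAP" and row["auto_ci"]:
        return 1  # ABAP correction instructions for SNOTE
    return 2      # other components or other manual instructions


def first_wave(row):
    """Priority 1 or 2, automatic correction instructions only, no manual steps."""
    return row["priority"] <= 2 and row["auto_ci"] and not row["manual_ci"]


def cross_system_report(exports):
    """Merge all exports into one list, first-wave notes on top."""
    merged = {}
    for system, text in exports.items():
        for row in load_export(system, text):
            # If systems disagree about a note, the first export seen wins.
            entry = merged.setdefault(row["note"], {
                "note": row["note"],
                "priority": row["priority"],
                "worklist": worklist(row),
                "first_wave": first_wave(row),
                "systems": [],
            })
            entry["systems"].append(system)
    return sorted(
        merged.values(),
        key=lambda e: (not e["first_wave"], e["priority"], e["worklist"], e["note"]),
    )


if __name__ == "__main__":
    for e in cross_system_report(EXPORTS):
        mark = "*" if e["first_wave"] else " "
        print(mark, e["note"], e["priority"], WORKLISTS[e["worklist"]],
              ",".join(e["systems"]))
```
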

11. Do I have to implement security notes for all components which are installed in a system even if I do not use any function from a component, e.g. FI notes in an HR system?


Yes, if a software component exists in a system then it has to be fixed even if you do not use the function. The reason for this is simple: An attacker might be able to misuse the security vulnerability. Well, in case of unused components you can implement the note using reduced tests as you only need to test productively used business processes.

There is one exception: Often you cannot implement notes for switched components like industry add-ons if the switch is not active. Omit such notes if they fail in transaction SNOTE. Usually you find a hint in the note describing that a switched component gets patched. Use transactions SFW3 and SFW5 to verify the status of switches.

Here's the list of software components having candidates of such notes:
ECC-DIMP
FI-CA
FI-CAX
INSURANCE
IS-CWM
IS-H
IS-M
IS-OIL
IS-PS-CA
IS-UT

 

12. How to test the implementation of security notes?


You do not need to test if the security vulnerability is solved – this is the task of SAP – however, you should test if your productively used business processes are still working. Here are some (insufficient) tips:

  • Some notes describe that obsolete but critical functions get deactivated. In such a case you can implement the correction directly.

  • Some notes describe corrections about authorization checks. Have a close look at the correction instruction to identify the authorization object and to decide if you have to run tests for users who should or should not have authorizations for this authorization object.

  • Have a close look at the correction instruction to identify the report, program, function etc. which gets touched by the correction.

  • As of SAP Solution Manager 7.10 SP 5 you can use the integration between the application System Recommendations and the Business Process Change Analyzer (BPCA) to identify business process steps which might be affected by a note.



  • If the implementation of the security patch is part of a Kernel update, or of a Java patch or ABAP Support Package maintenance activity, then you do not need special test procedures because of the security patch as you are going to test everything anyway.

  • For ABAP notes containing automatic ABAP correction instructions you have the additional option for individual implementation which might lead to an individual test.

  • As the text of the note usually does not contain anything about the business risk of implementing the note or about recommended test procedures, it’s up to you to prepare required tests.


Further recommendations to analyse the business risk of implementing security notes:

1. Have a look at the application component.

  • Does it belong to the basis, a framework used by applications or an application itself?

  • Do you use this application productively in business or only by basis team or not at all?


2. It’s very valuable to have a close look at the automatic ABAP correction instruction because here you see what gets changed:

  • Which objects get touched (you can get this information in the System Recommendations tool as well)?

  • Is it a small or a large change?

  • Is it just about deactivation of obsolete but critical code of the whole function or a part of it?

  • Are there any new authority checks (-> note the authorization object) or calls to function FILE_VALIDATE_NAME (-> note the logical file name)?

  • Is the change related to the normal flow of the program or is it about exceptional cases?


3. Run a test implementation using the Note Assistant, transaction SNOTE, to get the list of truly required prerequisite notes (but do not apply the note yet).

  • Do you have to apply prerequisite notes (which might contain other functional changes)?


Best practice reported by customers:

1. Reduce or omit testing if

  • the change is related to applications which you do not use

  • the change just deactivates obsolete but critical code

  • the change is very small, has no prerequisites and does not touch the normal flow of the program

  • the change may hurt basis team only but does not have any influence to business

  • has no manual steps


2. Increase analysis and testing effort if item 1. does not match mainly because

  • the change is complex, has prerequisites or manual steps

  • touches the normal program flow of used business functions within applications which are important for business

  • anything else


13. How to find prerequisite notes which will be implemented prior to the implementation of an ABAP security note?


You have to start the process of implementing a note using the SAP Note Assistant to get detailed information about prerequisite notes. Have a close look at these prerequisite notes to find additional manual correction instructions which are mandatory.

 

14. What should I do if I run into trouble while implementing a security note?


Please create a support ticket on the component of the note.

 

15. Can I use the same transport containing security note corrections for all systems?


No, you have to implement every security note independently in every DEV-TST-PRD transport landscape.

 

16. Can I automatically implement security notes using the application System Recommendation? Is there any remote-implementation function within System Recommendations?


No, you have to implement every security note manually in every DEV-TST-PRD transport landscape. If you are responsible for many DEV systems then you have to implement notes several times.

As of SolMan 7.1 SP 5 you can ease the first step of the implementation, as it's now possible to select notes in System Recommendations and download them automatically into the Note Assistant of a DEV system.

17. The security note forces me to modify repository objects manually (dictionary object, programs, messages, etc.) but this requires developer skills, a registration key and produces some trouble during the next support package upgrade. What should I do?


[I’ve no good answer yet. At least I always would omit the modification of messages - then you would get just the message number but not a text, however, I believe that's better than modifying repository objects.]

 

18. deleted


 

19. Do I need special handling of "Update Security Notes"?


Update notes describe or contain extensions or corrections on original notes. Depending on the type of the note you can optimize the handling of these notes - especially if you are using the application System Recommendations as these tools automatically consider changed original notes:

  • If the update note describes that an original note was extended or updated you can ignore the update note as the application System Recommendations will show the original note again.
    Usually such update notes are marked as "SP independant" in the application System Recommendations. Switch to the software component view to see this classification.

  • If the update note contains the extension or correction, well, then you can treat such an update note as any other note: implement it according to your security patch policy. System Recommendations will show the note as "SP specific" if it's relevant for the system.


20. Do I need special handling to find security related SAP notes concerning the database (or other areas which are not directly related to ABAP or Java)?


Most security related notes about databases (except for HANA) are not classified as “Security Notes”.

You have to find such security related notes via other channels.

Let's have a look at an example: If you search at https://support.sap.com/notes for notes containing the term "CVE" within the application component BC-DB-ORA, then you'll find some security related notes for the database (1753297, 1714255, 1714667) which are not SAP Security Notes listed at https://support.sap.com/securitynotes. Using the search term "security" you find more notes, e.g. 1710997, 157499, showing important information about security aspects of the database. Therefore you should keep on looking at https://support.sap.com/notes and you should not forget to scan other sources like NIST to find security notes about the operating system, network components or the database etc.

Central notes for Oracle:

  • Note 1868094 - Overview: Oracle Security SAP Notes (updated on 03.12.2013)
    This note lists ~60 security related notes

  • Note 850306 - Critical Patch Update Program (updated on 25.11.2014)
    This note lists ~30 critical patch notes


Other sources about secure configuration of Oracle databases:

21. How do I use the Note Assistant, transaction SNOTE, efficiently?


Preparation:

Get the latest version of the Note Assistant (see http://support.sap.com/note-assistant ) and watch out for correction notes about the Note Assistant which belong to the application component BC-UPG-NA.

Tip: You can use the application System Recommendations to search for correction notes of this component as well.

1. Step: Create Worklist

Use the application System Recommendations to produce the worklist, e.g. using the user-status filter and the export-to-Excel feature. Finally put a list of notes into the clipboard.

2. Step: Download Notes

Call transaction SNOTE → Download SAP Note (Ctrl+F8) or submit report SCWN_NOTE_DOWNLOAD
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and start the download


3. Step: Install Notes

Call transaction SNOTE → SAP Note Browser (Ctrl+F9) or submit report SCWN_NOTE_BROWSER
→ Multiple Selection
→ Upload from Clipboard (Shift+F12)
Go back and save the selection as a report variant
Start the implementation


 

22. deleted


 

23. What should I do if I cannot download a note into SNOTE?


Sometimes you run into trouble while downloading large notes in transaction SNOTE, like for the security note 1826162 from July 2013. (In addition this note requires another large note 1674132, too.)

In such a case use the download basket to get the note:

  1. Show the note on SAP Support Portal, e.g. https://launchpad.support.sap.com/#/notes/1826162 

  2. Use the button "Download Corrections". You get a new window showing a log.

  3. Repeat 1. and 2. for more notes, e.g. note 1826162 requires other note 1674132

  4. Use the button "Download Basket" on the log window to show your basket

  5. Click on every link for the selected notes to download the file via the internet browser (You could try to use the SAP Download Manager, however, this might not work as it uses the same interface as SNOTE.)

  6. Un-zip the archive files which you have downloaded

  7. In transaction SNOTE use the menu path Goto → Upload note to load the note(s) one by one - or use report ZSCWN_NOTES_UPLOAD to load multiple note files

  8. Implement the note as usual


Another advantage is, that you can use the same files for uploading notes into several development systems without downloading them again and again.

24. How should I deal with security notes during a release or support package upgrade?


As part of any upgrade you should get information about required Security Notes.

SAP recommends to use

running the technical release or support package upgrade to get the list of required security notes.

In general I do not recommend to select notes by date because even old notes can be relevant. (Use a selection for the date only if you want to see new notes e.g. of the most recent patch day.)

However, you will see the following typical result using the list view in System Recommendations after implementing the latest support package (which is some weeks or even months old concerning SAP development closing):

a) There are few new security notes having automatic correction instructions

b) There are one hundred or more old security notes without automatic correction instructions which still show up in System Recommendations.

Obviously you should implement notes of group a) at once as it's much cheaper to include them as long as you haven't started application testing than implementing them later.

Notes of group b) are more difficult: First you have to decide if they are in fact still relevant - they may not be relevant any more, but System Recommendations simply cannot judge this. Therefore I would agree if you work through this list from new to old skipping the very old ones.

25. Security notes of software component ST-PI do not seem to show up in System Recommendations. How can I find them?


The application System Recommendations checks all notes if they are relevant for a technical system which is registered to the SAP Solution Manager(*). However, the tool relies on the completeness of meta data within the notes (validity ranges of the note, assigned support packages, validity of correction instructions).

Notes about software component ST-PI tend to have incomplete meta data (because of some limitations in the correction workbench used at SAP) but describe the complete validity range in the text - which cannot be interpreted by System Recommendations. Example: "Apply Support Package ST-PI 2008_1_* SP08." The "*" indicates that all releases are affected.

To cover such notes you should inspect the page https://support.sap.com/securitynotes and search for notes of application component SV-SMG-SDD (which is related to software component ST-PI). Currently, November 2013, you would find 17 notes this way.

(*) This means as well, that security notes which refer to software which is not part of a technical system cannot be shown by System Recommendations (SAPGUI, database, ...).

 

26. deleted


 

27. Tips for filtering within System Recommendations in SolMan 7.1


Before being able to use the filter you need to switch it on. See the Filter button on the far right of the table.

(By the way: Using the Setting button you can change the layout of columns, choose sorting and filtering etc. and you can store these settings.)

The filter for notes requires leading zeros, but it's easier to use a pattern: *1234

The filter for priorities requires always a condition to cover trailing spaces:

HotNews: 1*
High: 2*
HotNews and High: 1*;2* or <3
Medium and Low: 3*;4* or >3 (yes, that's correct as there are trailing spaces)


The filters for automatic and manual correction instructions use X or ' ' (space) respectively.

Use a pattern to filter Release Independent Notes: e.g. *indep* (the default settings as described above define filters as case insensitive)

Disclaimer: I do not know the complete truth about filtering in WebDynpro ABAP. This tip simply describes what I've figured out so far.

 

28. SysRec requires an RFC destination to download notes to SNOTE


Using System Recommendations you can download selected notes directly into the Note Assistant, transaction SNOTE, of a managed ABAP system.

Prerequisites:

  • You view the results of a development system (but not of a production system)

  • The Solution Manager is able to use an RFC destination pointing to the managed system which allows downloading notes.


By default, System Recommendations tries to use the Trusted-RFC-Destination which was defined during Managed System Setup. However, you can override this selection using customizing settings as described in note 1796439 - SysRec: Download SAP Notes via desired RFC destinations:

To maintain Service Desk Customizing use transaction DNO_CUST04 (or call transaction SM30 for table DNOC_USERCFG).

System Recommendations uses following keys:

SYSREC_RFC_TYPE

Short text: Type of default RFC destination (TRUSTED, CUST_LOGIN, ...)

SysRec searches the list of RFC destinations defined during managed system setup to find a destination which matches this type. Useful values are TRUSTED (default) or CUST_LOGIN.

SYSREC_RFC_<SID>

Short text: Specific RFC destination

SysRec uses this destination to connect to the managed system.

SYSREC_CLIENT_<SID>

Short text: Default client

Tip: Even if the customizing table allows user specific entries we recommend to create user-independent entries only.

29. What is the difference between Patch Day Notes and Support Package Implementation Notes?


see Announcement from July 8, 2013:

SAP delivers important security fixes on its monthly Security Patch Day. SAP strongly recommends its customers to implement security fixes, flagged with priority 1 and priority 2, primarily fixing externally reported issues. The fixes are released on the second Tuesday of every month, and can be used to fix a particular vulnerability without needing to update a system to service packs.

In order to further reduce the implementation efforts for our customers, other security fixes like priority 3 and 4 will generally be delivered with support packages. SAP strongly recommends its customers to apply Support Packages on their systems as soon as a support pack is available. The Support Packages can be found on SAP Service Marketplace in the corresponding product area. Information about these improvements will also be published in security notes with priority 3 and 4 some months after Support Packages have been released.

Patch Day Notes

  • SAP Security Notes published on and for Security Patch Day

  • Contain important security corrections

  • Very often address security issues reported from external sources

  • Have CVSS scoring in most cases


Support Package Implementation Notes (SPIN)

  • Typically address security issues of minor impact found internally at SAP

  • Should not be published in the first place but just be contained in future Support Packages

  • But had to be published outside Support Packages and outside the Patch Day schedule because of some customer production issue for which the solution requires implementing the note first

  • Might be published on Patch Day dates as well


From mid of March 2014 until Summer 2016 you were able to select Patch Day Notes and Support Package Implementation Notes separately on SAP Service Marketplace.
Now you cannot see this classification anymore on the SAP ONE Launchpad.

Finally, let's have a look at the customer's point of view:

Are Support Package Implementation Notes really different ... as soon as they are published?

-> Well, the bad guys can read these notes as well and develop exploits based on the ABAP correction instruction. Therefore, use CVSS, priority and your own risk assessment to judge notes, but don’t use the type as a major differentiator.

30. Required authorizations to use System Recommendations


First of all you need access to Work Center "Change Management" (if you don't use the corresponding WebDynpro application directly).

To control access to System Recommendations, the authorization object SM_FUNCS in SAP Solution Manager 7.1 (or SM_TABS in SAP Solution Manager 7.0) can be used to grant or deny access to the different tabs of System Recommendations. Use the fields ACTVT=03, SM_APPL=SYSTEM_REC, SM_FUNC=tab (i.e. SECURITY).

You can restrict access to the systems of specific solutions using the authorization object D_SOL_VSBL with SOLUTION=solution id and ACTVT=03.

Depending on the version of the Solution Manager, authorization object AI_LMDB_PS with ACTVT=03 and LMDB_NAMES=ACTIVE and PS_NAME=system id controls access to individual systems as well. These authorization objects are the minimal set which you need to execute the WebDynpro application directly.

See chapter 16.6 "System Recommendations" and 13.14.2 "User Roles for Solutions, Projects, Solution Directory" in the documentation → Operations → Security Guide SAP Solution Manager 7.1 SP14.

By the way:

  • Tracing for authorizations using transaction STAUTHTRACE shows many more authorization objects, which get checked e.g. to verify if you can use the CharM integration etc. Most of them are optional concerning the basic view within System Recommendations.

  • This Wiki shows an overview about authorization objects used in different scenarios of the SAP Solution Manager.


31 a. How to send e-mails with results of System Recommendations via BW Broadcasting on SolMan 7.1











In SAP Solution Manager 7.2 this function is not supported anymore, as the broadcaster 3.x is not supported for BW 7.4 and higher.

See Note 2044155 - BEx Broadcaster 3.x is no longer supported


Prerequisites

You are using SAP Solution Manager 7.1.

To send reports by e-mail, you use the standard functions for BW Web Templates, which require only that your BW system (= Solution Manager) is connected to your e-mail communication.

More information:

You need note 1880710 "3.X Broadcaster sends empty document" (pilot release) of component BW-BEX-ET-BC if your Solution Manager runs with SAP_BW 702 SP 10-14 to be able to enter lower case selections e.g. for area = "Security".

Configuration

  • Call the BW report that you want to send by e-mail, and choose the desired settings for the time interval and the systems to be displayed. Create a Bookmark URL which you later can add to the e-mail text.

  • Ensure that you call the reports with the user under whose name the e-mails are to be sent. Ensure that this user has a working e-mail address in his or her user data (transaction SU01).

  • Right-click any active area of the BW report to display the context menu, switch to the Extended Menu and choose Distribute -> By E-Mail.

  • A new screen now appears, on which you can make settings for the sending of the e-mail. If you have not yet created appropriate settings, choose Create New Setting. Either create the settings manually or using the wizard.

  • You can define the title and text of the e-mail here, and to whom it is to be sent:

    • In the Description input field, enter a meaningful description of the settings.

    • If you want to send the report directly as part of the e-mail, and it is to be displayed directly in the e-mail, choose the Output Format MHTML.

    • You can select recipients using their user names in the system or their e-mail addresses. You can also define the recipient list using roles. Separate multiple recipients with semicolons.

    • On the Texts tab page, you define the title and text of the e-mail. Note that the e-mails only contain the BW Report itself, that is, they do not contain the selection elements (report name, time interval, and system ID). Create an e-mail text so that the report can be understood without this information.

    • If, in addition to viewing the sent BW report, the recipient should be able to directly access the BW report interactively, insert the relevant Bookmark-URL in the contents of the e-mail.

    • Leave the data on the General Precalculation and Filter Navigation tab pages unchanged.



  • Choose Save, and specify a technical name for the settings.


Options for Sending

If you only want to send this report once immediately, choose Execute; however, it is more likely that you will want to send the report automatically at regular intervals. In this case, choose the Schedule button.

You define the scheduling on a new screen. To create a new periodic schedule, activate the two indicators Create New Scheduling and Periodic…. Now select the desired period and the next start time.

Choose the Transfer button, and save your changes. You have now completed the scheduling. The desired recipients will now regularly receive the desired reports.

Credits for this part go to the blog dirk.jenrich/blog/2009/12/08/it-performance-reports-in-your-inbox--stay-informed-any-time-anywhere which I had used to compile the text.

31 b. How to send e-mails with results of System Recommendations via reports on SolMan 7.2


As of SolMan 7.2 SP 3 you can send results from Configuration Validation and from System Recommendations via email using new reports which you can schedule as background jobs:
Configuration Validation: DIAGCV_SEND_CONFIG_VALIDATION
System Recommendation: DIAGCV_SEND_SYSREC

See Note 2427770 - Configuration Validation: Sending compliance results via email

On SolMan 7.2 SP 3-4 you have to install note 2401878 after installing note 2427770.

Example for report DIAGCV_SEND_SYSREC

Selection Screen:



Result:


32. How to download latest Java patches using System Recommendation


KBA Note 2041071 shows how to download latest Java patches using System Recommendation.

33. How to optimize results of System Recommendations about Kernel notes


Starting from Solution Manager 7.1 SP 5 the kernel information for the managed system has to be synchronized into LMDB in order for System Recommendation to filter out non-relevant Kernel notes.

According to KBA Note 2023342 perform following steps:

  1. Refer to note 1717846 and 1018839 for kernel registration (Krnlreg for all technical instances) in SLD.

  2. Ensure that synchronization between SLD and LMDB is carried out so the kernel info of the managed system is synchronized into LMDB.

  3. Check the software component list of the managed system in transaction LMDB and ensure that the kernel information is listed showing release and patch level.


34. How to run cross-system reporting on System Recommendations results on SolMan 7.1


The SAP Solution Manager offers cross-system BW reporting showing results from System Recommendations. You do not need any specific preparation like activating BW content, because a virtual data provider is used which is available out of the box.

  1. Execute cross-system BW reporting via System Recommendations

    • Show System Recommendations for a system and use the link "System Recommendations Reporting" on top of the results

    • The BW query will be executed with default selections (which is usually not what you want to do):
      All systems of the solution will be selected
      Data from all areas (Security, HotNews, Legal Change, Performance) will be selected

    • You can change the selection afterwards within the BW report via "Right click -> Enhanced menu -> Variables Entry" on any active element



  2. Execute cross-system BW reporting via Configuration Validation (offering the selection screen first)

    • Start application Configuration Validation via same Work Center "Change Management" (you find the link at the bottom of the left navigation pane)

    • Choose tab "Report Execution -> Reporting Templates"

    • Choose tab "Configuration reporting"

    • Optional: Select a system list for comparison (if you have defined one)

    • Select configuration report 0TPL_0SMD_VCA2_SYS_RECOM_NOTES "System recommendation reporting (missing SAP Notes calculated from system recommendations)"

    • Finally enter selections about systems, area (Security, HotNews, Legal Change, Performance), notes (as of SolMan 7.1 SP 9 there is a quite useful checkbox "Allow to paste note numbers") or date ranges



  3. Execute cross-system BW reporting via URL

    • Construct a URL which shows the selection screen of the query:
      http(s)://<server>:<port>/sap/bw/BEx?QUERY=0SMD_VCA2_SYS_RECOM_NOTES&CMD=PROCESS_VARIABLES&VARIABLE_SCREEN=X

    • Execute this URL or store it as a favorite in your browser



  4. ... or use classical SAPGUI-ALV reporting via customer report ZSYSREC_NOTELIST


35. System Recommendations does not show any usage procedure data (UPL)


SysRec can show usage procedure data as of SolMan 7.1 SP 10 on the popup which shows the object list of selected notes. (As of SolMan 7.1 SP 12 it's much easier to switch on UPL.)

You can use this information to decide about the required test effort, e.g. based on rules like these:

  • If the usage count is zero in production systems you can assume that the note corrects unused code which might allow you to skip explicit testing.

  • If the usage count is quite high in test systems you can assume that the corrections will be tested implicitly if the correction stays there for a while. Again, you might skip explicit testing.


While preparing demo environments to show UPL data I had observed some obstacles.

If you do not see the additional column in System Recommendations -> Object List or if you get zero results only:

  • Check if UPL is active in managed system:

    • Report /SDF/UPL_CONTROL should show an active status.

    • Report /SDF/SHOW_UPL should show some data (run it for a previous day to get results faster).



  • Check if SolMan gets usage data:

    • BW-Query 0SM_UPL_DATE_RANGE_BPCA respective 0SM_CCL_UPL_MONTH should show some data.
      Keep in mind that it takes some time (up to 2 days) to replicate usage data into these queries.



  • Check if SysRec can retrieve the object list of notes:

    • Update from 2.12.2014: On SolMan 7.1 up to SP 12 you need to implement note 2099728 first.

    • The application log AGS_SR of SysRec in transaction SLG1 should not show error "Assigned S user and RFC user of destination are incompatible".
      Ensure that there exists a valid entry in transaction AISUSER which connects your user to a valid S-user (see KBA note 1794131).




If you cannot solve the issue by yourself then raise a ticket:

  • If UPL is not working as expected ask for advice via application component SV-SMG-CCM-CDM

  • If SysRec does not show existing usage data, create a ticket on application component SV-SMG-SR

  • If report ZSYSREC_NOTELIST does not show existing usage data, send me a mail or comment on the blog


36. How can I get additional information about recent security notes?


Frank Buchholz from the SAP Active Global Support department Security Services runs regular webinars in different time zones, in English and German, about recent security notes and presents tips about using tools like System Recommendations efficiently.

You can find the presentation of this regular webinar on the Service Marketplace as well: SAP Security Notes Webinar (pdf).

Hosted by ASUG Security SIG:

"Join the SAP Security Expert, Frank Buchholz, SAP CoE Security Services for a monthly webcast series detailing "What’s new about SAP Security Patching". This interactive series will be held on the Wednesday in the week after a PatchDay at 12:00 p.m. ET. Mark your calendars and consider joining us for an on-going conversation about SAP Security."

Hosted by DSAG AG SAP Security Vulnerability Management:

"We would like to invite you to our regular webinar, in which selected SAP Security Notes are discussed that could cause difficulties during implementation or that cannot be clearly assessed with regard to affected components or impact.

The webinar takes place monthly, usually on the Wednesday in the week after the PatchDay, from 14:00 to 15:00.

The following topics are planned:

- Tips and tricks for interpreting and implementing selected security notes from the last 2-3 months

- Questions to the experts"

 

37. How to transport note implementation status for SNOTE for notes which cannot be implemented via SNOTE?


Let's assume you want to transport the note implementation status for all ABAP notes to the production system. That's easy for notes having automatic correction instructions only, but what if a note just contains a description or a manual instruction, e.g. to maintain customizing, profile parameters or authorization roles?

Well, if you set the processing status manually in transaction SNOTE you get no transport order. However, you can create the transport manually:

Preparation: Ensure that note 1788379 is installed in the system.

1. Load note into transaction SNOTE. You observe that you cannot implement a note if there is no automatic correction instruction.

2. Set processing status manually to "completed". (This is different from the implementation status of SNOTE, which remains at the value "Cannot be implemented".)

3. Run report SCWN_TRANSPORT_NOTES to add notes to an existing or new transport. You can use this report if the note contains some correction instructions.

Manual transport (for notes without correction instructions): Create workbench-transport or transport-of-copies and add the transport keys manually (including leading zeros). Example:
R3TR  NOTE  0001584548
R3TR  NOTE  0001628606
R3TR  NOTE  0001631072
etc.

4. Export the transport and import it into the target system.

You will see the following in the transport log (table CWBNTCUST contains the processing status in field NTSTATUS and the implementation status in field PRSTATUS):
    Start export R3TRNOTE0001584548 ...

    1 entry from TADIR exported (R3TRNOTE0001584548                              ).

    3 entries from CWBNTCI exported (0001584548*).

    0 entries from CWBNTCONT exported (0001584548*).

    1 entry from CWBNTCUST exported (0001584548*).

    3 entries from CWBNTDATA exported (NT0001584548*).

    […]

  End of export R3TRNOTE0001584548

5. Run the note browser of SNOTE, report SCWN_NOTE_BROWSER, and validate the processing status.

6. With the next run of SysRec's background job the note will vanish from the result list. System Recommendations does not use the processing status which you have set in SNOTE manually - it only considers the implementation status E = "Completely implemented".
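
The manual transport keys and the export log check from the steps above, as an added example (not part of the original post and not SAP tooling): it pads note numbers to the 10-digit key form and reads an export log in the layout shown above to list notes whose export carried no CWBNTCUST entry, the table that holds the status. The function names and the second log block are constructed.

```python
import re

START = re.compile(r"Start export R3TRNOTE([0-9]{10})")
END = re.compile(r"End of export R3TRNOTE([0-9]{10})")
ENTRY = re.compile(r"([0-9]+) entr(?:y|ies) from (\w+) exported")


def note_id(raw):
    """Normalise a note number to the 10-digit form used in transport keys."""
    text = str(raw).strip()
    if not re.fullmatch(r"[0-9]{1,10}", text):
        raise ValueError(f"not a note number: {raw!r}")
    return text.zfill(10)


def transport_keys(notes):
    """Sorted, de-duplicated 'R3TR  NOTE  <id>' lines for a manual transport."""
    return [f"R3TR  NOTE  {n}" for n in sorted({note_id(x) for x in notes})]


def exported_tables(log_text):
    """Map note id -> {table name: exported entry count} from an export log."""
    result, current = {}, None
    for line in log_text.splitlines():
        if m := START.search(line):
            current = m.group(1)
            result[current] = {}
        elif END.search(line):
            current = None
        elif current and (m := ENTRY.search(line)):
            result[current][m.group(2)] = int(m.group(1))
    return result


def notes_without_status(log_text, notes):
    """Requested notes whose export has no CWBNTCUST entry or no log block."""
    tables = exported_tables(log_text)
    wanted = sorted({note_id(x) for x in notes})
    return [n for n in wanted if tables.get(n, {}).get("CWBNTCUST", 0) < 1]


# First block follows the log excerpt in the text; the second is constructed.
SAMPLE_LOG = """\
Start export R3TRNOTE0001584548 ...
1 entry from TADIR exported (R3TRNOTE0001584548).
3 entries from CWBNTCI exported (0001584548*).
0 entries from CWBNTCONT exported (0001584548*).
1 entry from CWBNTCUST exported (0001584548*).
3 entries from CWBNTDATA exported (NT0001584548*).
End of export R3TRNOTE0001584548
Start export R3TRNOTE0001628606 ...
1 entry from TADIR exported (R3TRNOTE0001628606).
0 entries from CWBNTCUST exported (0001628606*).
End of export R3TRNOTE0001628606
"""

if __name__ == "__main__":
    requested = ["1584548", 1628606, "0001631072"]
    print("\n".join(transport_keys(requested)))
    print("no status exported for:", notes_without_status(SAMPLE_LOG, requested))
```

A note reported by `notes_without_status` still needs its processing status checked in the target system with SCWN_NOTE_BROWSER, as in step 5.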

38. System Recommendations in SAP Solution Manager 7.2


Here is the overview about the main improvements of SysRec in upcoming release SAP Solution Manager 7.2:

  • User Interface based on Fiori

  • You can store individual views with selections as Fiori tiles

  • Cross-system view and cross-system status and comment management

  • Customizing for status values, i.e. to create different work lists for implementation

  • Status with history and cumulative comments

  • Hide Application Components which do not match to used DB or OS installations

  • General Customizing and Personalization


You find an overview about the new features at

https://support.sap.com/sysrec

Usage, configuration and customizing of System Recommendations in SAP Solution Manager 7.2

39. SAP Note Enhancer: Syntax highlighting of ABAP Code Instructions


The Google Chrome extension respective Firefox User Script "SAP Note Enhancer" enhances the visualization of correction instructions of notes when viewed in the SAP Marketplace or in the Launchpad.

The ABAP portions of the correction instructions are highlighted and the background of insertions and deletions are shown in different colors.

This makes it easier to understand the involved code changes.

See the blog of the developer:

http://scn.sap.com/community/abap/blog/2015/06/28/chrome-extension-to-highlight-abap-correction-inst...

Get it here:

https://chrome.google.com/webstore/detail/sap-note-enhancer/keibkcomemkcceddcddjdlncidohgedk

 

40. The 18-Month-Rule


SAP provides security corrections for all product releases which are in maintenance according to the Product Availability Matrix (PAM).

These security corrections are always part of “Support Packages” (respective “Revisions” for HANA).

SAP produces Security Notes including “Correction Instructions” (in case of ABAP) respective “Patches” (in case of Kernel, Java, or HANA), too. The overall validity range for corrections in such Security Notes is defined by the so-called “18 month rule” as defined with the introduction of the SAP Security Patch Day in September 2010:

Regular SAP Security Patch Day Launched     13.09.2010
https://service.sap.com/~sapdownload/011000358700000968302010E/news-patchday.htm 
[…]
On the SAP Security Patch Day, we will provide the fixes in form of notes on SAP Service Marketplace. Security fixes for SAP NetWeaver based products are also delivered with the support packages for these products. For all notes with high or very high priority we provide this service for the support packages from the last 18 months.
[…]

On the other hand, there exists a general 12-month rule as well:

https://support.sap.com/sp-stacks
[…]
SAP recommends regular application of these SP Stacks at least once a year so that all corrections can be implemented. To optimize quality, we ask customers to heed the minimum requirements, and apply the Support Packages and patches specified in the SP Stack together.
[…]

Security corrections are created just like other corrections, therefore, this rule is in operation for Security Notes as well.

Limitation: Corrections for internally found security vulnerabilities with high (since mid-2016), medium, or low criticality may only be part of support packages respective revisions but may not have a published security note. You have to upgrade the support package respective revision to get these corrections.

Conclusion:

Correction Instructions respective Patches are not necessarily created for support packages respective revisions which are older than 18 months. You have to upgrade the support package respective revision to get these corrections.

ABAP:

Usually it is easy for the developer of an ABAP correction to provide correction instructions for all / most support packages for all active releases without any additional work. Therefore you can observe that most security notes for ABAP contain valid correction instructions for old support packages, too. However, if this is not possible due to technical limitations then the developer can restrict the validity of the correction instruction to newer support packages only.

Kernel:

For the Kernel, we create patches for the releases which are in maintenance. If a security note does not offer a patch for the Kernel release of your system, then you need to upgrade the Kernel release. (All releases up to and including 7.20 are out.)

See

SAP Kernel: Important News
http://scn.sap.com/docs/DOC-53415

Note 1969546 - Release Roadmap for Kernel 74x and 75x

Note 1975687 - SAP Kernel 7.21 (EXT) replaces SAP Kernel 7.20 (EXT) as standard kernel in Q1/2015

Note 787302 - Maintenance for SAP kernels seems to end too soon

Java:

For Java, we create patches for the last 2-3 SP per release according to the 18-month-rule. If a security note which matches an installed software component release does not offer a patch for the support package of your system, then you need to upgrade the support package.

HANA:

You need to update the revision. As of SPS 12 there exist maintenance revisions in addition to full release revisions.

Note 2378962 - SAP HANA 2.0 Revision and Maintenance Strategy

Note 2021789 - SAP HANA 1.0 Revision and Maintenance Strategy

41. When should I check for new Security Notes?


The Patch Day happens on the 2nd Tuesday of every month. Nowadays the publication of new security notes which are part of a Patch Day is triggered automatically on Tuesday right after midnight in CET timezone.

You can schedule the background job SM:SYSTEM RECOMMENDATIONS of application System Recommendation accordingly.

Exceptions:

  • Security Notes with very high priority like HotNews can be published on any date.

  • Security Notes with low or medium priority (aka Support Package Implementation Notes) can be published on any date i.e. if they are a prerequisite to implement other correction notes.
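
To line the job up with the regular publication time, the following added example (not from the original post) computes the next Patch Day and a start time for the background job in the Solution Manager's own time zone. It assumes that "CET timezone" means Europe/Berlin local time including daylight saving; the two-hour delay and the function names are hypothetical.

```python
from datetime import date, datetime, time, timedelta, timezone
from zoneinfo import ZoneInfo

# Assumption: publication "right after midnight in CET timezone" is local
# midnight in Central Europe, i.e. CET in winter and CEST in summer.
PUBLISH_TZ = ZoneInfo("Europe/Berlin")


def patch_day(year, month):
    """Second Tuesday of the given month."""
    first = date(year, month, 1)
    to_first_tuesday = (1 - first.weekday()) % 7  # Monday=0, Tuesday=1
    return first + timedelta(days=to_first_tuesday + 7)


def next_patch_day(today):
    """First Patch Day on or after `today`."""
    year, month = today.year, today.month
    day = patch_day(year, month)
    if day < today:
        year, month = (year + 1, 1) if month == 12 else (year, month + 1)
        day = patch_day(year, month)
    return day


def publication_utc(day):
    """Start of the Patch Day in PUBLISH_TZ, expressed in UTC."""
    local_midnight = datetime.combine(day, time(0, 0), tzinfo=PUBLISH_TZ)
    return local_midnight.astimezone(timezone.utc)


def job_start(day, solman_tz, delay_hours=2):
    """Start time for the SysRec job in the Solution Manager's time zone.

    delay_hours is a hypothetical safety margin after publication.
    """
    start = publication_utc(day) + timedelta(hours=delay_hours)
    return start.astimezone(ZoneInfo(solman_tz))


if __name__ == "__main__":
    day = next_patch_day(date(2017, 6, 19))
    print("next Patch Day:", day)
    print("published (UTC):", publication_utc(day))
    for tz in ("Europe/Berlin", "America/New_York", "Asia/Singapore"):
        print(tz, job_start(day, tz))
```

The exceptions listed above (HotNews and Support Package Implementation Notes published on any date) are not covered by such a monthly slot, so the job's regular periodic schedule still matters.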


42. How-to find Security notes for Web Dispatchers?


You can register a Web Dispatcher at the SLD, connect it to the SAP Solution Manager as a technical system with system type WEBDISP, and enable it in System Recommendations. This way you get some recommendations about the Web Dispatcher.
However, I guess to get a complete picture about security of the Web Dispatcher you need more than that.

Keep in mind, that the Web Dispatcher

  • rarely gets connected to the SolMan as described above,

  • could be used in front of ABAP, Java, and HANA systems,

  • is a component which is independent from the Kernel,

  • in case of HANA it is an internal part of HANA,

  • it is very similar to the Internet Communication Manager (ICM) which is part of the Kernel, and

  • usually requires not only software updates but requires configuration as well to solve security issues.


Let’s check the Support Portal to find Security Notes about the Web Dispatcher (status from 19.06.2017):

https://support.sap.com/notes → Expert search

a) Search by Application Component of the Web Dispatcher

Application Component (exact): BC-CST-WDP
Document Type: SAP Security Notes
-> 12 Documents found

b) Search by Application Component of the Internet Communication Manager (ICM)

Application Component (exact): BC-CST-IC
Document Type: SAP Security Notes
-> 32 Documents found

c) Search by Software Component of the Web Dispatcher

Software Component: WEBDISP
Document Type: SAP Security Notes
-> 6 Documents found

Combining all results you find 39 Security Notes.
Only few of them have assignments to

  • Software Component WEBDISP, or

  • Support Package Patches of type “SAP WEB DISPATCHER <release> <patch>”


I would expect that only these notes could be found by System Recommendations.
And not all of these notes have assignments to both, the Software Component and the Patch, which would be required for System Recommendations to produce an exact result at least for the software level (System Recommendations cannot check the configuration anyway).

Therefore, my recommendation is the following:
Whenever you see a Security Note for any of your systems of type ABAP, Java or HANA which deals with the Web Dispatcher or the Internet Communication Manager (ICM), you should check if this note could be relevant for all your installations of the Web Dispatcher, too.

43. Special Components for System Recommendations


If a Software Component is not part of ABAP/JAVA/HANA systems in SLD/LMDB you do not find corresponding notes in System Recommendation.

In the meantime, some Software Components get special treatment to show up in System Recommendation for relevant systems:

BC-FES-GUI added to all ABAP systems as a virtual software component of type "Support Package Independent" as of May 2017 (see note 2458890)

CRYPTOLIB 8 SP000 added to ABAP and JAVA systems as a virtual software component version as of July 2017

SAPHOSTAGENT not covered yet