Search This Blog

Tuesday, August 23, 2011

SAP Note 1133739 - Security note: Security gap in Data Browser (SE16)


Symptom
Transaction SE16 is a universally applicable function to display any database contents in ABAP systems.
An authorization check against a table authorization group protects the access to this data using this function (authorization object S_TABU_DIS).

If you use transaction SE16 in a certain way, the system may fail to perform this authorization check.  This may allow unauthorized access to any sensitive or critical data.

The correction (Support Package or correction instructions) solves this problem.

Risk mitigation before the correction is effective:  Limit the access to transaction SE16 (authorization object S_TCODE).


We strongly recommend that customers limit the access to SE16 and implement the correction instruction as soon as possible.



Other terms
Data Browser, SE16


Solution
Use transaction SNOTE to implement the corrections.



Affected Releases
Software
Component
Release
From
Release
To
Release
And
subsequent
SAP_APPL
30
31I
31I
 
SAP_APPL
40
40B
40B
 
SAP_APPL
45
45B
45B
 
SAP_APPL
46
46B
46B
 
SAP_BASIS
46
46B
46D
 
SAP_BASIS
60
620
640
 
SAP_BASIS
70
700
700
 
SAP_BASIS
71
710
711
 


Visit https://service.sap.com/sap/support/notes/1133739 for Correction delivered in Support Package and Corrections Instructions

No comments:

Post a Comment