The cause of the vulnerability is that the ABAP server does not make an unambiguous distinction between incoming RFC/HTTP requests from inside the system or from an external caller. This could be exploited by malicious users to obtain illegitimate access to the SAP ABAP system. There is no workaround except to strengthen network protection against external RFC and HTTP communication to SAP. However, SAP provides a software correction, which consists of:
- New kernel version for kernels 7.21, 721_EXT, 7.22, 7.22_EXT, 7.22_EX2, 7.49, 7.53, 7.77 and 7.81
- Correction to SAP_BASIS component to be implemented with Transaction SNOTE; applicable to all systems on SAP_BASIS 7.00 and higher
Considering the criticality of the problem our advice is to apply this correction as soon as possible, but still in an organized manner whereby you patch the non-production systems first. The scope of the SNOTE correction is small (changes just one class), so it may be feasible to move it to production relatively fast. With the kernel you need to be more careful and plan at least a minimum period during which the non-production systems operate on the new kernel version. You should also consult the specific kernel regression note (see SAP note 1802333 for general information about kernel regressions). For the kernel levels advised in note 3007182, the regression notes are listed in the table below.
The Expertum consultants are available to address your questions and to assist you with the solution.
