urlscan.io Public Scan: community.sap.com (54.192.51.105)
Submitted URL: https://protect-us.mimecast.com/s/hH3HCNkjKyuNqlwwhljl599
Effective URL: https://community.sap.com/t5/technology-blogs-by-sap/unveiling-critical-security-updates-sap-btp-security-note-3411067/ba-...
Submission: On February 21 via api from US — Scanned from US
Form analysis
1 form found in the DOM: name "form", POST https://community.sap.com/t5/blogs/v2/blogarticlepage.searchformv32.form.form (enctype multipart/form-data). It is the community platform's site search form. Hidden fields: t:ac (blog-id/technology-blog-sap/article-id/167246), t:cp (search/contributions/page), lia-form-context, liaFormContentKey (BlogArticlePage:blog-id/technology-blog-sap/article-id/167246:searchformv32.form:), t:formdata, lia-action-token, form_UID (form), form_instance_key (empty), submitContextX (searchForm) and as-search-action-id. Visible controls: a searchGranularity select (All community, This category, Blog, Knowledge base, Users, Managed tags), a "Search" submit button, the text inputs messageSearchField, messageSearchField_0, userSearchField, noteSearchField and productSearchField, each with an autocomplete container and a "Turn off suggestions" link carrying its own data-lia-action-token and pointing at https://community.sap.com/t5/blogs/v2/blogarticlepage.disableautocomplete:disableautocomplete?t:ac=blog-id/technology-blog-sap/article-id/167246&t:cp=action/contributions/searchactions, and a "cancel" span. The lia-form-context, t:formdata, lia-action-token and data-lia-action-token values are opaque per-page tokens.
Text Content
Technology Blogs by SAP

Unveiling Critical Security Updates: SAP BTP Security Note 3411067
by JürgenAdolf (Advisor), 12-12-2023 7:02 AM, 24 Kudos

In our ongoing commitment to a robust and secure SAP Business Technology Platform (BTP) environment, we want to draw your attention to an important security note that has recently been released. While we understand the importance of transparency, we will not describe the nature of the issue in detail, to avoid aiding exploitation. Instead, we encourage all BTP users to review this security note carefully and take the necessary actions promptly.

Security Note 3411067

This security note addresses a critical privilege escalation issue in the SAP BTP Security Services Integration Libraries. The note describes the symptoms, prerequisites and root cause of the identified issue, giving a complete picture of the risks involved.

Action Steps

To safeguard your SAP BTP environment, we strongly urge all users to:
1. Check the Security Note: go to SAP's official support portal and review Security Note 3411067 for the details.
2. Validate Prerequisites: confirm whether your system matches the prerequisites listed in the note, so that you can judge whether this security update applies to your setup.
3. Implement the Solution: apply the solution described in the security note to close the issue and protect your system against potential threats.

Additional Details

For a deeper understanding, Security Note 3411067 includes further details on the specifics of the issue, which help in understanding and implementing the provided solution.

Update

To give customers a simple and efficient way to assess their systems, and so that you no longer need to request scan results from SAP, we have published a bash script that lets you run the scan yourself.

How to Execute the Scan

To obtain the bash script and run the scan independently, refer to SAP Note 3411661. The script is attached to that note and gives you a straightforward way to determine whether your system is affected.

Conclusion

Security is a shared responsibility, and proactive measures are crucial to maintaining the integrity of our SAP BTP environments. By staying informed and promptly addressing security notes such as 3411067, we collectively contribute to a safer and more secure digital landscape. We appreciate your diligence in reviewing and addressing this security note promptly. As always, your commitment to maintaining a secure SAP BTP environment is paramount. Stay secure, stay informed!
SAP Managed Tags: SAP BTP Security (Software Product Function); SAP BTP, Cloud Foundry runtime and environment (SAP Business Technology Platform); Security (Topic)
Labels: Product Updates; application router; Deploy with confidence - Jupiter; SAP Cloud Application Programming Model; sap cloud sdk for java; SAP Java Buildpack

31 Comments

dyaryura (Active Participant), 12-12-2023 12:05 PM, 4 Kudos
Hi Juergen, what should be the normal channel for customers to get notified about these kinds of notes? Since this is BTP specific, I'm wondering if it'll show up in Solman SysRec or if it'd be included as part of the monthly webinars led by Frank (https://support.sap.com/en/offerings-programs/support-services/security-optimization-services-portfolio.html). Just wondering if you're planning a separate process to notify about these specific BTP notes. Thanks!

JürgenAdolf (Advisor), 12-12-2023 3:44 PM, 2 Kudos
Hi Yaryura, thank you for your inquiry and your interest in staying informed about critical updates in our SAP Business Technology Platform (BTP). You may register for SAP HotNews in SAP for Me via the Trust Center: https://me.sap.com/app/hotnews. Your commitment to staying informed aligns with our shared goal of ensuring the security and integrity of SAP BTP. We value your feedback and collaboration in creating a secure and robust BTP environment. Thank you for your understanding and ongoing partnership. Best regards, Juergen

LutzR (Active Contributor), 12-13-2023 9:17 AM, 3 Kudos
Hi juergen.adolf, please be more specific about how to configure this correctly. I am receiving HotNews alerts regularly for lots of components. But yesterday it was only for the IS-OIL note, not for BTP. Are there some prerequisites like matching customer numbers for S-User and Global Account or something? <edit> I created case 128992/2023 on XX-SER-FORME for this </edit> I would very much recommend that SAP make use of other communication channels too, e.g. the channels that are commonly used to alert administrators about necessary maintenance activity (DB update, Java runtime update, etc.). BR, Lutz

Frank_Buchholz (Advisor), 12-13-2023 11:20 AM, 3 Kudos
Hi Diego, yes, I'll talk about this note in the monthly Security Notes Webinar (13.12.2023 ASUG / 14.12.2023 Enterprise Support and DSAG) and will say something like this: If you just use BTP services (as in SaaS scenarios) but do not develop your own applications based on these open source libraries (especially the XSUAA ones), then you are not affected; any required update on standard BTP services is already done by SAP. Now, let's assume that some own applications are developed on BTP by your organization. I believe the normal channel for security reports on open source libraries (like these ones) for custom development are the corresponding CVEs; you should have processes to find and update open source libraries based on CVE reports in any case. For this type of software, the SAP note comes on top of that. Neither the System Recommendations application in SAP Solution Manager (which is strong for ABAP, Kernel, Java and HANA), nor the similar function in SAP Focused Run, nor the new Recommended Notes in the Maintenance Planner on the SAP Support Portal can support you with this note: the note is classified as "This document is not restricted to any software component", which means that there is no data to check anything using these tools. I'm not aware of any plans to extend these tools. That said, you have to figure out by yourself whether some custom development might use the affected libraries: ask the developers in your team who maintain the code. They can check the library usages and versions in dependency files (pom.xml, package.json, build.gradle, ...). Greetings, Frank Buchholz, CoE Security Services

Cocquerel (Active Contributor), 12-13-2023 12:49 PM, 1 Kudo
Is there a way (for example using the CF command line tool) to check which "@sap/xssec" version a deployed Node.js app is using?

vobu (Active Contributor), 12-13-2023 2:56 PM, 8 Kudos
Hi, first of all thanks for the detailed info on the potential privilege escalation vulnerability. But if I'm not mistaken, only one of the three affected Node.js libraries is Open Source*; all the others are "source open", as in available on npm, but neither with a public source code repo nor with an associated Open Source license. In fact, one could argue that if they were Open Source, the vulnerabilities might have been discovered sooner (because more eyes on the cause) and fixed quicker (because more hands to the rescue). Just my .02€, Volker
* https://www.npmjs.com/package/@sap/xssec (not OS); https://www.npmjs.com/package/@sap/approuter (not OS); https://github.com/SAP/cloud-sdk-js (OS)

MultivacTest123 (Explorer), 12-14-2023 7:33 AM, 0 Kudos
Hello Frank, thanks for your insight and information about this note. What do we understand as an own developed application? We use the Integration Suite solely so far, and the only "own" applications there are the iFlows. Those iFlows are mainly built with the SAP-provided adapters; I guess I can ignore those iFlows? Some of them have self-written Groovy scripts with libraries; do I need to check every iFlow with a Groovy script then? Thanks in advance for an answer and have a good day. Best Regards, Randy

juan_jose_cruz (Member), 12-14-2023 8:18 AM, 0 Kudos
Hi juergen.adolf, is sap_java_buildpack_1_81 already released for cflinuxfs4? Thanks in advance.

JürgenAdolf (Advisor), 12-14-2023 8:20 AM, 1 Kudo
Hello Randy, on the SAP side all libraries are updated and fine. In a SaaS scenario you are safe. Best, Jürgen

nothafts (Explorer), 12-14-2023 9:39 AM, 1 Kudo
Hello, would it be possible that such vulnerabilities could be discovered with npm audit? Thank you.

sgonzmot (Participant), 12-14-2023 10:43 AM, 2 Kudos
Hi mickael.cocquerel, ideally, security should be implemented in the git repositories and added to the deployment pipelines themselves (DevSecOps). However, if you want to see something directly in the deployed container (unless there is another method), I would advise enabling SSH in the space/app. This approach allows you to extract the direct value from the module by executing cat + jq. For example, you can use the following command:
    cf ssh <app-name> -c 'cat app/package.json' | jq '.dependencies["@sap/xssec"]'
After extracting the information, don't forget to disable remote access. I hope I have helped you! Greetings!

LutzR (Active Contributor), 12-14-2023 4:00 PM, 0 Kudos
Hi juergen.adolf and others @ SAP: please publish the FAQ note 3411661. We have been waiting for it since the update of the main note (more than 24 hours now). We permanently get "SAP Note/KBA 3411661 is being updated". We are wasting time checking that note's status. Thank you!

Cocquerel (Active Contributor), 12-14-2023 4:25 PM, 0 Kudos
My understanding is that the package.json is only considered at mtar build time. I mean, even if it says to take the latest "^3" version of "@sap/xssec", if the build was done before the 25th of November, when version 3.6.0 containing the fix became available, it's not good. Is there a way using ssh to check which version is really deployed?

sgonzmot (Participant), 12-14-2023 4:57 PM, 0 Kudos
Hi mickael.cocquerel, unless I'm very much mistaken, the package.json file is the metadata of the application and it's vital within the deployment cycle and startup of the application in Cloud Foundry. This file is responsible for providing a startup script (by default it's 'start') and installing direct and indirect dependencies (this last point is important, as packages that contain @sap/xssec as an indirect dependency are also affected; this can be seen in the package-lock.json). Through SSH, we can check the package.json that was used to 'boot' the application and therefore the dependencies that have been installed. I hope I have helped you!

JoeGoerlich (Active Contributor), 12-15-2023 7:36 AM, 1 Kudo
Hello Michael, before running into the same situation as we had with Log4Shell, I recommend starting right away with building an SBOM. At best, this should be considered when you start developing the first custom applications in SAP BTP. This will help to identify which apps use which libraries and increase the speed when CVEs are issued for those. For sure, a manual scan for the versions will help to identify progress and left-overs, but it's time consuming. BR, Joe

JürgenAdolf (Advisor), 12-15-2023 7:41 AM, 1 Kudo
Hello, there was a technical problem with the note. It should be available again. We are sorry for the inconvenience.

KimmoD (Explorer), 12-15-2023 8:33 AM, 5 Kudos
Another option that can be used is to check the installed version directly from the installed packages:
    cf ssh APP_NAME -c "cat /home/vcap/app/node_modules/@sap/xssec/package.json | grep '\"version\":'"
    "version": "3.2.12",
Kudos to showkath.naseem: https://blogs.sap.com/2023/12/14/sap-btp-security-alert-%F0%9F%9A%A8-protecting-your-custom-applicat...
And if you have the code locally and need to find out where the old version of the package originates (and you have a more complex app with more than just the approuter; there are 61 dependent packages listed on npm):
    npm ls @sap/xssec
This should print the npm dependency tree like this:
    └─┬ ui5-middleware-cfdestination@0.6.0
      └─┬ @sap/approuter@10.15.4
        ├─┬ @sap/audit-logging@5.8.2
        │ └── @sap/xssec@3.6.0
        └── @sap/xssec@3.6.0

JürgenAdolf (Advisor), 12-15-2023 11:59 AM, 0 Kudos
Yes

JürgenAdolf (Advisor), 12-15-2023 12:01 PM, 0 Kudos
No, it is currently not possible. CVE import in npm audit is still missing.

showkath_naseem (Product and Topic Expert), 12-15-2023 12:25 PM, 1 Kudo
Thank you so much for your kind words! I am pleased to hear that my blog post helped you and others.

gregorw (Active Contributor), 12-15-2023 3:59 PM, 0 Kudos
Hi Jürgen, is there a roadmap for CVE import in npm audit? Best Regards, Gregor

Cocquerel (Active Contributor), 12-15-2023 5:00 PM, 0 Kudos
Thanks kdragon, that is exactly what I was looking for. santiago_gonzalez_mota5, I have tried to just restart the app and, as you can see in the screenshot, it remains 3.3.5. So my understanding is that the build of the mtar has to be done again to get the 3.6.0 version, and then the new mtar should be deployed.

JürgenAdolf (Advisor), 12-18-2023 7:43 AM, 0 Kudos
Hi Gregor, we have no influence on it, as npm audit is not from SAP. https://docs.npmjs.com/about-npm Best, Jürgen

gregorw (Active Contributor), 12-18-2023 8:08 AM, 0 Kudos
Hi Jürgen, I think of the colleagues from SAP Cloud SDK, as for their package some entries exist in the GitHub Advisory Database (ecosystem:npm sap), which seems to be the basis for npm audit. Best Regards, Gregor

Bodriki (Explorer), 12-18-2023 9:13 AM, 0 Kudos
This post here was done on December the 12th. The HotNews was: 3411067 - [Multiple CVEs] Privilege escalation in SAP Business Technology Platform (BTP) Security Services Integration Libraries, SAP Security Note, Version: 6, Released on: 13.12.2023

LutzR (Active Contributor), 12-18-2023 10:19 AM, 0 Kudos
Hi. Nope. The note was first released on December 12. On the 13th it was just updated. I did not receive notifications for either release (others did). There is some bug. BR, Lutz

LutzR (Active Contributor), 12-18-2023 2:43 PM, 1 Kudo
Hi juergen.adolf, <EDIT> The error was on our side. The Security Contacts did receive the e-mail. Sorry. </EDIT> Some people received e-mails from SAP inviting them to get their BTP environments scanned. I was one of the lucky ones to receive this e-mail. Thank you! But I was the only one in our organization to receive this, and we would like to know how to get other people in our organization registered to that distribution list, just for redundancy, e.g. during the holiday season. We know that the distribution list was not the "Security Contact". He did not receive this. I am not aware of being specifically registered for anything. Can you make transparent how to get on this kind of distribution list in the future? Thank you! Lutz

12-20-2023 1:11 PM, 1 Kudo
Hi juergen.adolf, SAP Note 3411067 mentions updating the libraries to the latest versions for only the 3 affected libraries: https://www.npmjs.com/package/@sap/xssec, https://www.npmjs.com/package/@sap/approuter, https://github.com/SAP/cloud-sdk-js. What about the libraries dependent on these affected libraries? We use many other libraries which internally use @sap/xssec, and I assume we would have to update those libraries as well. If we do not update these dependent libraries, they are still fetching the older versions of the @sap/xssec library upon deployment. Below are the examples which we widely use: https://www.npmjs.com/package/@sap/async-xsjs, https://www.npmjs.com/package/@sap/html5-app-deployer, https://www.npmjs.com/package/@sap/audit-logging. Thanks, Suchen

gregorw (Active Contributor), 12-20-2023 8:19 PM, 0 Kudos
As long as the dependency is defined as "@sap/xssec": "^3.6.0", it will automatically use any version equal to 3.6.0 or higher within the same major version 3.

12-21-2023 8:34 AM, 2 Kudos
Thanks Gregor for your response. We don't have a dependency in our package.json for the @sap/xssec library. But we have @sap/async-xsjs, @sap/audit-logging, ... If we don't update the versions of these libraries, we noticed they download the older versions of @sap/xssec, as "npm install" downloads the whole tree of all dependent libraries. My question was whether we need to update the libraries @sap/async-xsjs, @sap/audit-logging, ...? Or can we ignore this, as the SAP note only says to update the affected @sap/xssec, approuter and cloud-sdk? Thanks in advance.

VitorBrevilieri (Explorer), 01-03-2024 8:58 PM, 1 Kudo
Same doubt. Any updates? Thanks