Hotnews note 3145987

Unfortunately SAP had to release hotnews OSS note 3145987 – [CVE-2022-24396] Missing Authentication check in SAP Focused Run (Simple Diagnostics Agent 1.0). More background can be found in that note and in the Q&A note: 3148440 – Q&A for SAP Security Note 3145987.

What is the problem?

From the note “The Simple Diagnostics Agent 1.0 (up to version 1.57.*) does not perform any authentication checks for functionalities that can be accessed via localhost on http port 3005. Due to lack of authentication checks, an attacker could access administrative or other privileged functionalities and read, modify or delete sensitive information and configurations.”.

What to do to fix it?

The fix is two steps:

1. Update the host agent to version 7.22 PL55 or later as a prerequisite (see OSS note 3113553 – SAP Host Agent 7.22 PL55)

2. After step 1 update the SDA (simple diagnostics agent) to version 1.58.0 or later (see OSS note 3113553 – SAP Host Agent 7.22 PL55). You can do a mass deployment using the Agent Mass Update tile.

How to monitor the follow up?

Open the Self monitoring FIORI tile:

Click on the SDA icon on the left:

Check that all versions are ok:

Author: Frank Umans

Working in SAP since 1998. Started as ABAP developer and later moved to SAP basis and authorizations. Since 2020 working with SAP Focused Run.

Leave a Reply

Your email address will not be published.