lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Message-ID: <5391DDE1.6040609@onapsis.com> Date: Fri, 06 Jun 2014 12:27:29 -0300 From: Onapsis Research Labs <research@...psis.com> To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>, pen-test@...urityfocus.com, security-basics@...urityfocus.com, info@...pasec.com, submissions@...ketstormsecurity.org Subject: [FD] [Onapsis Security Advisories] Multiple Hard-coded Usernames in SAP Components -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Onapsis Security Advisories:Multiple Hard-coded Usernames (CWE-798) have been found and patched in a variety of SAP components. Summaries of the advisories with links to full versions follow: 1. ONAPSIS-2014-011-SAP Project System Structures and Project-Oriented Procurement Hard-coded credentials ======================================================================= - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Affected Components: * Project System * Structures * Project-Oriented Procurement (Check SAP Note 1791081 for detailed information on affected releases) - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-011 2. ONAPSIS-2014-012-SAP Brazil Specific Add-On Hard-coded Credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.0 (AV:N/AC:L/AU:S/C:P/I:N/A:N) - -- Fix in SAP Note:1768049 - -- Affected Components: * Brazil Specific Add-On - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-012 3. ONAPSIS-2014-013-SAP OIL Industry Solution Traders and Schedulers Workbench Hard-coded Credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.6 (AV:N/AC:H/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1920323 - -- Affected Components: * SAP Oil Industry Solution Traders and Schedulers Workbench - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-013 4. ONAPSIS-2014-014-SAP Upgrade tools for ABAP Hard-coded credentials ===================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:N/I:P/A:P) - -- Fix in SAP Note: 1915873 - -- Affected Components: * SAP Upgrade Tools - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-014 5. ONAPSIS-2014-015-SAP Web Services Tool Hard-coded Credentials ================================================================ - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 3.5 (AV:N/AC:M/AU:S/C:P/I:N/A:N) - -- Fix in SAP Note: 1914777 - -- Affected Components: * SAP Web Services Tool - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-015 6. ONAPSIS-2014-016-SAP CCMS Monitoring Hard-coded Credentials ============================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1911174 - -- Affected Components: * SAP CCMS Monitoring - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-016 7. ONAPSIS-2014-017-SAP Transaction Data Pool Hard-coded Credentials ==================================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1795463 - -- Affected Components: * SAP Transaction Data Pool - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-017 8. ONAPSIS-2014-018-SAP Capacity Leveling Hard-coded Credentials ================================================================ - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 6.0 (AV:N/AC:M/AU:S/C:P/I:P/A:P) - -- Fix in SAP Note: 1789569 - -- Affected Components: * SAP Capacity Leveling - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-018 9. ONAPSIS-2014-019-SAP Open Hub Service Hard-coded Credentials =============================================================== - -- Public Release Date: 2014-06-06 - -- Researcher: Sergio Abraham - -- Initial Base CVSS v2: 4.9 (AV:N/AC:M/AU:S/C:P/I:P/A:N) - -- Fix in SAP Note: 1738965 - -- Affected Components: * SAP Open Hub Service - -- Original Advisory: http://www.onapsis.com/resources/get.php?resid=adv_onapsis-2014-019 - -- Ezequiel Gutesman Director Of Research Onapsis -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Onapsis Research Team iEYEARECAAYFAlOR3d4ACgkQz3i6WNVBcDVZ/gCfVFecGvz69JcNRk7WnK/RZ0Gd sxgAn3MmMOBrquYu//VJdeUiP9SR/wWC =sxVQ -----END PGP SIGNATURE----- ------------------------------------------------------------------------ Securing Apache Web Server with thawte Digital Certificate In this guide we examine the importance of Apache-SSL and who needs an SSL certificate. We look at how SSL works, how it benefits your company and how your customers can tell if a site is secure. You will find out how to test, purchase, install and use a thawte Digital Certificate on your Apache web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. http://www.dinclinx.com/Redirect.aspx?36;4175;25;1371;0;5;946;e13b6be442f727d1 ------------------------------------------------------------------------ _______________________________________________ Sent through the Full Disclosure mailing list http://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists