CVE-2017-16689 - OpenCVE

A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined.

No CVSS v3.1

Attack Vector Network

Attack Complexity Low

Privileges Required Low

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Access Vector Network

Access Complexity Low

Authentication Single

Confidentiality Impact Partial

Integrity Impact Partial

Availability Impact Partial

AV:N/AC:L/Au:S/C:P/I:P/A:P

Vendors & Products
CPE Configurations

Vendors	Products
Sap	Sap Kernel

Configuration 1 [-]

OR	cpe:2.3:a:sap:sap_kernel:7.21:::::::*
	cpe:2.3:a:sap:sap_kernel:7.21ext:::::::*
	cpe:2.3:a:sap:sap_kernel:7.22:::::::*
	cpe:2.3:a:sap:sap_kernel:7.22ext:::::::*
	cpe:2.3:a:sap:sap_kernel:7.45:::::::*
	cpe:2.3:a:sap:sap_kernel:7.49:::::::*

References

Link	Resource
http://www.securityfocus.com/bid/102144	Third Party Advisory VDB Entry
https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/	Issue Tracking Vendor Advisory
https://launchpad.support.sap.com/#/notes/2449757	Permissions Required Vendor Advisory

History

No history.

MITRE Information

Status: PUBLISHED

Assigner: sap

Published: 2017-12-12T00:00:00

Updated: 2017-12-13T10:57:01

Reserved: 2017-11-09T00:00:00

Link: CVE-2017-16689

JSON object: View

NVD Information

Status : Analyzed

Published: 2017-12-12T14:29:00.640

Modified: 2018-01-04T18:39:15.917

Link: CVE-2017-16689

JSON object: View

Redhat Information

No data.

CWE

CWE-287

{"containers": {"cna": {"affected": [{"product": "Trusted RFC connection", "vendor": "SAP", "versions": [{"status": "affected", "version": "SAP KERNEL 32NUC; SAP KERNEL 32Unicode; SAP KERNEL64NUC; SAP KERNEL64 Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49"}]}], "datePublic": "2017-12-12T00:00:00", "descriptions": [{"lang": "en", "value": "A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined."}], "problemTypes": [{"descriptions": [{"description": "Additional authentication check in Trusted RFC on same system", "lang": "en", "type": "text"}]}], "providerMetadata": {"dateUpdated": "2017-12-13T10:57:01", "orgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "shortName": "sap"}, "references": [{"name": "102144", "tags": ["vdb-entry", "x_refsource_BID"], "url": "http://www.securityfocus.com/bid/102144"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"tags": ["x_refsource_CONFIRM"], "url": "https://launchpad.support.sap.com/#/notes/2449757"}], "x_legacyV4Record": {"CVE_data_meta": {"ASSIGNER": "cna@sap.com", "DATE_PUBLIC": "2017-12-12T00:00:00", "ID": "CVE-2017-16689", "STATE": "PUBLIC"}, "affects": {"vendor": {"vendor_data": [{"product": {"product_data": [{"product_name": "Trusted RFC connection", "version": {"version_data": [{"version_value": "SAP KERNEL 32NUC; SAP KERNEL 32Unicode; SAP KERNEL64NUC; SAP KERNEL64 Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49"}]}}]}, "vendor_name": "SAP"}]}}, "data_format": "MITRE", "data_type": "CVE", "data_version": "4.0", "description": {"description_data": [{"lang": "eng", "value": "A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined."}]}, "problemtype": {"problemtype_data": [{"description": [{"lang": "eng", "value": "Additional authentication check in Trusted RFC on same system"}]}]}, "references": {"reference_data": [{"name": "102144", "refsource": "BID", "url": "http://www.securityfocus.com/bid/102144"}, {"name": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/", "refsource": "CONFIRM", "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"name": "https://launchpad.support.sap.com/#/notes/2449757", "refsource": "CONFIRM", "url": "https://launchpad.support.sap.com/#/notes/2449757"}]}}}}, "cveMetadata": {"assignerOrgId": "e4686d1a-f260-4930-ac4c-2f5c992778dd", "assignerShortName": "sap", "cveId": "CVE-2017-16689", "datePublished": "2017-12-12T00:00:00", "dateReserved": "2017-11-09T00:00:00", "dateUpdated": "2017-12-13T10:57:01", "state": "PUBLISHED"}, "dataType": "CVE_RECORD", "dataVersion": "5.0"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:sap:sap_kernel:7.21:*:*:*:*:*:*:*", "matchCriteriaId": "B1DB2B37-EC52-4FE6-9861-A98A9E365B61", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:sap_kernel:7.21ext:*:*:*:*:*:*:*", "matchCriteriaId": "168D38D8-CE37-4FF4-B089-DCBB0D5A3387", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:sap_kernel:7.22:*:*:*:*:*:*:*", "matchCriteriaId": "80D1ECE8-0465-4B82-A0B7-BC55438FFC43", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:sap_kernel:7.22ext:*:*:*:*:*:*:*", "matchCriteriaId": "56247321-E033-4097-A176-BE71DEBD5920", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:sap_kernel:7.45:*:*:*:*:*:*:*", "matchCriteriaId": "517E04CB-B712-477E-8F64-B35F9D0D932B", "vulnerable": true}, {"criteria": "cpe:2.3:a:sap:sap_kernel:7.49:*:*:*:*:*:*:*", "matchCriteriaId": "018F8061-43B6-4F29-B914-C779569C58CD", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "descriptions": [{"lang": "en", "value": "A Trusted RFC connection in SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL from 7.21 to 7.22, 7.45, 7.49, can be established to a different client or a different user on the same system, although no explicit Trusted/Trusting Relation to the same system has been defined."}, {"lang": "es", "value": "Una conexi\u00f3n RFC fiable en SAP KERNEL 32NUC, SAP KERNEL 32Unicode, SAP KERNEL 64NUC, SAP KERNEL 64Unicode 7.21, 7.21EXT, 7.22, 7.22EXT; SAP KERNEL desde la versi\u00f3n 7.21 hasta la 7.22, 7.45, 7.49, puede establecerse para un cliente o usuario diferentes en el mismo sistema aunque no se haya definido una relaci\u00f3n Trusted/Trusting expl\u00edcita con el mismo sistema."}], "id": "CVE-2017-16689", "lastModified": "2018-01-04T18:39:15.917", "metrics": {"cvssMetricV2": [{"acInsufInfo": false, "baseSeverity": "MEDIUM", "cvssData": {"accessComplexity": "LOW", "accessVector": "NETWORK", "authentication": "SINGLE", "availabilityImpact": "PARTIAL", "baseScore": 6.5, "confidentialityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P", "version": "2.0"}, "exploitabilityScore": 8.0, "impactScore": 6.4, "obtainAllPrivilege": false, "obtainOtherPrivilege": false, "obtainUserPrivilege": false, "source": "nvd@nist.gov", "type": "Primary", "userInteractionRequired": false}], "cvssMetricV30": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 8.8, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "version": "3.0"}, "exploitabilityScore": 2.8, "impactScore": 5.9, "source": "nvd@nist.gov", "type": "Primary"}]}, "published": "2017-12-12T14:29:00.640", "references": [{"source": "cna@sap.com", "tags": ["Third Party Advisory", "VDB Entry"], "url": "http://www.securityfocus.com/bid/102144"}, {"source": "cna@sap.com", "tags": ["Issue Tracking", "Vendor Advisory"], "url": "https://blogs.sap.com/2017/12/12/sap-security-patch-day-december-2017/"}, {"source": "cna@sap.com", "tags": ["Permissions Required", "Vendor Advisory"], "url": "https://launchpad.support.sap.com/#/notes/2449757"}], "sourceIdentifier": "cna@sap.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-287"}], "source": "nvd@nist.gov", "type": "Primary"}]}