PT-2017-14527 · Sap · Sap Basis+2

Published 2017-12-12 · Updated 2018-01-04 · CVE-2017-16691

CVSS v3.1: 6.5 (Medium)
Vector: AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:H/A:N
Name of the Vulnerable Software and Affected Versions

SAP BASIS versions 7.00 through 7.02
SAP BASIS versions 7.10 through 7.11
SAP BASIS version 7.30
SAP BASIS version 7.31
SAP BASIS version 7.40
SAP BASIS versions 7.50 through 7.52

Description

The issue concerns the SAP Note Assistant tool, which allows the upload of digitally signed note files of type 'SAR'. It is possible to append a tampered file to the SAR archive using the SAPCAR tool. During extraction the digital signature verification fails, but the tampered file is extracted anyway: the failed check does not stop the extraction.

Recommendations

For SAP BASIS versions 7.00 through 7.02, consider restricting access to the SAP Note Assistant tool until a fix is available.
For SAP BASIS versions 7.10 through 7.11, avoid using the SAPCAR tool to append files to the SAR archive until the issue is resolved.
For SAP BASIS version 7.30, temporarily disable the upload of digitally signed note files of type 'SAR' to prevent potential exploitation.
For SAP BASIS version 7.31, restrict the use of the SAP Note Assistant tool to minimize the risk of extracting tampered files.
For SAP BASIS version 7.40, consider implementing additional verification measures for digitally signed note files.
For SAP BASIS versions 7.50 through 7.52, as a temporary workaround, consider manually verifying the integrity of note files before extraction.
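The defect described above and the "verify before extraction" recommendations come down to one design point: a signature verdict that is computed but does not gate extraction (fail-open) versus a verdict that must pass before any member is written out (fail-closed). The following example is added here and is not code from SAP, the SAP Note Assistant, or SAPCAR. It models a signed archive with a constructed TLV container format and uses an HMAC-SHA256 tag as a stand-in for the real digital signature (both are assumptions made so the example runs offline); the member names, key and contents are constructed sample data. It shows that appending a member after the signed body makes verification fail, that the fail-open extractor still hands the appended member to the caller, and that the fail-closed extractor returns nothing.

```python
import hashlib
import hmac
import struct

# Assumption: an HMAC-SHA256 tag stands in for the vendor's digital signature so the
# example runs offline. The fail-open / fail-closed logic, not the primitive, is the point.
SIGNING_KEY = b"constructed-demo-key"
SIG_MEMBER = "SIGNATURE"  # constructed name of the member that carries the tag


def encode_member(name: str, data: bytes) -> bytes:
    """Constructed TLV encoding: u16 name length, name, u32 data length, data."""
    name_b = name.encode()
    return struct.pack(">H", len(name_b)) + name_b + struct.pack(">I", len(data)) + data


def parse_members(archive: bytes) -> list[tuple[str, bytes]]:
    """Walk the TLV container and return (name, data) pairs in archive order."""
    members = []
    pos = 0
    while pos < len(archive):
        (nlen,) = struct.unpack_from(">H", archive, pos)
        pos += 2
        name = archive[pos:pos + nlen].decode()
        pos += nlen
        (dlen,) = struct.unpack_from(">I", archive, pos)
        pos += 4
        data = archive[pos:pos + dlen]
        pos += dlen
        if len(data) != dlen:
            raise ValueError("truncated archive")
        members.append((name, data))
    return members


def _signed_body(members: list[tuple[str, bytes]]) -> bytes:
    # The tag covers every member except the signature member itself.
    return b"".join(encode_member(n, d) for n, d in members if n != SIG_MEMBER)


def build_signed_archive(members: list[tuple[str, bytes]]) -> bytes:
    body = _signed_body(members)
    tag = hmac.new(SIGNING_KEY, body, hashlib.sha256).digest()
    return body + encode_member(SIG_MEMBER, tag)


def append_member(archive: bytes, name: str, data: bytes) -> bytes:
    """Models appending a file to an already signed archive: the new member is not covered by the tag."""
    return archive + encode_member(name, data)


def verify(members: list[tuple[str, bytes]]) -> bool:
    tags = [d for n, d in members if n == SIG_MEMBER]
    if len(tags) != 1:
        return False
    expected = hmac.new(SIGNING_KEY, _signed_body(members), hashlib.sha256).digest()
    return hmac.compare_digest(expected, tags[0])


def extract_fail_open(archive: bytes) -> tuple[bool, list[str]]:
    """Vulnerable pattern: the verdict is recorded but every member is extracted regardless."""
    members = parse_members(archive)
    ok = verify(members)
    extracted = [n for n, _ in members if n != SIG_MEMBER]
    return ok, extracted


def extract_fail_closed(archive: bytes) -> tuple[bool, list[str]]:
    """Hardened pattern: nothing leaves the archive unless the signature verifies."""
    members = parse_members(archive)
    if not verify(members):
        return False, []
    return True, [n for n, _ in members if n != SIG_MEMBER]


# Constructed sample note archive and a tampered copy with one appended member.
ORIGINAL_MEMBERS = [("NOTE.TXT", b"Constructed note text"), ("CORRECTION.ABAP", b"REPORT zdemo.")]
SIGNED = build_signed_archive(ORIGINAL_MEMBERS)
TAMPERED = append_member(SIGNED, "APPENDED.ABAP", b"* member not covered by the signature")

if __name__ == "__main__":
    print("genuine, fail-open :", extract_fail_open(SIGNED))
    print("tampered, fail-open:", extract_fail_open(TAMPERED))
    print("tampered, fail-closed:", extract_fail_closed(TAMPERED))
```

The fail-open extractor returns `ok == False` for the tampered archive yet still lists `APPENDED.ABAP` among the extracted members, which is the behaviour the description attributes to the affected tool; the fail-closed extractor returns an empty list for the same input. The check is also a useful acceptance test for any archive-handling code path: feed it a signed archive with one appended member and confirm that no member is written out.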

Fix

RCE


Weakness Enumeration

Related Identifiers

CVE-2017-16691

Affected Products

Sap Basis
Sap Note Assistant
Sapcar