At first glance, a transport request that contains a logical object seems to be handled in the same way: in most cases, this will serve the purpose. You must enter the change itself in a transport request. The objects to be transported are contained in the transport requests and can be displayed by accessing the list of objects in the transport request. Although Workbench objects are uniquely identified by their type and name, it is much more difficult to identify the data transported in a Customizing object. Object customization can be transported both as individual tables and through generated maintenance objects. Maintenance objects are controlled by the SOBJ transaction and can have one of the following types: You can use the procedure described in the OSS note 853601 – “ALLOCATION: Disabling Automatic Transport” to leave all assignment tables unchanged and not have to apply the customization procedure or the current settings. A double-click on the data row provides information about the table to be transported with the transport request: some SAP standard tables are provided by SAP as customizing tables with transports, but are logical and business application tables and are managed by merchants directly in production. An example is the exchange rate table. The current settings have the following effects: if the system client is set to Productive in SCC4, the transport flags are ignored and the user can update the table directly and save the changes without a transport request pop-up. If you want a Customizing table without a transport request to be maintained directly on development and quality systems, you must de-identify the Customizing table. Malicious content and manipulation can only be detected if all three levels of the object list are checked.
Current settings are a hidden function in SAP systems. For each Customizing object, you can choose whether or not it uses the current setting option. Transport information for most object types is tracked in two different tables: this change must also be executed on the development system and placed in the transport request. Step 3 is to move the transport order to the quality system and subsequent production. While there have been no significant changes to this important core component in a decade, it has been expanded over the past 13 years to support the transport of non-ABAP (Enhanced CTS or CTS+) objects and the synchronization of dependent changes in different SAP environments (Central CTS or cCTS). Onapsis Research Labs reported this vulnerability to SAP in early 2018, and in May 2018, a patch with SAP Security Note #2671160 titled “Missing Input Validation in ABAP Change and Transport System (CTS)” was deployed. With this hotfix, SAP introduces a new TMS parameter called TLOGOCHECK. We strongly recommend that you apply the SAP kernel version that applies patches and configure the TLOGOCHECK setting to match the settings recommended in the SAP Security Advisory. The new kernel version allows the transport tool to verify the definition of a logical Customizing object for any manipulation by comparing the transported object with its definition in the target system. Step 2 would be to regenerate the maintenance view and disable the recording routine. This should look like the one shown in the screen below: To do this, start the SOBJ transaction and select the Customizing object or table.
The current parameter flag is specified in the following example illustration for the currency conversion rate table: A glance at the object list displays the maintenance view: To intercept the global information of a Customizing object, there are up to three levels of object list that must be archived in SAP Transport Organizer. Step 1 begins with the SE11 transaction to call the table. You need to document this in the development system. In the Delivery and Maintenance tab, delivery operations are usually displayed as Type C (Customizing). Because the displayed information is read dynamically and the manipulation has only been applied to the development system, you cannot see the entries injected into the transport request object list on another system in the SAP landscape. If the attacker removes the additional entry from the repository table on the development system, the input becomes invisible there too! With the exception of the Dummy object type (D), all types of maintenance objects consist of one or more tables, including logical transport objects (L), which can contain dozens of different tables. For example, the roles represented by the ACGR logical object contain data from 27 different ACGR* tables. In a development or quality system, the “Productive” parameter does not exist and the SAP system prompts you to enter the transport request. Especially with quality systems, this can be quite annoying. There is a big difference between logical Customizing (L) objects and other types of Customizing objects: when a logical Customizing object is tracked in a transport request, the information about the tables and keys assigned in table E071K (E071K_STR) is not tracked persistently. Some settings in RSA1, such as process chain starters that you want to set locally by system. By default, SAP asks you for a transport.
In RSA1, you can replace that. On the left, select Transport Connection. Then select the Object Switch button at the top. In the pop-up window, right-click Not Editable and set it to All Editable for items for which you do not want a transport pop-up. Some components of SAP have existed since the beginning of SAP R/3. One of these components is the SAP Change and Transport System (CTS). Introduced with SAP Basis 3.1H, it replaced most of the manual tasks that previously had to be performed at the operating system level to move a transport request from system A to system B. Example: A developer regularly updates a monitoring solution with new customization information. To this end, the developer has created a maintenance view, and since the monitoring tool is a non-critical read-only application, the data in its maintenance view goes through all quality controls for production without detailed analysis of record transport orders.
Knowing that this type of transport is not examined more closely by the QA team, the developer (or anyone else with access to the development system who knows it) could now change the definition of the maintenance view and replace the underlying table with a table containing critical data, e.g. the USRBF2 table. This table contains authorization buffer data. Transporting it to production means transporting the authorizations assigned (and stamped) to the production during development so that they become temporarily active there! An attacker who has access to the development system can now easily manipulate the logical Object Definition table and add additional tables (what about salary data?) to define a role. It is even possible to add Workbench objects to this definition! See OSS 2442887 – SOBJ: To assign the Current Settings object attribute of a full statement to a maintenance object. I want to forward this request to the quality server, but the transport option displays “No transport”. In exceptional cases, when key fields contain long string values, the E071K_STR tables are also used to track table key information. After adding the malicious entries to the repository, the attacker just has to wait for someone to export a role – without realizing that additional data is being exported! The Arate module of the Onapsis platform helps Onapsis clients to automatically check if the kernel version is fixed and if the TLOGOCHECK parameter is set correctly on all systems. The current settings are therefore only a solution for the tables that you and the company want to maintain directly in production and not in a development and quality system. I attached an object snapshot in the definition of a maintenance and transport object in SE01. If you check table E071K (or E071K_STR) for this request, the list will be empty! As can be seen in the screen header above, this is simply a key simulation that is displayed here.
SAP dynamically reads the information from this screen from the Logical Object Definition table.
The same goes for the beginning of the export of this table – based on the dynamically retrieved information, the corresponding data is extracted from the development system. When you double-click the role, you will see the individual tables and keys that contain information about the role, so I need to change it to Automatic Transport to move it to Quality Server.