As Basis people, we are sometimes not sure whether to ignore or implement SAP Notes, especially those received for vulnerability fixes, HotNews, or CVEs in production projects.
Let's go through the checklist below.
Every SAP Note that fixes a security vulnerability should be implemented if the affected software component version exists in the system and the prerequisites are met. This ensures the system has the latest vulnerability fixes.
⭐ The statement above does not apply only for the specific criteria listed below.
1) Language not installed - Example: We recently received multiple ERP HCM Payroll vulnerability fixes related to Portuguese, which is not installed. The customer does not use the HCM Portuguese component either. Hence, it can be ignored.
2) Geolocation based - The Note will state this explicitly. Example: Note relevant only for Brazil/Germany. Hence, it can be ignored.
3) Note component does not exist - The affected component or prerequisite component does not exist in the system. Hence, it can be ignored.
4) Functional usage not relevant - Example: the Note is a Master Data Governance fix, but MDG is not used in our customer system. Hence, it can be ignored.
5) Not compatible with respect to built-in functionalities - Example: the Note is valid only if certain business functions are in an activated state, specific OData services are used, or the mentioned reports/transactions are used.
In all other scenarios, a Note received for a vulnerability fix should be implemented.
Raise it with SAP Support as an exceptional case if you are not able to reach a conclusion on your own.
Say SAP releases a vulnerability/CVE fix or functionality for all versions of the corresponding component except our version. Example: a Note is released for SAP Basis 758 SP1 - SP5, but no CI (correction instruction) exists for SP0. Usually (99% of the time) it would be applicable to SP0 as well; SAP might have missed adding the CI. In such cases, get confirmation from SAP.
Note 2220520 - How to confirm whether SAP Note is valid for system
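The checklist above, sketched as a small triage function. This is an added example, not code from the post or from SAP: the `Note` and `System` classes, their fields, and the sample data are constructed for illustration, and treating a different release as "affected version not present" is an assumption.

```python
from __future__ import annotations
from dataclasses import dataclass

@dataclass
class Note:  # hypothetical model of a security note's attributes, not an SAP API
    component: str
    release: str
    sp_range: tuple                    # (lowest SP, highest SP) that has a CI
    language: str | None = None        # set when the fix is language-specific
    country: str | None = None         # set when the note names a country
    function: str | None = None        # functional area, e.g. "MDG"
    requires: frozenset = frozenset()  # business functions, OData services, reports

@dataclass
class System:  # hypothetical inventory of the target system
    components: dict                   # component -> (release, support package)
    languages: set
    countries: set
    functions_in_use: set
    active_features: set

def triage(note: Note, system: System) -> tuple[str, str]:
    """Return (decision, reason) using the five exceptions from the post."""
    installed = system.components.get(note.component)
    if installed is None:
        return "IGNORE", "3) affected component not installed"
    if note.language and note.language not in system.languages:
        return "IGNORE", "1) language not installed"
    if note.country and note.country not in system.countries:
        return "IGNORE", "2) country not relevant"
    if note.function and note.function not in system.functions_in_use:
        return "IGNORE", "4) functionality not used"
    if not note.requires <= system.active_features:
        return "IGNORE", "5) required built-in functionality not active"
    release, sp = installed
    if release != note.release:
        # Assumption: a different release counts as "affected version not present".
        return "IGNORE", "3) affected release not installed"
    if note.sp_range[0] <= sp <= note.sp_range[1]:
        return "IMPLEMENT", "affected version present and no exception applies"
    return "ASK_SAP", "same release but no CI for our SP; get confirmation from SAP"

# Constructed sample data: component names and SP levels are illustrative only.
SYSTEM = System({"SAP_BASIS": ("758", 0), "SAP_HR": ("608", 90)},
                {"EN", "DE"}, {"DE"}, {"HCM"}, {"ODATA_SRV_A"})
NOTE_PT = Note("SAP_HR", "608", (80, 95), language="PT")   # criterion 1
NOTE_MDG = Note("MDG_FND", "809", (0, 5), function="MDG")  # criterion 3
NOTE_SP0 = Note("SAP_BASIS", "758", (1, 5))                # the SP0 gap case
NOTE_OK = Note("SAP_HR", "608", (80, 95))                  # must be implemented
```

Calling `triage(NOTE_SP0, SYSTEM)` returns the `ASK_SAP` decision, which is the SP0 case that should be confirmed with SAP rather than silently ignored.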
Thanks for visiting !!!