SAP regularly ships vulnerability fixes for CommonCryptoLib (CCL). Many Basis administrators wonder whether the SAP CommonCryptoLib can be upgraded on its own, without touching the ABAP kernel or the HANA database.
Consider Note 3633049 - [CVE-2025-42940] SAP CommonCryptoLib vulnerability Memory Corruption (note version 7).
This vulnerability fix requires a CommonCryptoLib update to 8.5.60 (or higher).
Since the library is shared, the vulnerability affects both ABAP systems and the HANA DB.
V) For ABAP:
You can download the latest CommonCryptoLib and simply overwrite the existing one.
💫 It is downward compatible.
1) Note 2450794 - Updating CommonCryptoLib in a NetWeaver ABAP system (note version 7)
Go to the SAP Software Center (Support Packages and Patches) and search for COMMONCRYPTOLIB; the latest packages available are listed there.
2) Note 2072638 - Dependencies between CommonCryptoLib and SAP Kernel Package (note version 8)
⭐ For the following kernel releases, CommonCryptoLib fixes can be patched independently of the SAP kernel package:
740, 741 and onwards
720 from Patch Level 600 on
721 from Patch Level 200 on
722 and onwards
Usual method:
Download the library and overwrite it in the global SYS (sapmnt) kernel exe directory:
/usr/sap/SID/SYS/exe/uc
which on Linux is a link to /sapmnt/SID/exe/uc.
In simple words, run the cdexe command as the <sid>adm user; it normally takes you to this path.
Once the files are overwritten, do a complete SAP system restart. During the restart the SAPCPE program copies all files (including the latest CCL) from this sapmnt/SYS path to the kernel exe path of every primary and additional application server (say /usr/sap/SID/DXX/exe) in the background.
This is the usual method: all files are distributed from the central SYS kernel directory to the corresponding kernel directory of each application server, regardless of how many application servers there are.
If you still face an issue, say the files were not copied to one application server, just overwrite the CCL files manually on that server (say in /usr/sap/SID/DXX/exe), exactly as you did for the sapmnt/SYS path.
Additional info:
Just FYI (not the recommended way): you can also trigger the copy manually with the sapcpe command - sapcpe pf=/usr/sap/SID/SYS/profile/InstanceProfile
However, SAP always recommends a restart for a smooth process, since sapcpe runs by default during the restart as part of the standard SAP kernel start procedure.
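As an added example (not code from the original post), a small POSIX shell check for the step above: after the restart it compares the CCL library in the global exe directory with each application server's local exe directory, so a server that sapcpe missed (the case described above) shows up as MISSING or MISMATCH instead of silently running the old library. The library file name libsapcrypto.so, the directory layout and the instance names are assumptions.

```shell
# Usage: ccl_in_sync <global_exe_dir> <instance_exe_dir>...
# Returns 0 when every instance copy matches the global copy, 1 when at
# least one instance is missing or stale, 2 when the global copy is absent.
# One line is printed per instance so the output doubles as an audit record.
ccl_in_sync() {
    global_dir=$1
    shift
    lib=libsapcrypto.so        # main CCL shared object (assumed file name)
    status=0
    [ -f "$global_dir/$lib" ] || return 2
    ref=$(cksum "$global_dir/$lib" | awk '{print $1}')
    for inst in "$@"; do
        if [ ! -f "$inst/$lib" ]; then
            printf 'MISSING   %s\n' "$inst"
            status=1
            continue
        fi
        sum=$(cksum "$inst/$lib" | awk '{print $1}')
        if [ "$sum" = "$ref" ]; then
            printf 'OK        %s\n' "$inst"
        else
            printf 'MISMATCH  %s (stale copy, re-copy CCL manually)\n' "$inst"
            status=1
        fi
    done
    return $status
}

# Constructed demo: a scratch tree standing in for /sapmnt/SID/exe/uc and
# two instance exe directories; instance D01 still holds the old library.
demo_root=$(mktemp -d)
mkdir -p "$demo_root/SYS/exe/uc" "$demo_root/D00/exe" "$demo_root/D01/exe"
printf 'CCL 8.5.60\n' > "$demo_root/SYS/exe/uc/libsapcrypto.so"
printf 'CCL 8.5.60\n' > "$demo_root/D00/exe/libsapcrypto.so"
printf 'CCL 8.5.50\n' > "$demo_root/D01/exe/libsapcrypto.so"   # stale copy
if ccl_in_sync "$demo_root/SYS/exe/uc" "$demo_root/D00/exe" "$demo_root/D01/exe"; then
    echo "all instances carry the global CCL"
else
    echo "one or more instances need a manual CCL copy"
fi
rm -rf "$demo_root"
```

On a real system, point the first argument at the global uc/nuc platform directory and list every instance exe directory of all application servers.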
VV) For HANA:
Note 3683427 - SAP HANA Service Crash on Crypto::RootKeyManagerSsfs::getKeyDocForEncryption (note version 5)
✨ Do not manually upgrade CCL on a HANA DB. CCL must be upgraded only in conjunction with an SAP HANA database revision upgrade.
To fix the vulnerability, apply one of the following SAP HANA 2 revisions:
Revisions >= 059.19 (SPS05)
Revisions >= 079.06 (SPS07)
Revisions >= 087.00 (SPS08)
For testing purposes, I tried to update CCL on a HANA DB, and it resulted in a service crash stack as expected. Hence, it's not a myth.
VVV) How to identify which CommonCryptoLib version exists on a HANA DB?
There is always a "Fixes and Features" note for each CommonCryptoLib version.
Look up the corresponding HANA DB version in it; the note lists the relevant revision details.
Thanks for visiting !!!