SAP Management Console get user list
Description
The SAP Management Console (SAP MC) is a centralized administration interface that enables monitoring and management of SAP systems. A security vulnerability exists in the SAP Management Console SOAP Interface that allows remote attackers to invoke sensitive methods without authentication. Specifically, attackers can retrieve the user list from ABAP system logs, exposing internal user account information that should be restricted to authorized administrators only.
Remediation
Apply SAP Security Note 1439348 immediately to remediate this vulnerability. This security patch restricts access to sensitive SAP Management Console methods and enforces proper authentication controls on the SOAP Interface. Follow these steps:
1. Download SAP Security Note 1439348 from the SAP Support Portal (requires valid S-user credentials)
2. Review the note for specific affected versions and implementation instructions
3. Apply the security patch during a scheduled maintenance window following your organization's change management procedures
4. After applying the patch, verify that unauthenticated access to the GetUserList and similar sensitive methods is blocked
5. Review SAP Management Console access logs for any evidence of exploitation prior to patching
Additionally, restrict network access to the SAP Management Console SOAP Interface (typically port 5XX13 or 5XX14) using firewall rules to allow connections only from trusted administrative networks.
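The firewall restriction described above, as an added example that is not part of the original advisory: a shell helper that prints iptables rules for review instead of applying them. It reads XX as the two-digit SAP instance number; the admin network 10.20.30.0/24 and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example: emit iptables rules that limit the SAP MC SOAP ports
# (5XX13 / 5XX14) to one trusted admin network. Rules are printed for
# review, not applied.

# sapmc_ports NN -> "5NN13,5NN14" for a two-digit instance number.
sapmc_ports() {
    case "$1" in
        [0-9][0-9]) printf '5%s13,5%s14\n' "$1" "$1" ;;
        *) echo "invalid instance number: $1" >&2; return 1 ;;
    esac
}

# sapmc_rules ADMIN_CIDR NN [NN ...]
# Per instance: an ACCEPT rule for the admin network, then a DROP rule
# for every other source.
sapmc_rules() {
    [ "$#" -ge 2 ] || { echo "usage: sapmc_rules CIDR NN..." >&2; return 2; }
    cidr=$1
    shift
    for nn in "$@"; do
        # Refuse to emit anything for a malformed instance number.
        ports=$(sapmc_ports "$nn") || return 1
        echo "iptables -A INPUT -p tcp -m multiport --dports $ports -s $cidr -j ACCEPT"
        echo "iptables -A INPUT -p tcp -m multiport --dports $ports -j DROP"
    done
}

# Constructed sample: instances 00 and 01, admin network 10.20.30.0/24.
sapmc_rules 10.20.30.0/24 00 01
```

The rules are appended with `-A`, so an earlier broad ACCEPT rule in the INPUT chain would still match first; check the order with `iptables -L INPUT -n --line-numbers` before relying on them.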