SAP Knowledge Base Article - Preview

3222245 - BI Scans showing Hard coded passwords vulnerability

Symptom

When using the latest versions of SAP BI Platform,

  • Your vulnerability scans may flag the 3 files below, which contain dummy passwords, default passwords and a passphrase within SAP BusinessObjects code, as vulnerable.
  • You need confirmation of whether these findings are false positives:
    • com/crystaldecisions/sdk/plugin/destination/ftp/internal/FTP.java
         private static final String DEFAULT_PASS = "BusinessObjects.com";
         static final String DUMMY_PASSWORD = "********";
    • com/crystaldecisions/sdk/plugin/destination/sftp/internal/SFTP.java
         private static final String DEFAULT_PASS = "BusinessObjects.com";
         static final String DUMMY_PASSWORD = "********";
    • com/crystaldecisions/enterprise/ocaframework/SSLConfigParameters.java
         public static final String CMDLINESWITCH_PASSPHRASE = "ssl_mykey_passphrase";
    • Module: BOE.war/cecore.jar Location: com/crystaldecisions/sdk/framework/internal/TrustedPrincipal.class
          public static final String SHARED_SECRET_PROP_NAME = "SharedSecret";



Environment

SAP BI Business Objects exact version: SAP BI Platform 4.2 SP08 patch 09 [ 4.2 / 4.3 latest SPs and patches ]
OS version (Linux/Windows): All supported OS
CMS database: All supported DB

Product

SAP BusinessObjects Business Intelligence platform 4.2 ; SAP BusinessObjects Business Intelligence platform 4.3

Keywords

BI 4.2 4.3 hard coded passwords default_pass dummy_password cmdlineswitch_passphrase , KBA , BI-BIP-DEP , Webapp Deployment, Networking, Vulnerabilities, Webservices , Problem
