The Onapsis Blog

The world of business-critical application security is dynamic, with new developments happening on a continuous basis. Check out our blog for recommendations, insights and observations on the latest news for securing your SAP®, Oracle® and Salesforce applications.

SAP RFC Read Table: Accessing Arbitrary Tables in SAP

SAP RFC Read Table: Accessing Arbitrary Tables in SAP

There is no function module discussed more frequently in the SAP community than the function module RFC_READ_TABLE. This remote-enabled function module allows generic read access to arbitrary tables, and almost every software vendor who offers non-ABAP software for SAP solutions or who provides interfaces/extractors for SAP solutions will sooner or later evaluate it. Even ABAP Add-On providers whose software needs to access all systems of an SAP landscape often use the function module to overcome the need for installing their Add-On on all systems of a customer, keeping total costs of ownership (TCO) at a minimum level. 

This blog discusses the new options within RFC_READ_TABLE and the security aspects of the function module.

A Ubiquitous Module

As of June 2022, a search for RFC_READ_TABLE in the SAP Support Portal results in 347 SAP Notes. A lot of these notes refer to the fact that the function module has not been released by SAP for customer usage, so support and maintenance is not guaranteed. Considering the RFC_READ_TABLE function module has been around for 27 years, this warning about support is usually ignored. It is also ignored because more and more SAP standard applications started to use it or a clone of it to overcome some limitations. A search on remote-enabled function modules in table TFDIR with pattern *RFC*READ*TABLE* on an SAP NW AS ABAP 7.56 system leads to 17 additional hits:

  • /BODS/RFC_READ_TABLE
  • /BODS/RFC_READ_TABLE2
  • /BODS/RFC_READ_TABLE_FIL
  • /BODS/RFC_STREAM_READ_TABLE
  • /PM0/ABC_IBC_RFC_READ_TABLE
  • /SAPDS/RFC_READ_TABLE
  • /SAPDS/RFC_READ_TABLE2
  • /SAPDS/RFC_READ_TABLE_FILE
  • /SAPDS/RFC_STREAM_READ_TABLE
  • BBP_RFC_READ_TABLE
  • CNVCF_CCE_RFC_READ_TABLE
  • CNVCF_CCE_RFC_READ_TABLE_2
  • CNVCF_CCE_RFC_READ_TABLE_TMP
  • CNVCF_CCE_RFC_READ_TABLE_UNI
  • CNV_CMIS_A_20_RFC_READ_TABLE
  • EHPRC_MIGRATION_RFC_READ_TABLE
  • RFC_READ_ALLOC_TABLE

Almost all of them were either created as a copy of RFC_READ_TABLE and extended afterwards or they act as a wrapper to add some additional coding before calling RFC_READ_TABLE internally.

Limitations

Some technical limitations of RFC_READ_TABLE are:

  • Only tables with simple data types can be read (e.g., no support of STRING or XSTRING fields);
  • The maximum line width is 512 characters;
  • Number of returned records limited by memory thresholds.

The missing support for STRING fields was one of the main reasons why all those aforementioned clones were created by SAP internally. Therefore, as of May 2021, SAP extended the capabilities of the function module in the following ways:

  • Support for more simple data types, including STRING and XSTRING;
  • Unlimited line width (optional new EXPORT structure ET_DATA);
  • Selection sorted by primary key.

However, there are some compatibility aspects and issues that require special attention:

  • As a result of the extended capabilities, RFC_READ_TABLE accepts only type-compliant WHERE conditions. In older DBI versions, tolerated errors such as SPRAS = 'EN' or LANGU = 'DE' now generate the runtime error SAPSQL_DATA_LOSS. The correct notation for the specified example is SPRAS = 'E' or LANGU = 'D'. While the usage of MANDT in the WHERE condition only led to empty results in the past, it will now trigger an exception.
  • When using parentheses in the OPTION table for the WHERE condition, the extended RFC_READ_TABLE expects a blank after the opening and before the closing parenthesis. Otherwise, an OPTION_NOT_VALID exception is raised.
     
  • Customers should apply SAP Note #3139000 immediately after implementing note #2246160, since the latter one introduces a bug that affects the sequence of the returned field values.
     
  • Some intermediate versions of the extension were shipped by SAP with newer SAP NetWeaver versions and contain some strange bugs. As an example, we faced an issue in SAP NetWeaver 7.56 SP0 with split WHERE conditions. There were dumps generated until we inserted an extra blank in front of each line. This behavior disappeared after applying note #2246160.

The extensions of RFC_READ_TABLE can be implemented with the corrections attached to SAP Note #2246160 or with the corresponding support package. Unfortunately, the note only provides the extensions for SAP NetWeaver version 7.40 and above.


Regarding Security

SQL Injection

Probably the most dangerous aspect of a dynamic SQL interface is the risk of a SQL injection attack. With the extensions of SAP Note #2246160, the function module checks the provided WHERE condition for critical SQL keywords that indicates an SQL injection attempt. From a customer perspective, the protection against SQL injection is the most important reason to apply the SAP Note. 

System Protection

The possibility of reading arbitrary table data from outside an SAP system represents a serious security issue. The following protection measurements can be considered.

If you don’t want to allow any call of RFC_READ_TABLE in the system:

  • On SAP systems ≥ SAP NetWeaver 7.40, the Unified Connectivity (“UCON”) framework can be used to block any call of the function module. Use the Logging mode in advance to check for any necessary call of the function module.
     

If calls of RFC_READ_TABLE are needed in some areas:

  • Don’t assign roles to users with generic values for the following authorization objects:
    • S_RFC
    • S_TABU_DIS
    • S_TABU_NAM
  • Assign roles with authorizations on S_RFC with the function group SDTX or function name RFC_READ_TABLE only to the users involved in the corresponding RFC scenarios.
     
  • The role(s) assigned to the involved users should only allow table access to the required tables (authorization objects S_TABU_DIS or S_TABU_NAM)

 

SAP Note #2246160 provides two new allow lists (i.e., application rules) in transaction SLDW that are checked by RFC_READ_TABLE:

  • RFC_READ_TABLE_CALL
    • This rule contains the local programs allowed to call RFC_READ_TABLE
  • RFC_READ_TABLE_TABL
    • This rule contains the tables allowed to be accessed via RFC_READ_TABLE

The advantage of managing system access via allow lists is that these restrictions are independent of any user authorizations and are therefore more transparent. You can use the logging functionality in transaction SLDW to initially determine the required entries for both allow lists to match with your daily operation requirements.

The RFC_READ_TABLE_TABL allow list also controls the behavior of the function module in case of a critical finding in the SQL injection analysis. If the allow list is activated, a critical statement will be blocked. Otherwise, it will be executed and logged in the Security Audit Log (Event EUU).  
 

Conclusion

While the function module RFC_READ_TABLE has not been officially released by SAP for external usage, it can be seen as the de facto standard when data must be read from outside a system. There is no official access method available (e.g. a matching BAPI function module). The function module was initially created in 1995 with limited capabilities and the status ‘Not released for customer’ still holds true. However, it seems that SAP insists on this status mainly because they want to have more control about if and when new options or bug fixes are implemented into the function module. The extensions released in May 2021 have introduced significant new functionalities and - even more important - they have added two additional security layers by adding SQL injection protection and by introducing allow lists.   

References

SAP Note   109533: Use of SAP function modules
SAP Note   382318: FAQ | Function module RFC_READ_TABLE
SAP Note 2246160: Enhancement RFC_READ_TABLE (7.40+)
SAP Note 3139000: RFC_READ_TABLE  Column order in results table 

 

Secure your 
business-critical SAP,
Oracle, Salesforce
and SaaS apps

Get a firsthand look at the visibility, reporting and automation capabilities provided by The Onapsis Platform by scheduling a personalized demo with our application security experts.

Request a demo