SAP Releases Security Update for NetWeaver AS

Threat ID:: CC-3549
Threat Severity:: Low
Published:: 15 July 2020 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

Affected platforms

The following platforms are known to be affected:

SAP NetWeaver Application Server

Threat details

Vulnerability

SAP has released details of a critical vulnerability affecting their NetWeaver Application Server (AS) product. They claim that a remote unauthenticated attacker could exploit this vulnerability to take control of an affected system.

The vulnerability lies in the Java LM Configuration Wizard used by NetWeaver AS, which by default does not properly authenticate user inputs over HTTP.

Remediation advice

SAP has addressed this vulnerability in security note 2934135. Affected organisations are encouraged to apply this update immediately.

CVE Vulnerabilities

Status Master

CVE-2020-6287

SAP NetWeaver AS JAVA (LM Configuration Wizard), versions - 7.30, 7.31, 7.40, 7.50, does not perform an authentication check which allows an attacker without prior authentication to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system, leading to Missing Authentication Check.

Last edited: 16 July 2020 12:10 pm