CVE-2020-6287: SAP NetWeaver AS JAVA Vulnerability Alert

Recently, SAP officially released a risk notification for a high-risk vulnerability caused by missing authentication in SAP NetWeaver. The vulnerability is tracked as CVE-2020-6287 and rated high-risk. SAP NetWeaver is SAP's integrated technology platform and has been the technical foundation of all SAP applications since SAP Business Suite. It is a service-oriented application and integration platform that provides a development and runtime environment for SAP applications, and can also be used for custom development and for integration with other applications and systems.

CVE-2020-6287

The LM Configuration Wizard of SAP NetWeaver AS Java lacks authentication. An unauthenticated remote attacker can perform harmful operations, including but not limited to creating administrator users. Through this, an attacker may gain access to the <sid>adm operating system user, which has unrestricted access to all local resources related to the SAP system.

Affected versions

  • SAP NetWeaver: 7.30, 7.31, 7.40, 7.50

Among the potentially affected SAP solutions include

Solution

We recommend that users install the latest patches in a timely manner to avoid compromise. If the patch cannot be applied, the recommended mitigation is to disable the LM Configuration Wizard.