CVE-2020-6287: SAP NetWeaver AS JAVA Vulnerability Alert
Recently, SAP officially released a risk notification for high-risk vulnerability caused by the lack of identity authentication in SAP NetWeaver. The vulnerability number is CVE-2020-6287, and the vulnerability level is high-risk. SAP NetWeaver is SAP’s integrated technology platform and the technical foundation of all SAP applications since SAP Business Suite. SAP NetWeaver is a service-oriented application and integration platform that provides a development and running environment for SAP applications, and can also be used for custom development and integration with other applications and systems.
There is a lack of authentication in the LM configuration wizard of SAP NetWeaver AS Java. Unauthenticated remote attackers can perform harmful operations, including but not limited to creating administrator users. An attacker may gain access to adm, which is an operating system user, and it has unlimited access to all local resources related to the SAP system.
Affect version
- SAP NetWeaver:7.30, 7.31, 7.40, 7.50
Among the potentially affected SAP solutions include
- SAP Enterprise Resource Planning
- SAP Product Lifecycle Management
- SAP Customer Relationship Management
- SAP Supply Chain Management
- SAP Supplier Relationship Management
- SAP NetWeaver Business Warehouse
- SAP Business Intelligence
- SAP NetWeaver Mobile Infrastructure
- SAP Enterprise Portal
- SAP Process Orchestration/Process Integration
- SAP Solution Manager
- SAP NetWeaver Development Infrastructure
- SAP Central Process Scheduling
- SAP NetWeaver Composition Environment
- SAP Landscape Manager
Solution
In this regard, we recommend that users install the latest patches in a timely manner to avoid being hacked. If the patch cannot be applied, the recommended solution is to disable the LM configuration.
