Financial Management Blogs by Members
Dive into a treasure trove of SAP financial management wisdom shared by a vibrant community of bloggers. Submit a blog post of your own to share knowledge.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Vulnerability that exposes SAP JAVA stack

former_member188476
Active Participant
‎07-14-2020 9:09 PM
Critical Vulnerability (RECON) found in SAP NetWeaver AS Java

RECON - Remotely Exploitable Code On Netweaver

Background 

July 13 US-CERT Alert, AA20-195A had been issued around SAP NetWeaver AS Java (LM Configuration Wizard) affecting versions - 7.30, 7.31, 7.40, 7.50

How this vulnerability exposes SAP critical APPS

According to SAP note 2934135 - LM Configuration Wizard of SAP NetWeaver AS JAVA, does not perform an authentication check which allows an attacker without prior authentication, to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity, and Availability of the system.

CVSS Score: 10.0; CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Systems Impacted

Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as (but not limited to):

SAP Enterprise Resource Planning,
SAP Product Lifecycle Management,
SAP Customer Relationship Management,
SAP Supply Chain Management,
SAP Supplier Relationship Management,
SAP NetWeaver Business Warehouse,
SAP Business Intelligence,
SAP NetWeaver Mobile Infrastructure,
SAP Enterprise Portal,
SAP Process Orchestration/Process Integration),
SAP Solution Manager,
SAP NetWeaver Development Infrastructure,
SAP Central Process Scheduling,
SAP NetWeaver Composition Environment, and
SAP Landscape Manager.

Acknowledgments 
SAP and Onapsis contributed to this Alert. See the Onapsis report on the “RECON” SAP Vulnerability for more information.

SAP Patch Tuesday, July 2020 - https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

SAP Security Notes  -  https://launchpad.support.sap.com/#/notes/2947895

https://launchpad.support.sap.com/#/notes/2939665

https://launchpad.support.sap.com/#/notes/2934135

 

US-CERT - https://us-cert.cisa.gov/ncas/alerts/aa20-195a

If you are someone who is responsible for securing your ERP system, I would suggest getting in touch with Onapsis/ SAP to deploy the patch and apply compensating controls.


Anand Kotti

 

 

 

 

 
7 Comments
Labels in this area
Popular Blog Posts
Top kudoed authors
View all