Critical Vulnerability in SAP NetWeaver AS Java

Severity Rating: HIGH

Software Affected

SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer
versions (up to SAP NetWeaver 7.5).

Potentially vulnerable SAP business solutions include any SAP Java-based
solutions such as (but not limited to):

· SAP Enterprise Resource Planning,
· SAP Product Lifecycle Management,
· SAP Customer Relationship Management,
· SAP Supply Chain Management,
· SAP Supplier Relationship Management,
· SAP NetWeaver Business Warehouse,
· SAP Business Intelligence,
· SAP NetWeaver Mobile Infrastructure,
· SAP Enterprise Portal,
· SAP Process Orchestration/Process Integration,
· SAP Solution Manager,
· SAP NetWeaver Development Infrastructure,
· SAP Central Process Scheduling,
· SAP NetWeaver Composition Environment, and
· SAP Landscape Manager.

Overview

A critical vulnerability has been reported in the SAP NetWeaver AS Java
product that could allow an unauthenticated attacker to take control of
trusted SAP applications.

Description

This vulnerability exists due to a lack of authentication in a web component
of SAP NetWeaver AS for Java, which allows several high-privileged
activities to be performed on the SAP system. An unauthenticated remote
attacker can exploit this vulnerability through an HTTP interface, which is
typically exposed to end users and, in many cases, exposed to the internet.

Successful exploitation of this vulnerability could allow a remote
unauthenticated attacker to obtain unrestricted access to SAP systems
through the creation of high-privileged users, to execute arbitrary
operating system commands with the privileges of the SAP service user
account, to obtain unrestricted access to the SAP database, and to perform
application maintenance activities, such as shutting down federated SAP
applications.
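
The description above states that the flaw is reachable without authentication over an HTTP interface and that successful exploitation leads to high-privileged activity such as the creation of administrative users. As an added illustration of how a defender might hunt for that pattern in logs (example code written for this post, not SAP's or CERT-In's), the script below flags successful requests that carry no authenticated user to a watched path prefix and correlates them with later user-creation audit events from the same client address. The path prefix, the access-log and audit-event formats, and every sample line are constructed assumptions; the advisory itself does not name the vulnerable component.

```python
"""Hunt for unauthenticated access to a high-privileged web component and
correlate it with follow-on administrative user creation.

Everything here is a constructed example: the watched path prefix, the log
formats and the sample data are assumptions, not SAP-documented values.
"""
import re
from datetime import datetime, timedelta

# Assumption: requests under these prefixes should never succeed without an
# authenticated user. The real component path is not named in the advisory,
# so a placeholder is used; replace it with the paths from your own landscape.
WATCHED_PREFIXES = ("/placeholder-admin-component/",)

# Assumption: a common-log-format style access line with a user field.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"


def parse_access_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_unauthenticated_admin_requests(lines):
    """Flag successful (2xx) requests to a watched prefix with no user set."""
    hits = []
    for line in lines:
        rec = parse_access_line(line)
        if rec is None:
            continue
        if (rec["user"] == "-"
                and rec["path"].startswith(WATCHED_PREFIXES)
                and 200 <= rec["status"] < 300):
            hits.append(rec)
    return hits


def correlate_user_creation(hits, audit_events, window_minutes=30):
    """Pair each hit with USER_CREATED audit events from the same client IP
    that occurred within window_minutes after the unauthenticated request."""
    window = timedelta(minutes=window_minutes)
    findings = []
    for hit in hits:
        for ev in audit_events:
            if (ev["event"] == "USER_CREATED"
                    and ev["ip"] == hit["ip"]
                    and hit["ts"] <= ev["ts"] <= hit["ts"] + window):
                findings.append({
                    "ip": hit["ip"],
                    "path": hit["path"],
                    "request_ts": hit["ts"],
                    "new_user": ev["user"],
                    "roles": ev["roles"],
                })
    return findings


# Constructed sample data (RFC 5737 documentation addresses).
SAMPLE_ACCESS_LOG = [
    '203.0.113.7 - - [13/Jul/2020:10:01:12] "POST /placeholder-admin-component/service HTTP/1.1" 200',
    '198.51.100.4 - j2ee_admin [13/Jul/2020:10:02:30] "GET /placeholder-admin-component/service HTTP/1.1" 200',
    '203.0.113.7 - - [13/Jul/2020:10:03:02] "GET /irj/portal HTTP/1.1" 200',
    '203.0.113.9 - - [13/Jul/2020:10:05:00] "POST /placeholder-admin-component/service HTTP/1.1" 401',
]
SAMPLE_AUDIT_EVENTS = [
    {"ts": datetime(2020, 7, 13, 10, 1, 40), "ip": "203.0.113.7",
     "event": "USER_CREATED", "user": "svc_backup", "roles": ["Administrator"]},
    {"ts": datetime(2020, 7, 13, 12, 0, 0), "ip": "203.0.113.7",
     "event": "USER_CREATED", "user": "late_user", "roles": ["Administrator"]},
    {"ts": datetime(2020, 7, 13, 10, 4, 0), "ip": "198.51.100.4",
     "event": "USER_CREATED", "user": "hr_clerk", "roles": ["Employee"]},
]


def run_sample():
    """Run the hunt over the constructed sample data and return findings."""
    hits = find_unauthenticated_admin_requests(SAMPLE_ACCESS_LOG)
    return correlate_user_creation(hits, SAMPLE_AUDIT_EVENTS)


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ip']} hit {f['path']} unauthenticated at {f['request_ts']}, "
              f"then created user {f['new_user']} with roles {f['roles']}")
```

Only the first access line is flagged: the second carries an authenticated user, the third is outside the watched prefix, and the fourth was rejected with a 401. Of the three audit events, only svc_backup is created by the same client within the 30-minute window, so the sample run yields a single finding. The authenticated-request and rejected-request filters are deliberate, since the advisory's concern is requests that succeed without any credential.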

Solution

Apply appropriate patches and updates as mentioned in the SAP Security Patch.

Vendor Information

SAP

References

CISA, US-CERT

ONAPSIS

CVE Name
CVE-2020-6287

About Cert Advisory

We have created this blog to provide the latest security advisories from the India CERT on security vulnerabilities, threats, attacks, and the patching required to mitigate any kind of cyber attack.
