AlertsSAP NetWeaver Java Vulnerability

Number: AL20-019
Date: 14 July 2020

AUDIENCE

This Alert is intended for IT professionals and managers of notified organizations. Recipients of this information may redistribute it within their respective organizations.

PURPOSE

An Alert is used to raise awareness of a recently identified cyber threat that may impact cyber information assets, and to provide additional detection and mitigation advice to recipients. The Canadian Centre for Cyber Security ("Cyber Centre") is also available to provide additional assistance regarding the content of this Alert to recipients as requested.

OVERVIEW

SAP NetWeaver Application Server Java, a core component of multiple SAP products, contains a vulnerability that could be exploited in order to gain full control of SAP applications.

DETAILS

On 14 July 2020 SAP released a security update to address a critical vulnerability, tracked as CVE-2020-6287, affecting the LM Configuration Wizard in SAP NetWeaver Application Server Java.  An unauthenticated actor could exploit this vulnerability to take control of SAP applications by creating highly privileged SAP users able to view, modify or extract sensitive information, or interfere with business processes implemented by the system.

The following SAP applications could be affected:

  • Enterprise Resource Planning;
  • Product Lifecycle Management;
  • Customer Relationship Management;
  • Supply Chain Management;
  • Supplier Relationship Management;
  • NetWeaver Business Warehouse;
  • Business Intelligence;
  • NetWeaver Mobile Infrastructure;
  • Enterprise Portal;
  • Process Orchestration/Process Integration;
  • Solution Manager;
  • NetWeaver Development Infrastructure;
  • Central Process Scheduling;
  • NetWeaver Composition Environment; and
  • Landscape Manager.

Of particular concern are cases, confirmed by open source research, in which the NetWeaver Application Server web interface is exposed on an externally accessible interface.

SUGGESTED ACTION

The Cyber Centre encourages those organizations operating SAP environments to refer to SAP Security Note 2934135 (login required) and proceed as soon as possible with the specified patching of affected Internet-facing servers first, followed by affected internal servers.
In addition, administrators should monitor systems closely for the presence of new, unexpected or unrecognized user accounts.

REFERENCES

Cyber Centre Advisory on SAP security patch day
https://www.cyber.gc.ca/en/alerts/sap-security-advisory-6
 
SAP software updates portal (login required)
https://launchpad.support.sap.com/
 
Onapsis NetWeaver Application Server for Java vulnerability research “RECON”
https://www.onapsis.com/recon-sap-cyber-security-vulnerability
 
Cybersecurity & Infrastructure Security Agency (US) Alert (AA20-195A)
https://us-cert.cisa.gov/ncas/alerts/aa20-195a
 
NOTE TO READERS
The Canadian Centre for Cyber Security (Cyber Centre) operates as part of the Communications Security Establishment.  We are Canada's national authority on cyber security and we lead the government's response to cyber security events. As Canada's national computer security incident response team, the Cyber Centre works in close collaboration with government departments, critical infrastructure, Canadian businesses and international partners to prepare for, respond to, mitigate, and recover from cyber events. We do this by providing authoritative advice and support, and coordinating information sharing and incident response. The Cyber Centre is outward-facing, welcoming partnerships that help build a stronger, more resilient cyber space in Canada.

Date modified: