Critical Vulnerability in SAP NetWeaver AS Java
Severity Rating: HIGH
Software Affected
SAP applications running on top of SAP NetWeaver AS Java 7.3 and any newer
versions (up to SAP NetWeaver 7.5).
Potentially vulnerable SAP business solutions include any SAP Java-based
solutions such as (but not limited to):
· SAP Enterprise Resource Planning,
· SAP Product Lifecycle Management,
· SAP Customer Relationship Management,
· SAP Supply Chain Management,
· SAP Supplier Relationship Management,
· SAP NetWeaver Business Warehouse,
· SAP Business Intelligence,
· SAP NetWeaver Mobile Infrastructure,
· SAP Enterprise Portal,
· SAP Process Orchestration/Process Integration,
· SAP Solution Manager,
· SAP NetWeaver Development Infrastructure,
· SAP Central Process Scheduling,
· SAP NetWeaver Composition Environment, and
· SAP Landscape Manager.
Overview
A critical vulnerability has been reported in the SAP NetWeaver AS Java
product which could allow an unauthenticated attacker to take control of
trusted SAP applications.
Description
This vulnerability exists due to a lack of authentication in a web component
of SAP NetWeaver AS for Java, which allows several high-privileged
activities to be performed on the SAP system. An unauthenticated remote
attacker can exploit this vulnerability through an HTTP interface, which is
typically exposed to end users and, in many cases, exposed to the internet.
Successful exploitation of this vulnerability could allow a remote
unauthenticated attacker to obtain unrestricted access to SAP systems
through the creation of high-privileged users, to execute arbitrary
operating system commands with the privileges of the SAP service user
account, to obtain unrestricted access to the SAP database, and to perform
application maintenance activities, such as shutting down federated SAP
applications.
Solution
Apply the appropriate patches and updates as described in the SAP Security Patch notes.
Vendor Information
SAP
References
CISA, US-CERT
ONAPSIS
CVE Name
CVE-2020-6287