This vulnerability is being tracked as CVE-2020-6287. This vulnerability enables an unauthenticated malicious cyber actor to exploit this vulnerability through the Hypertext Transfer Protocol (HTTP), enabling an adversary to take control of trusted SAP applications.
Organisations unable to immediately apply the security patches should mitigate the vulnerability by disabling the LM Configuration Wizard service. Instructions to do this are available via the SAP One Support Launchpad (please see SAP Security Note #2939665).
If these options are unavailable or the mitigation actions cannot be completed immediately, the ACSC recommends closely monitoring your SAP NetWeaver AS systems and logs for any unusual activity.
Affected products and versions
This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer versions up to SAP NetWeaver 7.5. Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as:
- SAP Enterprise Resource Planning,
- SAP Product Lifecycle Management,
- SAP Customer Relationship Management,
- SAP Supply Chain Management,
- SAP Supplier Relationship Management,
- SAP NetWeaver Business Warehouse,
- SAP Business Intelligence,
- SAP NetWeaver Mobile Infrastructure,
- SAP Enterprise Portal,
- SAP Process Orchestration/Process Integration),
- SAP Solution Manager,
- SAP NetWeaver Development Infrastructure,
- SAP Central Process Scheduling,
- SAP NetWeaver Composition Environment, and
- SAP Landscape Manager.
What do I need to do?
The ACSC strongly recommends organisations review SAP Security Note #2934135 for more information and apply critical security patches as soon as possible.
The ACSC recommends prioritising these security patches over implementation of individual mitigations. When patching, external facing systems should be urgently addressed, followed by internal systems.
Patched versions of the affected components are available at the SAP One Support Launchpad
For further technical details and mitigation advice please refer to CISA Alert AA20-195A