Critical Vulnerability In SAP NetWeaver AS Java (CVE-2020-6287 and CVE-2020-6286)

www.basisguru.com

SAP has recently released a security update to address critical vulnerabilities in the LM Configuration Wizard component of SAP NetWeaver AS Java.
The main vulnerability is tracked as CVE-2020-6287.

CVE-2020-6287

The LM Configuration Wizard in SAP NetWeaver AS Java does not perform an authentication check, which allows an attacker to exploit this vulnerability over the Hypertext Transfer Protocol (HTTP).

An attacker without authentication can perform and execute critical operations such as configuration tasks and user administration.
This can compromise the availability, data integrity and confidentiality of the business systems.

CVE-2020-6286

Certain parameters in the SAP web services allow this unauthenticated attacker to download zip files to a specific directory.

More details regarding these Common Vulnerabilities and Exposures can be found at:

Affected SAP Products

SAP NetWeaver AS Java (LM Configuration Wizard, component LMCTC), versions 7.30, 7.31, 7.40 and 7.50 (as of 14.7.2020)

Solution for CVE-2020-6287 in SAP NW Java Systems

SAP insists that this patch be applied immediately to the affected SAP systems.

Workaround

SAP recommends disabling the application tc~lm~ctc~cul~startup_app, but this is a workaround and may not be the final solution.

For systems on releases lower than SP 7.30 this workaround could be especially helpful, as the fix is available only for support packages released after May 2018.

Additionally, SAP recommends that this application (tc~lm~ctc~cul~startup_app) be activated only temporarily, i.e. only for specific tasks such as the initial technical setup.

  • Only the LMCTC component needs to be updated. This component does not have any dependency on other stacks.
  • No other services or functionalities are affected, and this action does not even require downtime.

How To Disable LM Configuration Wizard

  • Navigate to the NetWeaver Administrator URL of your SAP Java stack system: http://<hostname>:port/nwa
  • Go to path: Configuration -> Infrastructure -> Java HTTP Provider Configuration -> Application Aliases.
  • Uncheck the following aliases: ctcprotocol, CTCWebService and ctc/core
  • Save.
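After saving, it is worth confirming from the network side that the three aliases really are no longer served. The following script is an added example (not from the original post or from SAP); it assumes each alias maps to the URL path http://<hostname>:port/<alias> and that a disabled alias answers with HTTP 404, so any other answer is treated as "still served".

```python
# Added example: verify the CVE-2020-6287 workaround by checking that the
# LM Configuration Wizard aliases no longer answer on the Java stack.
# Assumptions: alias name == URL path under the base URL; disabled alias -> 404.
import urllib.error
import urllib.request

# Aliases the post says to uncheck under Java HTTP Provider Configuration.
CTC_ALIASES = ("ctcprotocol", "CTCWebService", "ctc/core")


def http_status(url, timeout=5):
    """Return the HTTP status code for a GET of url, or None if unreachable."""
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code      # server answered with 4xx/5xx, e.g. 401 or 404
    except (urllib.error.URLError, OSError):
        return None          # no answer at all (host down, port closed, timeout)


def alias_served(status):
    """True when the alias still appears to be deployed.
    Assumption: 404 or no answer means disabled; anything else (200, 401,
    403, 500, ...) means the application is still reachable."""
    return status is not None and status != 404


def check_workaround(base_url, fetch=http_status):
    """Map each alias to True (still served) or False (disabled).
    fetch is injectable so the logic can be tested without a live system."""
    base_url = base_url.rstrip("/")
    return {alias: alias_served(fetch(f"{base_url}/{alias}"))
            for alias in CTC_ALIASES}


def workaround_applied(base_url, fetch=http_status):
    """True only if none of the three aliases answers any more."""
    return not any(check_workaround(base_url, fetch).values())


if __name__ == "__main__":
    import sys
    base = sys.argv[1] if len(sys.argv) > 1 else "http://<hostname>:port"
    for alias, served in check_workaround(base).items():
        print(f"{alias:15s} {'STILL SERVED' if served else 'disabled'}")
```

Run it as `python check_ctc.py http://<hostname>:port` against your own system after the change; every alias should report "disabled", and a "STILL SERVED" line means the alias is still answering and the workaround has not taken effect.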