Report a cybercrime, cyber security incident or vulnerability.
Report

What are you looking for?

You can search for keywords to find pages that can help you e.g. scam
First published: 14 Jul 2020
Last updated: 14 Jul 2020

Content written for

Individuals & families
Small & medium business
Large organisations & infrastructure
Government

This vulnerability is being tracked as CVE-2020-6287. This vulnerability enables an unauthenticated malicious cyber actor to exploit this vulnerability through the Hypertext Transfer Protocol (HTTP), enabling an adversary to take control of trusted SAP applications.

Organisations unable to immediately apply the security patches should mitigate the vulnerability by disabling the LM Configuration Wizard service. Instructions to do this are available via the SAP One Support Launchpad (please see SAP Security Note #2939665).

If these options are unavailable or the mitigation actions cannot be completed immediately, the ASD’s ACSC recommends closely monitoring your SAP NetWeaver AS systems and logs for any unusual activity.

Affected products and versions

This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 and newer versions up to SAP NetWeaver 7.5. Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as:

  • SAP Enterprise Resource Planning,
  • SAP Product Lifecycle Management,
  • SAP Customer Relationship Management,
  • SAP Supply Chain Management,
  • SAP Supplier Relationship Management,
  • SAP NetWeaver Business Warehouse,
  • SAP Business Intelligence,
  • SAP NetWeaver Mobile Infrastructure,
  • SAP Enterprise Portal,
  • SAP Process Orchestration/Process Integration),
  • SAP Solution Manager,
  • SAP NetWeaver Development Infrastructure,
  • SAP Central Process Scheduling,
  • SAP NetWeaver Composition Environment, and
  • SAP Landscape Manager.

What do I need to do?

The ASD’s ACSC strongly recommends organisations review SAP Security Note #2934135 for more information and apply critical security patches as soon as possible.

The ASD’s ACSC recommends prioritising these security patches over implementation of individual mitigations. When patching, external facing systems should be urgently addressed, followed by internal systems.

Patched versions of the affected components are available at the SAP One Support Launchpad

For further technical details and mitigation advice please refer to CISA Alert AA20-195A

Further information

 

Critical vulnerability for SAP NetWeaver Application Server (CVE-2020-6287)
Was this information helpful?

Thanks for your feedback!

Optional

Tell us why this information was helpful and we’ll work on making more pages like it