
Warning Critical Vulnerability in SAP NetWeaver AS Java

Reference: Advisory #2020-024
Version: 1.0
Affected software:
SAP applications running on top of SAP NetWeaver AS Java 7.3
SAP applications running on top of SAP NetWeaver AS Java 7.4
SAP applications running on top of SAP NetWeaver AS Java 7.5

Sources

https://us-cert.cisa.gov/ncas/alerts/aa20-195a

Risks

A remote unauthenticated attacker can exploit this vulnerability through the Hypertext Transfer Protocol (HTTP) to take control of trusted SAP applications. The attacker can use the exploit to create high-privileged users and execute arbitrary operating system commands.

This vulnerability can have a severe impact on your business: successful exploitation means a full compromise of the vulnerable SAP installation. An attacker can modify or extract highly sensitive information, or disrupt critical business processes.

Description

This vulnerability is present by default in SAP applications running on top of SAP NetWeaver AS Java 7.3 up to SAP NetWeaver 7.5.

Potentially vulnerable SAP business solutions include any SAP Java-based solutions such as (but not limited to):

SAP Enterprise Resource Planning,
SAP Product Lifecycle Management,
SAP Customer Relationship Management,
SAP Supply Chain Management,
SAP Supplier Relationship Management,
SAP NetWeaver Business Warehouse,
SAP Business Intelligence,
SAP NetWeaver Mobile Infrastructure,
SAP Enterprise Portal,
SAP Process Orchestration/Process Integration,
SAP Solution Manager,
SAP NetWeaver Development Infrastructure,
SAP Central Process Scheduling,
SAP NetWeaver Composition Environment, and
SAP Landscape Manager.

Recommended Actions

CERT.be recommends that system administrators apply the latest patches released by the vendor as soon as possible.
When patching, externally facing systems should be prioritised.

Patched versions of the affected components are available at the SAP One Support Launchpad (login required).

link: https://launchpad.support.sap.com/