SECURITY ALERTS

Critical Vulnerability (CVE-2020-6287) Exists in SAP NetWeaver AS JAVA

DESCRIPTION:

An authentication bypass vulnerability (CVE-2020-6287) exists in SAP NetWeaver AS JAVA (LM Configuration Wizard) due to insufficient authentication checks. An unauthenticated, remote attacker can exploit this by executing configuration tasks that perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.

AFFECTED RELEASES:

SAP NetWeaver AS JAVA versions 7.30, 7.31, 7.40, 7.50

SOLUTION:

1. Organizations using affected products are advised to apply the security updates immediately from the following URL:

   https://launchpad.support.sap.com/#/notes/2934135

2. Organizations that are unable to immediately patch should mitigate the vulnerability by disabling the LM Configuration Wizard service (see https://launchpad.support.sap.com/#/notes/2939665).

REFERENCE:

1. https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

2. https://zh-tw.tenable.com/blog/cve-2020-6287-critical-vulnerability-in-sap-netweaver-application-server-java-disclosed-recon

3. https://us-cert.cisa.gov/ncas/alerts/aa20-195a
