Critical Vulnerability in SAP NetWeaver Application Server Java (CVE-2020-6287)

Published on 14 Jul 2020

Updated on 14 Jul 2020

SAP has released a security update to address a critical vulnerability (CVE-2020-6287) affecting the SAP NetWeaver Application Server Java component Labour Management (LM) Configuration Wizard.

Successful exploitation of the vulnerability could allow an attacker to obtain unrestricted access to SAP systems, modify and extract sensitive information, and perform application maintenance activities such as shutting down federated SAP applications.

The vulnerability is present by default in SAP applications running on top of SAP NetWeaver Application Server Java versions 7.3 through 7.5.

Administrators of the affected applications are advised to install the latest security update immediately. Administrators who cannot install the update immediately are advised to disable the LM Configuration Wizard service as an interim mitigation until the update can be applied.

More information is available here:

https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=552599675

https://www.us-cert.cisa.gov/ncas/alerts/aa20-195a