
[TECH ALERT] Critical vulnerability for SAP Systems on SAP JAVA Stack

Posted by Vishal Goradia on Wed, Aug 12, 2020 @ 09:08 AM

Description:
A critical vulnerability has been identified in SAP systems based on the SAP JAVA stack.
The RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 (the most severe).

Symptom:
The LM Configuration Wizard of SAP NetWeaver AS JAVA does not perform an authentication check. This allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.


Systems Excluded:
Customers running SAP BPC Microsoft (all versions) are NOT impacted and there is no action required on their BPC systems.

Systems Affected:
This vulnerability impacts customers running SAP systems based on SAP AS JAVA (SAP NW 7.3, NW 7.31, 7.4 and 7.5). Examples of SAP systems that may have an active JAVA stack and may therefore be affected include SAP ERP, SAP Solution Manager, SAP Enterprise Portal, SAP BW and SAP CRM.

Customers running NetWeaver BPC (all versions) run on the SAP ABAP stack, and this vulnerability does not affect ABAP stack systems. However, if customers run BPC NW on a dual-stack BW system (ABAP and JAVA both installed), the JAVA stack is impacted and the information below should be reviewed.

Cause:
The LM Configuration Wizard of SAP NetWeaver AS JAVA does not perform an authentication check. This allows an attacker without prior authentication to execute configuration tasks and perform critical actions against the SAP Java system, including creating an administrative user, thereby compromising the confidentiality, integrity and availability of the system.

Resolution:
Apply the patch to the LM Configuration Wizard component that matches your system release. (NOTE - The following are links to SAP Notes and require an S-user ID on SAP Marketplace.)

If the patch cannot be applied, then at least disable the tc~lm~ctc~cul~startup_app application as described in SAP Note 2939665.

SAP Note 2939665 is a workaround and a defense-in-depth measure, not a fix; the patch is still required.

It is recommended to disable the tc~lm~ctc~cul~startup_app application unless it is needed. This application is used by only a few SAP lifecycle procedures, such as the initial technical setup, and is not needed for day-to-day operations. It can be temporarily activated or enabled when executing the SAP lifecycle procedures.
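The "Systems Affected" and "Resolution" sections above give a set of rules a Basis team applies across its landscape: JAVA stack on NW 7.3, 7.31, 7.4 or 7.5 is in scope, ABAP-only is out, dual stack is in scope on its JAVA side, BPC for Microsoft is out, and a system with the startup_app disabled but no patch is only partially protected. The script below is an added example (not Column5's or SAP's code) that turns those rules into a triage pass over a constructed inventory; the inventory format, field names and system IDs are this example's own assumptions.

```python
"""Triage helper for the RECON tech alert (added example, not Column5's or SAP's code).

Encodes the rules stated in the alert: SAP AS JAVA on NW 7.3/7.31/7.4/7.5 is in scope,
ABAP-only systems are not, dual-stack systems are in scope on their JAVA side,
BPC for Microsoft is not impacted, and disabling tc~lm~ctc~cul~startup_app is a
workaround that does not replace the patch. The inventory format is an assumption.
"""
from __future__ import annotations

from dataclasses import dataclass

# NetWeaver releases named in the alert as affected.
AFFECTED_NW_RELEASES = {"7.3", "7.31", "7.4", "7.5"}


@dataclass(frozen=True)
class SapSystem:
    sid: str                          # system ID (constructed sample values below)
    product: str                      # free text, e.g. "SAP ERP", "SAP BPC MS"
    nw_release: str                   # NetWeaver release, e.g. "7.4"; "n/a" if none
    stack: str                        # "ABAP", "JAVA", "DUAL" or "NONE"
    startup_app_enabled: bool = True  # state of tc~lm~ctc~cul~startup_app
    patched: bool = False             # LM Configuration Wizard patch applied


def classify(system: SapSystem) -> tuple[str, str]:
    """Return (verdict, reason) for one system.

    Verdicts, most urgent first: "exposed", "workaround-only", "patched", "not-affected".
    """
    product = system.product.upper()
    if "BPC MS" in product or "BPC MICROSOFT" in product:
        return "not-affected", "BPC for Microsoft is not impacted"
    if system.stack.upper() == "ABAP":
        return "not-affected", "ABAP-only stack; vulnerability is in the JAVA stack"
    if system.nw_release not in AFFECTED_NW_RELEASES:
        return "not-affected", f"NW {system.nw_release} is not among the listed releases"
    side = "JAVA side of dual stack" if system.stack.upper() == "DUAL" else "JAVA stack"
    if system.patched:
        return "patched", f"{side}: LM Configuration Wizard patch applied"
    if not system.startup_app_enabled:
        return "workaround-only", f"{side}: startup_app disabled (Note 2939665), patch still required"
    return "exposed", f"{side}: unpatched and tc~lm~ctc~cul~startup_app enabled"


def triage(inventory: list[SapSystem]) -> dict[str, list[tuple[str, str]]]:
    """Group an inventory by verdict, keyed most urgent first."""
    groups: dict[str, list[tuple[str, str]]] = {
        "exposed": [], "workaround-only": [], "patched": [], "not-affected": []
    }
    for system in inventory:
        verdict, reason = classify(system)
        groups[verdict].append((system.sid, reason))
    return groups


# Constructed sample inventory; SIDs and products are illustrative only.
SAMPLE_INVENTORY = [
    SapSystem("ERP", "SAP ERP", "7.5", "JAVA"),
    SapSystem("BWP", "SAP BW with BPC NW", "7.4", "DUAL", startup_app_enabled=False),
    SapSystem("BPM", "SAP BPC MS 10.1", "n/a", "NONE"),
    SapSystem("ABP", "SAP BPC NW", "7.5", "ABAP"),
    SapSystem("SMP", "SAP Solution Manager", "7.4", "DUAL", patched=True),
]

if __name__ == "__main__":
    for verdict, systems in triage(SAMPLE_INVENTORY).items():
        for sid, reason in systems:
            print(f"{verdict:16} {sid}  {reason}")
```

Feed it your real landscape export and work the "exposed" group first, then the "workaround-only" group, since the alert is explicit that disabling the application is defense in depth rather than a fix.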

Additional information can be seen here:

If you still have performance concerns or other technical issues after following the above guidance, please contact Column5. In addition to immediate technical support, our technical services team offers a wide range of performance tuning and technical environment review options.
Author Bio:

Vishal Goradia

Vishal has extensive hands-on consulting experience in all aspects of SAP Basis administration, including system upgrades, OS/DB migrations, system refreshes, support packs, add-on installations and performance tuning, to name a few.

He is experienced in the installation, maintenance and administration of SAP BPC v7.5, v10 and v11.x platforms across multiple operating system and database scenarios. He has also supported BPC environments on BW 7.0 on NW 7.0, 7.3 and 7.4 platforms.

 

Topics: Enterprise Performance Management (EPM), Performance, Technical
