Description:
Critical vulnerability identified for SAP Systems based on SAP JAVA Stack.
The RECON (Remotely Exploitable Code On NetWeaver) vulnerability has a CVSS score of 10 out of 10 (the most severe)
Symptom:
LM Configuration Wizard of SAP NetWeaver AS JAVA, does not perform an authentication check which allows an attacker without prior authentication, to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
Systems Excluded:
Customers running SAP BPC Microsoft (all versions) are NOT impacted and there is no action required on their BPC systems.
Systems Affected:
This vulnerability impacts customers running SAP systems, based on SAP AS JAVA (based on SAP NW 7.3, NW 7.31, 7.4 and 7.5). Here are examples of some of the SAP systems which may have active JAVA stack and may be affected: SAP ERP, SAP Solution Manager, SAP Enterprise Portal, SAP BW, SAP CRM etc.
Customers running NetWeaver BPC (all versions) run on SAP ABAP stack and this vulnerability does not affect ABAP stack systems. However if customers run BPC NW on a BW system dual stack (ABAP and JAVA both installed), this will impact the JAVA stack and the below information should be reviewed.
Cause:
The LM Configuration Wizard of SAP NetWeaver AS JAVA, does not perform an authentication check which allows an attacker without prior authentication, to execute configuration tasks to perform critical actions against the SAP Java system, including the ability to create an administrative user, and therefore compromising Confidentiality, Integrity and Availability of the system.
Resolution:
Apply patch update to the LM update configuration wizard component, based on your system. (NOTE - The following are links to SAP notes and will require a S-user id on SAP Marketplace)
If the patch cannot be applied, then atleast disable the tc~lm~ctc~cul~startup_app application as described in the Note 2939665.
The Note 2939665 is a workaround and a defense in depth, but not a solution.
It is recommended to disable the tc~lm~ctc~cul~startup_app application unless needed. This application is used by a few SAP Lifecycle procedures only, such as the initial technical setup. It is not needed for a day-to-day operations. This application can be temporarily activated or enabled for executing the SAP lifecycle procedures.
Additional information can be seen here:
- https://launchpad.support.sap.com/#/notes/2948106
- https://wiki.scn.sap.com/wiki/pages/viewpage.action?pageId=547426775
If you still have performance concerns having followed the above guidance or other technical issues, please contact Column5. In addition to immediate technical support help, our technical services team offers a wide range of performance tuning and technical environment review options.
Related Articles:
Author Bio:
Vishal Goradia,
Vishal has extensive hands on consulting experience in all aspects of SAP Basis Administration including System upgrades, OS/DB migrations, System Refresh, Support Packs, Add-on installations, and Performance Tuning to name a few.
He's experienced in installation, maintenance, administration of SAP BPC v7.5, v10, and v11.x platforms, across multiple operating systems and database scenarios. He's also supported BPC environments on BW 7.0 on NW 7.0, 7.3 and also 7.4 platforms.
