RECON: critical vulnerability affecting SAP NetWeaver Java systems


A vulnerability has been discovered in SAP NetWeaver Application Server Java that makes it possible to create SAP users with maximum privileges without authenticating. The vulnerability, known as RECON (Remotely Exploitable Code On NetWeaver) and tracked as CVE-2020-6287, has received a CVSS base score of 10.0 out of 10, the highest possible severity. The problem exists in all NetWeaver Java systems on release 7.30, 7.31, 7.40 or 7.50.

Action:

It is of the utmost importance to apply the SAP security patch as soon as possible; where it cannot be installed immediately, apply SAP's published workaround first and follow up with the patch. The threat posed by this flaw cannot be overstated: an unauthenticated intruder who creates an administrative user can read, alter or destroy business data at will. Because exploitation leaves behind a high-privilege account, patching alone is not enough: after applying the fix, review the system's user store for administrator accounts you did not create and treat any such account as evidence of compromise.
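As an added illustration (not part of the original article and not an SAP tool), the following Python audit shows the post-patch check described above: given an export of the NetWeaver Java user store, it lists every account holding an administrator group that is not in a known baseline, so an attacker-created account stands out, and notes whether it was created after a date of interest (for example the disclosure date). The column names, the group names and the sample export are assumptions constructed for the example; adapt them to your own UME export.

```python
import csv
import io
from datetime import datetime, timezone

# Constructed sample export of the Java user store (NOT real data).
# Column names "userid", "created" and "groups" are assumed for this example.
SAMPLE_EXPORT = """userid,created,groups
j2ee_admin,2018-03-12T09:00:00Z,Administrators
svc_monitor,2019-11-02T14:22:10Z,Guests
bkadm,2020-07-15T02:13:44Z,Administrators;Everyone
alice,2020-06-30T10:00:00Z,Everyone
"""

# Baseline of administrator accounts the organisation knows it created (assumed).
KNOWN_ADMINS = {"j2ee_admin"}

# Group names that confer administrative privilege (assumed; extend as needed).
ADMIN_GROUPS = {"Administrators"}

# Date of interest, e.g. public disclosure of the flaw; accounts created on or
# after it deserve extra scrutiny.
DISCLOSURE = datetime(2020, 7, 14, tzinfo=timezone.utc)


def parse_export(text):
    """Parse the CSV export into dicts with a timezone-aware creation time."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        created = datetime.strptime(row["created"], "%Y-%m-%dT%H:%M:%SZ")
        rows.append({
            "userid": row["userid"],
            "created": created.replace(tzinfo=timezone.utc),
            "groups": {g for g in row["groups"].split(";") if g},
        })
    return rows


def unexpected_admins(rows, known_admins, admin_groups, since):
    """Return (userid, created_after_since) for every privileged account
    that is not in the baseline. Any hit is a finding; created_after_since
    only ranks how urgently it should be investigated."""
    findings = []
    for r in rows:
        if not (r["groups"] & admin_groups):
            continue  # no administrative group, not in scope
        if r["userid"] in known_admins:
            continue  # expected administrator
        findings.append((r["userid"], r["created"] >= since))
    return sorted(findings)


if __name__ == "__main__":
    for userid, recent in unexpected_admins(
        parse_export(SAMPLE_EXPORT), KNOWN_ADMINS, ADMIN_GROUPS, DISCLOSURE
    ):
        urgency = "created after disclosure" if recent else "older account"
        print(f"unexpected administrator: {userid} ({urgency})")
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents and KNOWN_ADMINS with your documented administrator list; an empty result is what a clean system should produce.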
