SAP NetWeaver RECON CVE-2020-6287 - Vulnerability Database

SAP NetWeaver RECON CVE-2020-6287

Description

SAP NetWeaver Application Server (AS) JAVA contains a critical authentication bypass vulnerability in the LM Configuration Wizard component. This flaw allows unauthenticated remote attackers to access administrative configuration functions without providing valid credentials, enabling them to execute privileged configuration tasks that should be restricted to authorized administrators only.

Remediation

Apply SAP Security Notes #2934135 and #2939665 immediately to remediate this vulnerability. Follow these steps:

1. Download the required security patches from the SAP Support Portal (requires valid S-user credentials)
2. Review the security notes for specific affected versions and implementation instructions
3. Schedule a maintenance window as the patches may require system restart
4. Apply patches to all affected SAP NetWeaver AS JAVA systems, prioritizing internet-facing instances
5. Verify successful patch installation through the SAP Support Package Manager (SPAM/SAINT)
6. Confirm the LM Configuration Wizard now properly enforces authentication
7. Review system logs for any suspicious configuration changes that may have occurred prior to patching

As an interim mitigation if immediate patching is not possible, restrict network access to the LM Configuration Wizard interface using firewall rules or disable the component if not actively required.
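The interim mitigation above can be expressed as a host firewall ruleset. The following nftables ruleset is an added example and is not part of the original entry or of SAP's own guidance; it assumes the AS Java HTTP and HTTPS ports are the default 50000 and 50001 (instance number 00) and that administrators connect from the constructed management network 10.20.0.0/24. Adjust both to match the system.

```nftables
#!/usr/sbin/nft -f
# Added example: allow only the administration network to reach the
# AS Java web ports that expose the LM Configuration Wizard; drop the rest.
# Ports and admin_nets are assumptions, not values from the advisory.

table inet sap_lmcw {
    set admin_nets {
        type ipv4_addr
        flags interval
        elements = { 10.20.0.0/24 }   # constructed management subnet
    }

    chain input {
        type filter hook input priority 0; policy accept;

        # Keep already established sessions working.
        ct state established,related accept

        # Assumed AS Java instance 00 ports: 50000 (HTTP), 50001 (HTTPS).
        tcp dport { 50000, 50001 } ip saddr @admin_nets accept

        # Everything else to those ports is dropped and counted for review.
        tcp dport { 50000, 50001 } counter drop
    }
}
```

Load it with `nft -f <file>` and confirm with `nft list table inet sap_lmcw`; the `counter` on the drop rule shows how many non-admin connection attempts were blocked, which is useful evidence when reviewing step 7. Note that the wizard shares the AS Java web ports with every other Java application on the instance, so a host-level rule like this also cuts off end users of those applications; where that is unacceptable, restrict the path at a reverse proxy or disable the component as the entry suggests until the security notes are applied.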
