Advisory
SAP released Security Note 2878568 (CVSS 6.9, component BC-JAS-COR-RMT) on 09.06.2020. It is titled "[CVE-2020-6263] Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol" and affects the Java system type.
According to the SAP Security Advisory team, no workaround exists; the correction should be applied as part of the regular monthly patch process.
The vulnerability classes addressed are a missing authentication check and denial of service (DoS) in the Java stack.
Risk specification
The P4 client implementation opens an unauthenticated server socket, which allows an unauthenticated attacker to obtain information about the deployment or to make the component unavailable to legitimate clients. Because the listener lives in the client-side P4 implementation, the correction has to reach the standalone client installations as well as the AS Java server.
Solution
The server socket is now deactivated by default. If it is needed, it can be reactivated via a Java property or an environment variable.
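To make the risk description and the fix pattern concrete, the following Python sketch is an added example (not SAP's code, and not the P4 implementation): it contrasts a client that unconditionally opens a listener on all interfaces and volunteers deployment details to anyone who connects with one that keeps the listener off unless an operator explicitly enables it, and then binds it to loopback only. The property/environment variable name `P4_CLIENT_CALLBACK_SOCKET` and the banner text are hypothetical stand-ins; this note summary does not publish the real names.

```python
"""Illustration of the CVE-2020-6263 failure mode and the opt-in listener fix.

Added example, not SAP code. ENABLE_ENV is a hypothetical stand-in for the
Java property / environment variable the note refers to; the real name is not
given in this summary.
"""
import os
import socket
import threading

ENABLE_ENV = "P4_CLIENT_CALLBACK_SOCKET"  # hypothetical name, see docstring

# Constructed sample banner standing in for the deployment details an open,
# unauthenticated listener might hand to whoever connects.
SAMPLE_BANNER = b"P4 client callback; host=sapj2ee01; instance=J00; release=7.50\n"


def start_listener_vulnerable(port=0):
    """Pre-fix behaviour: every client process opens a listening socket on all
    interfaces, with no way to turn it off and no authentication."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind(("0.0.0.0", port))
    srv.listen(5)
    return srv


def start_listener_hardened(env=None, port=0, bind_host="127.0.0.1"):
    """Post-fix pattern: the listener is off by default and is only opened when
    the operator explicitly enables it; when opened, it binds to loopback rather
    than 0.0.0.0. Returns None when disabled."""
    env = os.environ if env is None else env
    if env.get(ENABLE_ENV, "false").strip().lower() not in ("1", "true", "yes"):
        return None
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((bind_host, port))
    srv.listen(5)
    return srv


def serve_banner_once(srv, banner=SAMPLE_BANNER):
    """Accept one connection and send the banner to whoever connected (the
    information-disclosure half of the risk description). Runs in a thread."""
    def _run():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
    t = threading.Thread(target=_run, daemon=True)
    t.start()
    return t


def probe(host, port, timeout=2.0):
    """Unauthenticated probe an attacker or an auditor would run: connect and
    read whatever the listener volunteers. Returns None if nothing answers."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as c:
            c.settimeout(timeout)
            chunks = []
            while True:
                data = c.recv(4096)
                if not data:
                    break
                chunks.append(data)
            return b"".join(chunks)
    except OSError:
        return None


def exposure(srv):
    """Classify a listener by its bind address for an audit report."""
    if srv is None:
        return "disabled"
    host = srv.getsockname()[0]
    if host in ("0.0.0.0", "::"):
        return "all-interfaces"
    if host.startswith("127."):
        return "loopback-only"
    return "specific-interface"


if __name__ == "__main__":
    v = start_listener_vulnerable()
    serve_banner_once(v)
    print("vulnerable:", exposure(v), probe("127.0.0.1", v.getsockname()[1]))
    v.close()
    print("hardened, default:", exposure(start_listener_hardened(env={})))
    h = start_listener_hardened(env={ENABLE_ENV: "true"})
    print("hardened, enabled:", exposure(h))
    h.close()
```

The `exposure` check is the part worth carrying into a post-patch verification: after applying the note, a client process should show no listener at all unless the property or environment variable has been set deliberately, and a listener that does appear on 0.0.0.0 is a sign the fix has not reached that installation.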
Affected System
SAP NetWeaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java home page: SAP NetWeaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for the following software components and releases:
- SAP-JEECOR 7.00 2
- SAP-JEECOR 7.01-7.02 2
- SERVERCORE 7.10 11
- SERVERCORE 7.11 11
- SERVERCORE 7.20 11
- SERVERCORE 7.30 12
- SERVERCORE 7.31 12
- SERVERCORE 7.40 11
- SERVERCORE 7.50 23
- CORE-TOOLS 7.00-7.02
- CORE-TOOLS 7.10-7.11 2
- CORE-TOOLS 7.20 2
- CORE-TOOLS 7.30 2
- CORE-TOOLS 7.31 2
- CORE-TOOLS 7.40 2
- CORE-TOOLS 7.50 3