Recon: critical vulnerability affecting all SAP systems

Name: Skinn Branding Agency
Price range: $

Jul 17, 2020

A vulnerability has been discovered, which makes it possible to create SAP users with maximum privileges without the need to authenticate. The vulnerability known as RECON (Remotely Exploitable Code on NetWeaver) has received a CVSS (threat severity) rating of 10/10, which means it is considered extremely critical. The problem exists in all NetWeaver Java systems with release 7.30, 7.31, 7.40 or 7.50.

Action:

Apply the patch described in SAP note 2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard). The note contains download links for all AS Java versions.
As a temporary workaround, disable the tc~lm~ctc~cul~startup_app application as described in Note 2939665. This application is not needed during normal operation.

It is of the utmost importance to apply this patch, and initially the workaround, as soon as possible. The threat posed by this security flaw cannot be overstated: a malicious intruder who obtains full privileges could arbitrarily steal, corrupt or destroy business data.

About the author

Mark Mergaerts

Mark Mergaerts has more than 25 years of experience in SAP Basis Consulting. He knows the ins and outs of databases and landscapes and is highly experienced in performance and tuning of ABAP systems and the adapting of customer code when migrating to a different database platform.