On Tuesday, July 14th, SAP has released (SAP Marketplace User ID needed) a so-called SAP HotNews Security note with a CVSS score of 10, the highest score possible. This means the vulnerability is rated as very high and critical for the security of your SAP landscape. The vulnerability has been named #RECON after its possibility to execute REmote COde on Netweaver systems.
This is quite rare, as for this to happen, the vulnerability must be exploitable without any means of authentication and with a high impact and likelihood. CERT’s (Computer Emergency Response Teams) worldwide have issued alerts for this vulnerability. See for example, the one for the United States here.
The vulnerability resides in a core component of the SAP Java stack, a platform used widely amongst SAP customers. SAP Java stacks as of version 7.30 and higher are likely to be vulnerable. The impact of successful exploitation means a total compromise of your complete SAP Java stack and might even impact the rest of your SAP landscape due to SAP’s tight integration in the landscape. Especially when you have SAP Java stacks directly connected to the internet, you must take immediate action. This is not very uncommon, also see our conducted SAP internet research from earlier this year.
Patching the issue as soon as possible is advised, especially since exploits / PoC’s are being released already, for example, this python script on GitHub created by @_chipik. Even though this specific exploit does not fully utilize the vulnerability and only downloads ZIP files from the SAP system, it will probably only be a matter of days before more dangerous exploits will be released as the vulnerability is ranked as easy to exploit by the vendor. Some additional information can be found in SAP note 2948106 and 2947895 (SAP Marketplace User ID needed).
Detecting the issue can be done manually for this specific note by checking the version of SAP Java software component LMCTC, or by using the System Recommendations functionality in your SAP Solution Manager.
For a more thorough analysis of your complete SAP landscape for vulnerabilities, misconfigurations and other security-related threats, we offer a highly automated solution that checks this vulnerability and more than around 2000 other vulnerabilities throughout your SAP landscape. Try our complete functional solution for 30 days without cost (worth thousands of euros), no strings attached. See here for more information.