Description
Standalone clients connecting via Net Weaver AS Java P4 Protocol do not perform any authentication checks for operations that require user identity.
An unauthenticated attacker could obtain limited information about the deployment and potentially make the component unavailable for use by legitimate clients.
Available fix and Supported packages
- SAP-JEECOR | 7.00 | 7.00
- SAP-JEECOR | 7.01 | 7.02
- SERVERCORE | 7.10 | 7.10
- SERVERCORE | 7.11 | 7.11
- SERVERCORE | 7.20 | 7.20
- SERVERCORE | 7.30 | 7.30
- SERVERCORE | 7.31 | 7.31
- SERVERCORE | 7.40 | 7.40
- SERVERCORE | 7.50 | 7.50
- CORE-TOOLS | 7.00 | 7.02
- CORE-TOOLS | 7.10 | 7.11
- CORE-TOOLS | 7.20 | 7.20
- CORE-TOOLS | 7.30 | 7.30
- CORE-TOOLS | 7.31 | 7.31
- CORE-TOOLS | 7.40 | 7.40
- CORE-TOOLS | 7.50 | 7.50
- J2EE ENGINE CORE TOOLS 7.00 | SP034 | 000003
- J2EE ENGINE CORE TOOLS 7.01 | SP019 | 000003
- J2EE ENGINE CORE TOOLS 7.02 | SP016 | 000007
- J2EE ENGINE CORE TOOLS 7.02 | SP017 | 000004
- J2EE ENGINE CORE TOOLS 7.02 | SP018 | 000004
- J2EE ENGINE CORE TOOLS 7.02 | SP019 | 000003
- J2EE ENGINE CORE TOOLS 7.10 | SP022 | 000002
- J2EE ENGINE CORE TOOLS 7.10 | SP023 | 000002
- J2EE ENGINE CORE TOOLS 7.10 | SP024 | 000002
- J2EE ENGINE CORE TOOLS 7.10 | SP025 | 000000
- J2EE ENGINE CORE TOOLS 7.11 | SP017 | 000002
- J2EE ENGINE CORE TOOLS 7.11 | SP018 | 000002
- J2EE ENGINE CORE TOOLS 7.11 | SP019 | 000002
- J2EE ENGINE CORE TOOLS 7.11 | SP020 | 000000
- J2EE ENGINE CORE TOOLS 7.20 | SP009 | 000029
- J2EE ENGINE CORE TOOLS 7.30 | SP017 | 000004
- J2EE ENGINE CORE TOOLS 7.30 | SP018 | 000003
- J2EE ENGINE CORE TOOLS 7.30 | SP019 | 000004
- J2EE ENGINE CORE TOOLS 7.30 | SP020 | 000001
- J2EE ENGINE CORE TOOLS 7.31 | SP017 | 000008
Affected component
- BC-JAS-COR-RMT
RMI, P4, CORBA, IIOP
CVSS
Score: 6.9
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H
PoC
Detailed vulnerability information added to RedRays Security Platform. Contact [email protected] for details.
URL
https://launchpad.support.sap.com/#/notes/2878568