Skip links

CVE-2020-6263 Authentication Bypass in Standalone Clients connecting to SAP NetWeaver AS Java via P4 Protocol, SAP security note 2878568

Description

Standalone clients connecting via Net Weaver AS Java P4 Protocol do not perform any authentication checks for operations that require user identity.

An unauthenticated attacker could obtain limited information about the deployment and potentially make the component unavailable for use by legitimate clients.

Available fix and Supported packages

  • SAP-JEECOR | 7.00 | 7.00
  • SAP-JEECOR | 7.01 | 7.02
  • SERVERCORE | 7.10 | 7.10
  • SERVERCORE | 7.11 | 7.11
  • SERVERCORE | 7.20 | 7.20
  • SERVERCORE | 7.30 | 7.30
  • SERVERCORE | 7.31 | 7.31
  • SERVERCORE | 7.40 | 7.40
  • SERVERCORE | 7.50 | 7.50
  • CORE-TOOLS | 7.00 | 7.02
  • CORE-TOOLS | 7.10 | 7.11
  • CORE-TOOLS | 7.20 | 7.20
  • CORE-TOOLS | 7.30 | 7.30
  • CORE-TOOLS | 7.31 | 7.31
  • CORE-TOOLS | 7.40 | 7.40
  • CORE-TOOLS | 7.50 | 7.50
  • J2EE ENGINE CORE TOOLS 7.00 | SP034 | 000003
  • J2EE ENGINE CORE TOOLS 7.01 | SP019 | 000003
  • J2EE ENGINE CORE TOOLS 7.02 | SP016 | 000007
  • J2EE ENGINE CORE TOOLS 7.02 | SP017 | 000004
  • J2EE ENGINE CORE TOOLS 7.02 | SP018 | 000004
  • J2EE ENGINE CORE TOOLS 7.02 | SP019 | 000003
  • J2EE ENGINE CORE TOOLS 7.10 | SP022 | 000002
  • J2EE ENGINE CORE TOOLS 7.10 | SP023 | 000002
  • J2EE ENGINE CORE TOOLS 7.10 | SP024 | 000002
  • J2EE ENGINE CORE TOOLS 7.10 | SP025 | 000000
  • J2EE ENGINE CORE TOOLS 7.11 | SP017 | 000002
  • J2EE ENGINE CORE TOOLS 7.11 | SP018 | 000002
  • J2EE ENGINE CORE TOOLS 7.11 | SP019 | 000002
  • J2EE ENGINE CORE TOOLS 7.11 | SP020 | 000000
  • J2EE ENGINE CORE TOOLS 7.20 | SP009 | 000029
  • J2EE ENGINE CORE TOOLS 7.30 | SP017 | 000004
  • J2EE ENGINE CORE TOOLS 7.30 | SP018 | 000003
  • J2EE ENGINE CORE TOOLS 7.30 | SP019 | 000004
  • J2EE ENGINE CORE TOOLS 7.30 | SP020 | 000001
  • J2EE ENGINE CORE TOOLS 7.31 | SP017 | 000008

Affected component

    BC-JAS-COR-RMT
    RMI, P4, CORBA, IIOP

CVSS

Score: 6.9
CVSS:3.0/AV:A/AC:L/PR:H/UI:N/S:C/C:L/I:N/A:H

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2878568

TAGS

#standalone-P4-server
#standalone-P4-client
#P4-server-socket
#&160-CVE-2020-6263