Skip links

CVE-2020-6309 Missing Authentication check in SAP NetWeaver AS JAVA, SAP security note 2941315

Description

UPDATE 13th October 2020: This note has been re-released with updated ‘Support Packages & Patches’ information.

For the release ESI – WSRM 7.11, we added the Patch level 000001 under SP019.

For the release  ENGINEAPI 7.10, we added the  Patch level 000007 under SP024.

SAP NetWeaver application exposes a web service which does not perform any authentication checks leading to complete denial of service.

Available fix and Supported packages

  • ENGINEAPI | 7.10 | 7.10
  • WSRM | 7.10 | 7.11
  • WSRM | 7.20 | 7.20
  • WSRM | 7.30 | 7.30
  • WSRM | 7.31 | 7.31
  • WSRM | 7.40 | 7.40
  • WSRM | 7.50 | 7.50
  • J2EE-FRMW | 7.10 | 7.11
  • ENGINEAPI 7.10 | SP024 | 000007
  • ENGINEAPI 7.10 | SP025 | 000001
  • ESI – WSRM 7.10 | SP024 | 000001
  • ESI – WSRM 7.10 | SP025 | 000001
  • ESI – WSRM 7.11 | SP019 | 000001
  • ESI – WSRM 7.11 | SP020 | 000001
  • ESI – WSRM 7.20 | SP009 | 000005
  • ESI – WSRM 7.30 | SP019 | 000001
  • ESI – WSRM 7.30 | SP020 | 000001
  • ESI – WSRM 7.30 | SP021 | 000000
  • ESI – WSRM 7.31 | SP023 | 000001
  • ESI – WSRM 7.31 | SP024 | 000001
  • ESI – WSRM 7.31 | SP025 | 000001
  • ESI – WSRM 7.31 | SP026 | 000001
  • ESI – WSRM 7.31 | SP027 | 000000
  • ESI – WSRM 7.31 | SP028 | 000000
  • ESI – WSRM 7.40 | SP018 | 000001
  • ESI – WSRM 7.40 | SP019 | 000001
  • ESI – WSRM 7.40 | SP020 | 000001
  • ESI – WSRM 7.40 | SP021 | 000001

Affected component

    BC-ESI-WS-JAV-RT
    Runtime

CVSS

Score: 7.5
CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

Exploit

Exploit is not available.
For detailed information please contact the mail [email protected]

URL

https://launchpad.support.sap.com/#/notes/2941315

TAGS

#broken-authentication
#missing-authentication
#&160-CVE-2020-6309&160