SAP has recently released a very high priority SAP Note 2934135 for a critical vulnerability in SAP NetWeaver AS Java systems. The bug is named RECON (Remotely Exploitable Code On NetWeaver) and has a CVSS v3.0 base score of 10 out of 10.
What needs to be done?
If your company runs SAP as its enterprise solution, or if you support a customer with an SAP landscape, you need to fix this vulnerability in all SAP Java systems as a high priority: it carries the highest possible threat rating for your SAP systems.
You can refer to the blogs below for more details on the RECON bug:
Which SAP Java systems are impacted?
All support packs of SAP NetWeaver AS Java 7.30, 7.31, 7.40 and 7.50 are affected.
SAP systems on release NW 7.0x (for example NW 7.0, NW 7.02, NW 7.03, etc.)
No action is required, as these releases are not vulnerable. You can skip this blog if your SAP Java systems are on this release, though I would suggest you recommend upgrading these systems to your customer, since they are already out of SAP standard maintenance.
SAP systems on release 7.1x and 7.2x (for example NW 7.1, 7.11, etc.)
Although these releases are not vulnerable, SAP still recommends applying the workaround in SAP Note 2939665 as defense in depth. See point 6 of SAP Note 2948106 for details on this recommendation; you can skip the rest of this post.
SAP systems on release 7.30 or higher (for example 7.30, 7.31, 7.40 and 7.50)
Apply the permanent solution described in this blog below.
How to Check the LMCTC component release and Support pack?
Open the URL of your SAP Java system, http://<hostname>:5<instance number>00, and click on System Information. Go to Components Info and search for LMCTC in the Name field, as shown below.
The version of the component for the system above is 7.31 Support Pack 22 patch level 0. You need to find the support pack and patch level of the LMCTC component to understand the permanent fix below and apply it correctly.
How to apply the permanent fix?
The permanent solution for this bug is to apply the LMCTC (LM Configuration Wizard) component patch listed in SAP Note 2934135 to the SAP NetWeaver Java systems.
As there is not much clarity around systems where the LMCTC component is on a support pack lower than those listed in this SAP note, many customers have implemented the workaround from SAP Note 2939665 or are going ahead with a full support pack stack update of the SAP Java systems just to patch the LMCTC component.
There is no need to upgrade the whole support pack stack of the SAP Java system for this fix: the LMCTC component can be upgraded independently of the other components using the procedure below.
First, determine the support pack and patch level of the system's LMCTC component as described in the section above.
Case 1: The support pack of your system's LMCTC component is listed in the "Support package packages" section of SAP Note 2934135
Apply the patch using the SUM tool option "Manually prepared directory".
For example, if your system has LMCTC 7.31 on support pack 23 PL 0, then, since the SAP note provides PL 1 for support pack 23, you can directly apply PL 1 for your support pack using the SUM tool option "Manually prepared directory".
Case 2: The support pack of your system's LMCTC component is not listed in SAP Note 2934135, or your support pack is lower than those listed in the note
Apply the sap.com~tc~lm~ctc~cul~startup_app.ear file using the telnet procedure.
For example, if your system has LMCTC 7.31 on support pack 15 PL 0, you can apply the first available patch of the support pack listed in this SAP note. For LMCTC 7.31 the first support pack listed in the note is SP 23 PL 1, so you can apply this patch with the simple procedure below, which deploys one of the required ear files of the patch through telnet.
You can also undeploy the file using telnet; however, as SAP generally recommends an offline backup as the backout plan for any failure, I would recommend taking an offline backup before deployment as the backout plan for this fix.
1. Download the SCA file corresponding to the LMCTC version of the SAP system directly from SAP Note 2934135.
2. Extract the file sap.com~tc~lm~ctc~cul~startup_app.ear from the DEPLOYARCHIVE folder of the SCA file using WinZip/WinRAR.
3. Place the file in any location on the SAP application server.
4. Create a text file with any name, e.g. deploy.txt, and insert the full path of the ear file to be deployed.
5. Open a telnet connection to the server (e.g. telnet <hostname> <telnet port>, with host and port separated by a space) and log in with a J2EE administrator user. For telnet to work, the user must be logged into the operating system, as it may not work remotely.
The default telnet port for your system is generally 5<system nr>08, so you can open a command prompt (on Windows) or an SSH session (on Unix) on the server and run the command: telnet localhost 5<system nr>08
If you get the telnet error shown below while connecting to the SAP Java system, connect to telnet using the SAP MMC console instead.
6. Key in the Administrator user and password at the next prompt.
7. > lsc (to list the available server nodes)
> jump <server node> (usually jump 0)
8. > add deploy
> deploy list=<full location of deploy.txt created in step 4>
How to verify if the permanent fix is successful?
First, check in System Info that the deployed ear file version has been updated.
Second, verify that an HTTP call with the HEAD method to the CTCWebServiceBean of your SAP Java system returns the error "401 Unauthorized".
You cannot simply open the URL "http://<host>:<port>/CTCWebService/CTCWebServiceBean" in your web browser, since the browser uses the GET or POST method by default for this URL.
SAP suggests using the curl tool to call this URL with the HEAD method; however, as this tool is not installed by default on your machines, I have provided a Windows PowerShell command below that calls the URL with the HEAD method instead of installing curl.
Open Windows PowerShell and run the command below:
Invoke-RestMethod -Method 'Head' -Uri http://<host>:<port>/CTCWebService/CTCWebServiceBean
This command should return the result "Invoke-RestMethod : The remote server returned an error: (401) unauthorized."
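As an added example that is not from the original post or from SAP, the PowerShell script below runs the same HEAD check against a list of AS Java hosts and classifies each answer by reading the HTTP status code from the exception instead of matching the error text; the host names and ports are placeholders to replace with your own.

```powershell
# Added example (not from the SAP note or the original post): run the HEAD check
# against several AS Java hosts at once and classify each answer. A patched system
# rejects the anonymous HEAD with 401; a 200 means the fix is not effective.
# The host names and ports below are placeholders you replace with your own.
$targets = @(
    'http://sapjavadev.example.local:50000',
    'http://sapjavaqas.example.local:50100'
)

function Test-CtcWebService {
    param([Parameter(Mandatory)][string]$BaseUrl)

    $uri = "$BaseUrl/CTCWebService/CTCWebServiceBean"
    try {
        # Invoke-WebRequest throws on 4xx/5xx, so the 401 we want lands in the catch block.
        $resp   = Invoke-WebRequest -Method Head -Uri $uri -UseBasicParsing -TimeoutSec 15
        $status = [int]$resp.StatusCode
    } catch {
        if ($_.Exception.Response) {
            # Works for Windows PowerShell 5.1 (WebException) and PowerShell 7 (HttpResponseException)
            $status = [int]$_.Exception.Response.StatusCode
        } else {
            # No HTTP answer at all: DNS failure, connection refused, timeout
            return [pscustomobject]@{ Target = $BaseUrl; Status = $null; Verdict = "UNREACHABLE: $($_.Exception.Message)" }
        }
    }

    $verdict = switch ($status) {
        401     { 'OK - HEAD rejected with 401, fix is in place' }
        200     { 'EXPOSED - HEAD accepted without authentication, LMCTC patch not effective' }
        404     { 'NOT FOUND - check the port and whether the application is deployed' }
        default { "REVIEW - unexpected HTTP $status" }
    }
    [pscustomobject]@{ Target = $BaseUrl; Status = $status; Verdict = $verdict }
}

$targets | ForEach-Object { Test-CtcWebService -BaseUrl $_ } | Format-Table -AutoSize
```

Run it after every LMCTC deployment and keep the output with your change record; a host that still reports 200 has not picked up the patch.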
SAP Reference Notes
SAP Note 2934135 : [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
SAP Note 2948106 : FAQ - for SAP Note 2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)
SAP Note 2939665 : Disable/Enable LM Configuration Wizard | Critical API's in LM Configuration Wizard