SAP Security Notes, July 2020
Hot News Note 2934135 patches the critical RECON vulnerability (CVE-2020-6287, CVSS 10.0) in NetWeaver Application Server Java (AS Java). RECON exploits a missing authentication check in the LM Configuration Wizard of AS Java: the wizard is reachable over HTTP(S) without any credentials, so an unauthenticated attacker can invoke it to execute arbitrary configuration actions, including the creation of administrative users on the compromised system. Because AS Java systems typically hold connection credentials for other systems, a successful RECON attack can be used to pivot into connected SAP and non-SAP systems as well.
Note 2934135 introduces authentication and authorization checks for the LM Configuration Wizard and therefore closes the RECON attack path. KBA 2948106 includes FAQs to support the implementation of the note. If the note cannot be applied immediately, the application tc~lm~ctc~cul~startup_app can be disabled as a workaround; this removes the vulnerable wizard from the HTTP surface but also removes its functionality, so the note should still be applied afterwards. Procedures for disabling the LM Configuration Wizard are detailed in SAP Note 2939665. Whether the note or the workaround was used, verify the result from the network side: the wizard must no longer answer unauthenticated requests.
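The following script is an added example written for this page; it is not SAP's code and not part of the notes above. It performs a non-destructive exposure check after patching or applying the workaround: it sends a single unauthenticated GET to the LM Configuration Wizard's servlet and classifies the answer. The servlet path `/CTCWebService/CTCWebServiceBean/ConfigServlet` is taken from public RECON advisories, not from this page, and should be confirmed against KBA 2948106 for your release; the `fetch` parameter and the `classify`/`probe` names are this example's own.

```python
import ssl
import urllib.error
import urllib.request

# Assumption: servlet path of the LM Configuration Wizard as documented in
# public RECON advisories. It is not taken from the SAP notes quoted above.
CTC_PATH = "/CTCWebService/CTCWebServiceBean/ConfigServlet"


def classify(status):
    """Map the HTTP status of an unauthenticated request to an exposure verdict."""
    if status == 200:
        # The wizard served its page without credentials: Note 2934135 is not
        # effective and the workaround is not in place.
        return "EXPOSED"
    if status in (401, 403):
        # Authentication/authorization is now enforced (expected after the note).
        return "PROTECTED"
    if status == 404:
        # Servlet not served at all (expected after disabling
        # tc~lm~ctc~cul~startup_app per Note 2939665).
        return "ABSENT"
    return "UNKNOWN(%d)" % status


def _default_fetch(url, timeout):
    """Issue a plain GET and return the HTTP status; never sends credentials."""
    ctx = ssl.create_default_context()  # keep certificate validation on
    req = urllib.request.Request(url, method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def probe(base_url, timeout=10, fetch=_default_fetch):
    """Check one AS Java instance, e.g. probe("https://sapjava.example.com:50001")."""
    url = base_url.rstrip("/") + CTC_PATH
    status = fetch(url, timeout)
    return classify(status)


if __name__ == "__main__":
    import sys
    for host in sys.argv[1:]:
        print(host, probe(host))
```

A result of EXPOSED on a system believed to be patched usually means the note was applied to a different instance, the ICM/Java stack was not restarted, or a load balancer is still routing to an unpatched node; check each node individually rather than only the virtual hostname.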
Note 2932473 removes a High priority information disclosure vulnerability in the XMLToolkit of AS Java. The flaw allows an attacker to read arbitrary files from the server's file system, including configuration files that contain sensitive system data such as credentials, so it should be treated as a companion fix to 2934135 on the same AS Java landscapes.
Note 2734580 contains updated instructions for patching another information disclosure vulnerability, this one affecting AS ABAP. Note 2091403 must be implemented first as a prerequisite for 2734580; applying 2734580 on its own does not close the issue.