PT-2020-16501 · SAP · SAP AS Java, SAP NetWeaver AS Java

Published: 2020-12-09 · Updated: 2021-07-21 · CVE-2020-26816

CVSS v3.1: 5.4 (Medium)

Vector: AV:A/AC:H/PR:H/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions: SAP AS JAVA (Key Storage Service) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50

Description: The key material held by the SAP NetWeaver AS Java Key Storage service is stored in the database in DER-encoded form without encryption. An attacker with administrator access to the SAP NetWeaver AS Java can therefore decode the keys and obtain application data and client credentials of adjacent systems, with a high impact on confidentiality.

Recommendations: For SAP AS JAVA (Key Storage Service) versions 7.10, 7.11, 7.20, 7.30, 7.31, 7.40, 7.50, consider disabling access to the Key Storage service until a patch that encrypts the key material is available. Restrict access to the SAP NetWeaver AS Java to minimize the risk of exploitation. Avoid using the Key Storage service to store sensitive data until the issue is resolved. At the moment, there is no information about a newer version that contains a fix for this vulnerability.
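The weakness is that the stored blobs are plain DER with no PKCS#8 encryption wrapper. The following check, added here as an example and not code from the advisory or from SAP, classifies a DER blob as an unencrypted PKCS#8 PrivateKeyInfo (or PKCS#1 RSAPrivateKey), an EncryptedPrivateKeyInfo, or something else, so key material exported from a keystore can be audited for cleartext private keys; the sample blobs are constructed minimal structures with placeholder key bytes.

```python
# Added example: audit helper that tells whether a DER blob holds an unencrypted
# private key. Not code from the advisory or from SAP; the sample blobs below are
# constructed minimal structures with placeholder key bytes, not real keys.

def _tlv(buf: bytes, pos: int):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                 # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def classify_der_key(blob: bytes) -> str:
    """Return 'unencrypted-pkcs8', 'unencrypted-pkcs1-rsa', 'encrypted-pkcs8' or 'other'."""
    try:
        tag, body, end = _tlv(blob, 0)
        if tag != 0x30 or end != len(blob):           # must be exactly one outer SEQUENCE
            return "other"
        first_tag, first_val, nxt = _tlv(body, 0)
        if first_tag == 0x02 and first_val == b"\x00":
            # PrivateKeyInfo ::= SEQUENCE { version 0, AlgorithmIdentifier, OCTET STRING }
            # RSAPrivateKey  ::= SEQUENCE { version 0, modulus INTEGER, ... }
            second_tag, _, nxt = _tlv(body, nxt)
            if second_tag == 0x02:
                return "unencrypted-pkcs1-rsa"
            if second_tag == 0x30 and _tlv(body, nxt)[0] == 0x04:
                return "unencrypted-pkcs8"
        elif first_tag == 0x30 and _tlv(body, nxt)[0] == 0x04:
            # EncryptedPrivateKeyInfo ::= SEQUENCE { AlgorithmIdentifier, OCTET STRING }
            return "encrypted-pkcs8"
    except IndexError:
        pass                                          # truncated or malformed DER
    return "other"

def _der(tag: int, value: bytes) -> bytes:
    """Short-form DER encoder used only to build the constructed samples (value < 128 bytes)."""
    return bytes([tag, len(value)]) + value

# Constructed sample: PKCS#8 PrivateKeyInfo with the rsaEncryption OID and placeholder key bytes.
CLEARTEXT_PKCS8 = _der(0x30, _der(0x02, b"\x00")
                       + _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d010101")) + _der(0x05, b""))
                       + _der(0x04, b"\x01\x02\x03"))
# Constructed sample: EncryptedPrivateKeyInfo with the PBES2 OID and placeholder ciphertext.
ENCRYPTED_PKCS8 = _der(0x30, _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01050d")) + _der(0x30, b""))
                       + _der(0x04, b"\xaa\xbb"))

if __name__ == "__main__":
    for name, blob in (("cleartext", CLEARTEXT_PKCS8), ("encrypted", ENCRYPTED_PKCS8)):
        print(name, "->", classify_der_key(blob))
```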

Weakness Enumeration: Cleartext Storage of Sensitive Information

Related Identifiers: CVE-2020-26816

Affected Products: SAP AS Java, SAP NetWeaver AS Java