CVE-2023-30744

Name of the Vulnerable Software and Affected Versions SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50

Description The issue is related to the lack of authentication for a critical function in SAP AS NetWeaver JAVA, allowing an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API. This can enable the attacker to instantiate an object with methods that can be called without further authorization and authentication, potentially reading or changing the state of existing services without affecting availability.

Recommendations For SAP AS NetWeaver JAVA versions SERVERCORE 7.50, J2EE-FRMW 7.50, CORE-TOOLS 7.50, consider restricting access to the open interface and the open naming and directory API to minimize the risk of exploitation. As a temporary workaround, consider disabling the vulnerable methods until a patch is available. Restrict access to the vulnerable object instantiation to prevent unauthorized changes to the state of existing services. At the moment, there is no information about a newer version that contains a fix for this vulnerability.