2948106 - FAQ - for SAP Note 2934135 - [CVE-2020-6287] Multiple Vulnerabilities in SAP NetWeaver AS JAVA (LM Configuration Wizard)

1. Is it possible to get the fix for lower SP's?

2. If AS Java system is on a lower SP and is going to upgrade it, is there any dependency?

3. Is it possible to upgrade LMCTC only? Or do they need to upgrade the whole stack?

4. Does deactivating the application aliases as described in SAP Note 2939665 completely eliminate the danger of an attack or not?

5. Is there any impact for other applications when the workaround from SAP Note 2939665 will be applied?

6. For the SAP system lower than NW7.30 AS Java (e.g. NW7.0#, NW 7.1#), which steps are required?

7. Are the SuccessFactors modules affected by this vulnerability?

8. Is applying the patch sufficient or we need to perform the workaround also after patching?

9. Is the SAP System affected when the SP level and/or patch level of LM CONFIGURATION WIZARD is  - lower - then the written version in SAP Note 2934135, what can be done there? (e.g. the current System has LM CONFIGURATION WIZARD 7.40 SP12 or LM CONFIGURATION WIZARD 7.50 SP10)

10. Is the SAP System affected when the SP level and/or patch level of LM CONFIGURATION WIZARD is - higher -  then the written version in SAP Note 2934135, what can be done there? (e.g. the current System has LM CONFIGURATION WIZARD 7.50 SP25 PL0?

11. Is the AS ABAP only System affected?

12. How to verify if the vulnerability is mitigated after applying the patch or deactivating the application aliases?

13. Manual deployment using telnet option (according the SAP Note 1715441) finished with Warning(s), what you should i do?

All SP’s of all Java Stack of AS Java or AS ABAP+Java Systems based on SAP NetWeaver 7.30, 7.31, 7.40, 7.50

• OS independent;
• DB independent.

KBA , BC-INS-CTC , Central technical configuration , Problem