A note with CVSS 6.4 for component MDM-FN-MDS-SEC was released by SAP on 10.12.2019. The correction/advisory 2504979 was described with "Upgrade SSL support to TLSv1.2" and affects the system type Java.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as monthly patch process.
The vulnerability addressed is weak security function / cryptographic algorithm within Java.
Risk specificationMater Data Management supports SSLv3 which is vulnerable to multiple attacks from unauthenticated adversaries.
MDM now only supports TLS 1.2 with no fallback option to SSLv3.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- MDM_JAVA_API 710
- MDM_CLIX 710 4
- MDM_IMP_SRV 710 4
- MDM_SYND_SRV 710 3
- MDM_IMPORT_MANAGER 710 4
- MDM_SYNDICATOR 710 4
- MDM_CONSOLE 710 4
- MDM_DATA_MANAGER 710 4
- MDM_DOTNET_API 710
- MDM_SHARED_INSTALL_CONTENT 710 4
- MDM_SERVER 7.1 4