A note with CVSS 5.3 for component BC-JAS-DPL was released by SAP on 11.04.2023. The correction/advisory 3287784 was described with "[CVE-2023-24527] Improper Access Control in SAP NetWeaver AS Java for Deploy Service" and affects the system type Java.
A workaround does not exist, according to SAP Security Advisory team. It is advisable to implement the correction as part of maintenance.
The vulnerability addressed is missing authentication check within Java.
Risk specificationDue to a missing authentication check, SAP NetWeaver Application Server for Java allows an unauthenticated attacker to attach to an open interface and make use of an open naming and directory API affecting users and services across systems.
SAP NetWeaver AS Java now properly checks authentication.
SAP Netweaver Application Server Java is part of the SAP NetWeaver Application Platform. It provides the complete infrastructure for deploying and running Java applications.
- The AS Java Home: SAP Netweaver Application Server Java wiki
- A dedicated SAP NetWeaver 7.40 Application Server for Java Security Guide exists.
The advisory is valid for
- 10.0 [CVE-2020-26829] Missing Authentication Check in SAP NetWeaver AS JAVA (P2P Cluster Communication)
- 10.0 [CVE-2020-6207] Missing Authentication Check in SAP Solution Manager (User-Experience Monitoring)
- 9.9 [CVE-2023-23857] Improper Access Control in SAP NetWeaver AS for Java
- 9.8 [CVE-2020-6198] Missing Authentication check in SAP Solution Manager (Diagnostics Agent)
- 9.4 [CVE-2023-0017] Improper access control in SAP NetWeaver AS for Java