
Missing Authentication Check (CVE-2020-6207) in SAP Solution Manager

Jan 28, 2021 GMT+08:00

I. Overview

A security company has recently published an official security notice about a missing authentication check (CVE-2020-6207) in SAP Solution Manager. An attacker can exploit this vulnerability by sending specially crafted requests to execute code remotely and take control of the associated SAP system.

If you are an SAP Solution Manager user, check your version and apply the security fix promptly.

For more information about this vulnerability, visit the following websites:

https://wiki.scn.sap.com/wiki/pages/viewpage.action?spm=a2c4g.11174386.n2.3.e8be1051MzSaM0&pageId=540935305

https://zh-cn.tenable.com/blog/cve-2020-6207-proof-of-concept-missing-authentication-check-sap-solution-manager

II. Severity

Severity: important

(Severity scale: low, moderate, important, critical)

III. Affected Products

Affected versions:

SAP Solution Manager 7.2 and earlier

Secure version:

SAP Solution Manager 7.3

IV. Vulnerability Handling

This vulnerability has been fixed in the latest official release. If your version falls within the affected range, upgrade to the secure version. Patches are available from the SAP Support Launchpad:

https://launchpad.support.sap.com/

HUAWEI CLOUD WAF can defend against this vulnerability. If you are a WAF user, set the basic web protection status to Block. For details, see Configuring Basic Web Protection Rules.

Note: Before applying the fix, back up your data and test the upgrade thoroughly.