Compliance Briefing — March 10, 2020

SAP's March 2020 Security Patch Day delivered 18 new and updated notes, including a HotNews patch for LM Configuration Wizard (CVE-2020-6207) and critical fixes in NetWeaver and SAP Business Client, requiring prioritized transport imports.

Executive briefing: SAP released its March Security Patch Day updates with 18 Security Notes and updates. The cycle included a HotNews note for the NetWeaver AS Java LM Configuration Wizard (CVE-2020-6207), a flaw enabling unauthenticated remote code execution, plus critical updates for SAP Business Client and information disclosure fixes in NetWeaver AS ABAP.

Why it matters: SAP classifies HotNews notes as the highest priority. Unpatched LM Configuration Wizard components can be exploited remotely to execute arbitrary code and alter system configurations, directly impacting financial and operational data integrity.

  • Prioritize HotNews: Apply Note 2890213 for CVE-2020-6207 on NetWeaver AS Java systems and validate that the LM Configuration Wizard is disabled or restricted where not required.
  • Transport management: Import updated Security Notes through controlled transports, documenting system availability windows and post-implementation verification steps.
  • Monitoring: Enable SAP Solution Manager or third-party monitoring for unauthorized configuration changes and RFC calls associated with LM Configuration Wizard components.
  • Access controls: Review administrative roles and enforce least privilege on accounts capable of deploying or modifying Java stacks.