Urgent from Sybase: Security Issue in EAServer 5.2 and Earlier
Summary: EAServer 5.2 contains a security vulnerability that is resolved by applying an EBF. Sybase recommends that customers update their EAServer as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This vulnerability also affects versions of EAServer prior to version 5.2.
A security vulnerability relating to a buffer overflow was identified in EAServer. Sybase is making this announcement proactively. This issue was reported to us by a company called SPI Dynamics Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported as an issue by a Sybase customer. The mission of SPI Labs, part of SPI Dynamics, is to provide objective web application security research to the technology community. Sybase Inc. appreciates the efforts of SPI Dynamics to continually strengthen software throughout the industry by monitoring and testing.
This is considered a vulnerability of medium severity and risk. To exploit this vulnerability, an attacker must first be authenticated to /WebConsole/. Customers that already implement an appropriate security policy that avoids using a null password for the jagadmin user are the least exposed. Note that by default, the jagadmin password is set to blank for newly created servers. The EAServer documentation advises administrators to set a non-null jagadmin user password immediately after creating such a new server.
Please note that SPI Dynamics Inc. has published their report of the security vulnerability. This can be found at the following web address.
Note: A further manifestation of this issue has been identified that is of high risk. Please read the related addendum.
The issue is resolved by applying the following EBFs to the correct platform and version.
For products from our Financial Fusion division, customers are separately licensed for EAServer. The table below shows which versions of EAServer were originally certified with which products. For versions that have passed their End of Life date and have no EBF in the table above, customers will have to update their version of EAServer. If you require further assistance with this, please contact your local Support Centre.
Sybase strongly recommends that all customers undertake the following two steps:
The software can be obtained from the Sybase EBFs and Maintenance site.
Follow the instructions in the EBF coverletter to install the EBF.
If you require further assistance, please contact your local Support Centre. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.