Urgent from Sybase: Security Issue in EAServer 5.2 and Earlier

Summary: EAServer 5.2 contains a security vulnerability that is resolved by applying an EBF. Sybase recommends that customers update their EAServer as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This vulnerability also affects versions of EAServer prior to version 5.2.

Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

A buffer overflow vulnerability was identified in EAServer. Sybase is making this announcement proactively. The issue was reported to Sybase by SPI Dynamics Inc. There have been no reported exploits of this vulnerability, and to date no Sybase customer has reported it as an issue. SPI Labs, the research group of SPI Dynamics, has as its mission to provide objective web application security research to the technology community. Sybase Inc. appreciates the efforts of SPI Dynamics to continually strengthen software throughout the industry by monitoring and testing.

This vulnerability is considered to be of medium severity and risk. To exploit it, an attacker must first be authenticated to /WebConsole/. Customers who already follow an appropriate security policy and do not use a null (blank) password for the jagadmin user are the least exposed. Note that by default the jagadmin password is blank for newly created servers; the EAServer documentation advises administrators to set a non-null jagadmin password immediately after creating such a server.

Please note that SPI Dynamics Inc. has published their report of the security vulnerability. This can be found at the following web address.
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm

Note: A further manifestation of this issue has been identified that is of high risk. Please read the related addendum.


The issue is resolved by applying the EBF listed below for the correct platform and version.

EBF Numbers

                   Currently Supported Versions      EOL Versions §
Platform           5.2      5.1      5.0             4.2.5    4.2.2    4.2
Windows            12671    12669    12616           12673    12748    12753
Linux              12684    **       12618           **       12750    **
Solaris            12672    12670    12617           12674    12749    12754
IBM AIX            *        12683    12620           **       12752    **
HP-UX PA RISC      12685    **       12619           **       12751    **
HP-UX Itanium      *        **       12677           **       **       **

Note:
§  End of Life version, not supported standalone, only supported as part of another product
*  Fixed in base release, no EBF required
** Version and Platform combination does not exist


Customers who have EAServer as part of another Sybase product (such as Real Time Data Services, Unwired Orchestrator, Enterprise Portal, etc.) need to refer to the table below to find which EAServer version they are using, and then obtain the appropriate EBF from the table above.

Product                    Version      EAServer Version
Appeon                     3.0          5.2
Appeon                     2.8          5.0
Appeon                     2.7          4.2.2
Biz Tracker                All          4.2
BPI Suite                  All          4.2.2
Enterprise Portal          All          4.2.2
Real Time Data Services    All          4.2.2
Unwired Orchestrator       All          5.0
WSI Suite                  All          4.2.2

For products from our Financial Fusion division, customers are separately licensed for EAServer. The table below shows which versions of EAServer were originally certified with which products. For EAServer versions that have passed their End of Life date and have no EBF in the table above, customers will have to update their version of EAServer before the EBF can be applied. If you require further assistance with this, please contact your local Support Centre.

Product                                Version       EAServer Version
Financial Fusion Server                4.x           4.0 *
Financial Fusion Server                1.1 & 2.0     3.6.1 *
Sybase Financial Server                All           3.6.1 *
CEBS, BPW                              5.3.1         5.1
CEBS, SBBS, BPW, UOFX                  4.5.x         4.0 *
Trade Force GlobalFIX                  5.1.x         4.2.2
Trade Force GlobalFIX, SWIFT, Omega    5.0.x         4.1.3 *

Note:
* There is no EBF for these versions of EAServer. EAServer must first be updated to a supported version before the appropriate EBF is applied.

Recommendation

Sybase strongly recommends that all customers undertake the following two steps:

  • Review jagadmin user passwords to ensure they are secure (in particular, that no server still uses the blank default)
  • Upgrade to the latest EBF for each released version, as detailed in the table above

The software can be obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF coverletter to install the EBF.

If you require further assistance, please contact your local Support Centre. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.

http://www.sybase.com/contactus/support

DOCUMENT ATTRIBUTES
Last Revised: Jul 11, 2005
Product: EAServer, BizTracker, TradeForce, Enterprise Portal, TradeForce Solution, Unwired Orchestrator, Appeon for PowerBuilder, Financial Fusion Server, Real Time Data Services, BPI Suite for Healthcare, Web Services Integrator Suite
Technical Topics: Security, Troubleshooting
  
Business or Technical: Technical
Content Id: 1036742
Infotype: Urgent Notice