
Urgent from Sybase: Preliminary advisory on security vulnerability in RSA signature verification impacting several Sybase products

Summary: This document describes a situation where the implementation of RSA signature verification in SSL/TLS, or in other application scenarios, may incorrectly verify forged signatures, leading to a security vulnerability.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

Certain Sybase products may be vulnerable to an RSA signature verification implementation flaw that allows incorrect signatures (in X.509 certificates) to be validated if the RSA public key exponent is 3. This may allow a number of different types of remote exploits based on forged certificates. For example, it may allow SSL/TLS clients to accept forged server-side certificates as valid, or allow applications to accept data or code signed by forged certificates as valid.

This issue affects multiple vendor implementations of RSA PKCS#1 v1.5 signature verification including JDK/JRE/JSSE and OpenSSL that are embedded within certain Sybase products.
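
As an added example (not Sybase code and not part of the original advisory), the following Python script reads the RSA public exponent out of a DER-encoded certificate or public key, so that keys with exponent 3, the condition named above, can be inventoried. The function names, the `der_tlv` and `sample_spki` helpers and the placeholder modulus are constructed for illustration.

```python
RSA_OID = bytes.fromhex("2a864886f70d010101")  # rsaEncryption, 1.2.840.113549.1.1.1

def read_tlv(buf, pos):
    """Return (tag, value_start, value_end) of the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        count = length & 0x7F
        length = int.from_bytes(buf[pos:pos + count], "big")
        pos += count
    if pos + length > len(buf):
        raise ValueError("truncated DER element")
    return tag, pos, pos + length

def children(buf, start, end):
    """List the DER elements that sit side by side in buf[start:end]."""
    out = []
    while start < end:
        tag, vs, ve = read_tlv(buf, start)
        out.append((tag, vs, ve))
        start = ve
    return out

def rsa_public_exponent(buf, start=0, end=None):
    """Return e from the first RSA SubjectPublicKeyInfo found, else None."""
    kids = children(buf, start, len(buf) if end is None else end)
    # SubjectPublicKeyInfo ::= SEQUENCE { AlgorithmIdentifier, BIT STRING }
    if len(kids) == 2 and kids[0][0] == 0x30 and kids[1][0] == 0x03:
        alg = children(buf, kids[0][1], kids[0][2])
        if alg and alg[0][0] == 0x06 and buf[alg[0][1]:alg[0][2]] == RSA_OID:
            key = children(buf, kids[1][1] + 1, kids[1][2])  # skip unused-bits byte
            _n, e = children(buf, key[0][1], key[0][2])      # RSAPublicKey ::= { n, e }
            return int.from_bytes(buf[e[1]:e[2]], "big")
    for tag, vs, ve in kids:
        if tag & 0x20:  # constructed element: descend into it
            found = rsa_public_exponent(buf, vs, ve)
            if found is not None:
                return found
    return None

def der_tlv(tag, value):  # minimal DER encoder, used only to build the sample key
    n = len(value)
    size = (n.bit_length() + 7) // 8
    head = bytes([n]) if n < 0x80 else bytes([0x80 | size]) + n.to_bytes(size, "big")
    return bytes([tag]) + head + value

def sample_spki(e, n=(1 << 1023) | 1):  # constructed placeholder modulus, not a real key
    ints = b"".join(der_tlv(0x02, v.to_bytes(v.bit_length() // 8 + 1, "big")) for v in (n, e))
    alg = der_tlv(0x30, der_tlv(0x06, RSA_OID) + der_tlv(0x05, b""))
    return der_tlv(0x30, alg + der_tlv(0x03, b"\x00" + der_tlv(0x30, ints)))
```

PEM files must be base64-decoded to DER before being passed to `rsa_public_exponent`; a return value of 3 marks a key that meets the condition in this advisory.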

Additional details on this issue are available from CERT Vulnerability VU#845620 at

http://www.kb.cert.org/vuls/id/845620

and also at

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1&searchclaus

More detailed information on Sybase products (using RSA signature verification) that may be affected by the vulnerabilities described above can be found in the document below.

Note: As information becomes available the following table will be updated. Please check for updates on a regular basis.

Details of affected products - Last Updated 23rd January 2007.


Recommendation

Sybase is currently working on providing final resolutions and product updates for this issue.

Sybase strongly recommends that customers apply the product updates and follow product-specific instructions when available.

Should an EBF be required, once it is available it can be obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install any EBF.


If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.

http://www.sybase.com/contactus/support



Copyright © 2006 Sybase, Inc. All rights reserved.


 

DOCUMENT ATTRIBUTES
Last Revised: Feb 02, 2007
Product: Not Product Specific
Technical Topics: Security
  
Business or Technical: Technical
Content Id: 1047991
Infotype: Urgent Notice
 
 
 
