Urgent from Sybase: Preliminary advisory on security vulnerability in RSA signature verification impacting several Sybase products
Summary: This document describes a situation where the implementation of RSA signature verification in SSL/TLS, or other application scenarios, may incorrectly verify forged signatures leading to security vulnerability.
This document contains the following sections:
Certain Sybase products may be vulnerable to an RSA signature verification implementation flaw that allows incorrect signatures (in X509 certificates) to be validated if the RSA public key exponent is 3. This may allow a number of different types of remote exploits based on forged certificates. For example, this may allow SSL/TLS clients to verify forged server side certificates to be valid or allow applications to verify data or code signed by forged certificates to be valid.
This issue affects multiple vendor implementations of RSA PKCS#1 v1.5 signature verification including JDK/JRE/JSSE and OpenSSL that are embedded within certain Sybase products.
Additional details on this issue are available from CERT Vulnerability VU#845620 at
and also at
More detailed information on Sybase products (using RSA signature verification) that may be affected by the vulnerabilities described above can be found in the document below.
Note: As information becomes available the following table will be updated. Please check for updates on a regular basis.
Details of affected products - Last Updated 23rd January 2007.
Sybase is currently working on providing final resolutions and product updates for this issue
Sybase strongly recommends that customers apply the product updates and follow product specific instructions when available
Should an EBF be required once it is available it can be obtained from the Sybase EBFs and Maintenance site.
Follow the instructions in the EBF cover letter to install any EBF.
If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.
Copyright © 2006 Sybase, Inc. All rights reserved.