General advisory to Adaptive Server Enterprise (ASE) and Open Client/Open Server (OCS) customers of a Kerberos vulnerability
The Massachusetts Institute of Technology (MIT) has raised an issue that may make a product using Kerberos vulnerable if ALL of the following items are true:
If all of the above are true, the product will free memory that was never actually allocated, and the pointer may contain a random memory address.
ASE and OCS customers are not vulnerable, as we never perform ALL of the above steps together.
Sybase ASE and OCS products use the GSS-API routine that allocates buffer memory internally, and do not free incorrect memory when a GSS-API routine returns a failure. Since we do not free the resources on failure, we do not meet criterion number 2 above and hence are not vulnerable to this issue.
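The caller-side pattern described above, shown as an added example that is not Sybase or MIT code: the output buffer starts out empty and is released only after the routine reports success. The `demo_*` types and functions are hypothetical stand-ins for a GSS-API style routine that allocates its output buffer internally, and the principal name is a constructed sample value.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-ins for a GSS-API style buffer and status codes. */
typedef struct { size_t length; void *value; } demo_buffer;
#define DEMO_EMPTY_BUFFER { 0, NULL }
enum { DEMO_OK = 0, DEMO_FAILURE = 1 };

static int release_calls;            /* counts buffers actually freed */

/* Allocates the output buffer internally on success; on failure the
 * output buffer is left exactly as the caller passed it in. */
static int demo_get_token(const char *name, demo_buffer *out) {
    if (name == NULL || *name == '\0')
        return DEMO_FAILURE;         /* out is not written */
    size_t len = strlen(name);
    void *p = malloc(len + 1);
    if (p == NULL)
        return DEMO_FAILURE;         /* out is still untouched */
    memcpy(p, name, len + 1);
    out->length = len;
    out->value = p;
    return DEMO_OK;
}

static void demo_release(demo_buffer *buf) {
    if (buf->value != NULL) { free(buf->value); release_calls++; }
    buf->value = NULL;
    buf->length = 0;
}

/* Caller: returns the token length, or -1 when the routine failed. */
long use_token(const char *name) {
    demo_buffer tok = DEMO_EMPTY_BUFFER;   /* never indeterminate */
    if (demo_get_token(name, &tok) != DEMO_OK)
        return -1;                         /* failure path frees nothing */
    long n = (long)tok.length;
    demo_release(&tok);                    /* only a buffer we were given */
    return n;
}

int frees_so_far(void) { return release_calls; }

int main(void) {
    printf("failure: %ld, frees=%d\n", use_token(""), frees_so_far());
    printf("success: %ld, frees=%d\n", use_token("host/db1"), frees_so_far());
    return 0;
}
```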