General advisory to Adaptive Server Enterprise (ASE) and Open Client/Open Server (OCS) customers of a Kerberos vulnerability

Problem Statement:

The Massachusetts Institute of Technology (MIT) has raised an issue that may make a product using Kerberos vulnerable if ALL of the following items are true:

  1. The product is calling any of the GSS-API routines that internally allocate memory for a provided buffer pointer
    AND
  2. The product is freeing up the resources allocated by such a GSS-API routine when the routine returned failure
    AND
  3. The product did not initialize the provided buffer pointer, which is meant to point to this allocated memory, prior to calling the routine

If all of the above are true, the product will free memory that was never actually allocated, and the pointer may contain a random memory address.

Our Products:

ASE and OCS customers are not vulnerable, as we never perform ALL of the above steps together.

Details:

Sybase ASE and OCS products use the GSS-API routine that allocates buffer memory internally, and do not free up incorrect memory when a GSS-API routine returns a failure. Since we do not free the resources on failure, we do not meet criterion number 2 above and hence are not vulnerable to this issue.
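The three conditions above can be checked one combination at a time. The following is an added example, not Sybase or MIT code: `buf_desc`, `mock_routine`, `mock_release` and `bad_frees_for` are hypothetical stand-ins for a GSS-API buffer descriptor, an allocating routine, and its release call, and the "uninitialized" buffer is simulated with constructed stale values so the run is deterministic.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Same shape as gss_buffer_desc in RFC 2744: a length and an allocated pointer. */
typedef struct { size_t length; void *value; } buf_desc;

static void *last_alloc;  /* the only pointer the mock routine has handed out */
static int bad_frees;     /* releases of a pointer that was never allocated */
static char stale;        /* constructed stand-in for leftover stack contents */

/* Hypothetical routine: allocates the output on success; on failure it
   returns early and leaves *out exactly as the caller passed it in. */
static int mock_routine(int fail, buf_desc *out) {
    void *p = fail ? NULL : malloc(5);
    if (p == NULL) return -1;
    memcpy(p, "token", 5);
    out->length = 5;
    out->value = last_alloc = p;
    return 0;
}

/* Hypothetical release: counts a bad free where real code would free() garbage. */
static void mock_release(buf_desc *b) {
    if (b->value == NULL) return;          /* empty buffer, nothing to release */
    if (b->value == last_alloc) { free(b->value); last_alloc = NULL; }
    else bad_frees++;
    b->length = 0;
    b->value = NULL;
}

/* One call with the given caller habits; returns the number of bad frees. */
int bad_frees_for(int init_first, int free_on_failure, int fail) {
    buf_desc tok = { 1234, &stale };       /* "uninitialized": stale values */
    if (init_first) { tok.length = 0; tok.value = NULL; }  /* GSS_C_EMPTY_BUFFER in real GSS-API code */
    bad_frees = 0;
    int rc = mock_routine(fail, &tok);
    if (rc == 0 || free_on_failure) mock_release(&tok);
    return bad_frees;
}

int main(void) {
    for (int i = 0; i < 8; i++)
        printf("init=%d free_on_failure=%d fail=%d -> bad frees: %d\n",
               (i >> 2) & 1, (i >> 1) & 1, i & 1,
               bad_frees_for((i >> 2) & 1, (i >> 1) & 1, i & 1));
    return 0;
}
```

Only the row with no initialization, release on failure, and a failing routine reports a bad free; breaking any one of the three conditions, as ASE and OCS do with condition 2, gives zero.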

 
 
 

© Copyright 2014, Sybase Inc.