Urgent from Sybase: Possible security vulnerability in EAServer 6.3.1 and Earlier. This also affects Appeon, Replication Server Messaging Edition, and WorkSpace.
Summary: This document describes a situation where Sybase EAServer 6.3.1 and earlier versions exhibit a possible security vulnerability on certain OS platforms. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files, this condition can result in information disclosure. This vulnerability is resolved by applying an EBF. Sybase recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include EAServer; Appeon, Replication Server Messaging Edition, and WorkSpace.
This document contains the following sections:
- Customer Alert
A security vulnerability related to remote directory traversal has been identified in EAServer. Sybase is making this announcement proactively. This issues was reported to us by iDefense Labs, a VeriSign company. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of iDefense Labs to continually strengthen software throughout the industry by monitoring and testing.
This is considered a vulnerability with medium to high severity and risk. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files, this condition can result in information disclosure. This is applicable to EAServer version 6.x only.
Upgrade to the latest EBFs for version 6.x, as detailed in the tables below.
Versions of EAServer from 6.3.1 ESD# 2, and versions of EAServer 6.2 ESD# 4, contain a fix to correct this Remote Directory Traversal Vulnerability issue. EAServer version 6.3.1 and above on HP-UX and IBM AIX contain the fix so no EBF is needed for these platforms, only the base version 6.3.1.
Sybase is tracking these issues under CR# 647420.
This CR is fixed in the following EBFs.
Table 1: EBFs for EAServer 6.3.1
|EBF# (ESD# 2)
|Windows (x86) 32-bit
|Sun Solaris (x86) 32-bit
|Linux (x86) 32-bit
|HP-UX (Itanium) 32-bit
|IBM AIX (Power) 32-bit
* The base version 6.3.1 of EAServer on HP-UX and IBM AIX already contains the fix so no EBF is required.
Customers using Sybase EAServer should use the appropriate EBF for their platform from the list above. For customers that have an EAServer 6.x version prior to 6.3.1, first upgrade to EAServer version 6.3.1, then apply the corresponding EBF above.
Customers that have EAServer as part of another Sybase product such as Appeon, Replication Server Messaging Edition, or WorkSpace need to refer to the table below for details of which EAServer version they are using, and then obtain the appropriate EBF.
Table 2: EAServer version included in other products
|Replication Server Messaging Edition
||2.0, 2.1, 2.1.2, 2.5
||6.0.2 Developer Edition***