Urgent from Sybase: Security vulnerability ASE 15.0.2 and later. This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.
Summary: This notification describes a situation where ASE 15.0.2 and later versions exhibit possible security vulnerabilities as described below. These vulnerabilities are resolved by applying an EBF. Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. The issue also affects products that include ASE, as well as Replication Server, Open Server/SDK, IQ, SQL Anywhere, EAServer, RAP, and Event Stream Processor.
Contents
This document contains the following sections:
- Customer Alert
- Recommendation
Customer Alert
Sybase is making this announcement proactively. This issue was reported to us by Application Security Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying this issue goes to Martin Rakhmanov.
Recommendations
Corrective Action
Update to the latest EBFs for the applicable versions as detailed in the table below.
Tracking
Sybase is tracking this issue under the following CR#:
- CR 694511 - Introduce randomization in TDS login protocol (CVSS Rating: 5.5)
Fixed Versions
ASE 15.7 ESD#1 on all platforms contains fixes for the issue noted above.
Note that for ASE 15.7, the fix is also included in ASE 15.7 ESD#1 N-Off, ASE 15.7 ESD#2 Refresh 1 and ASE 15.7 ESD#1 Refresh 2.
This CR is fixed in the following EBFs according to the affected product.
Products & Versions
| Affected Product Version | Fixed Version | Notes |
|---|---|---|
| Adaptive Server Enterprise (ASE) 15.0.2 | 15.0.3 ESD#4.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) 15.5 | 15.5 ESD#5.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) 15.7 | 15.7 ESD#1 Refresh 2 | EBF can be used for localized versions |
| Replication Server 15.1 | 15.2 ESD#3 ONE-Off | EBF can be used for localized versions |
| Replication Server 15.2 | 15.2 ESD#3 ONE-Off | EBF can be used for localized versions |
| Replication Server 15.5 | 15.6 ESD#3 | |
| Replication Server 15.6 | 15.6 ESD#3 | |
| Replication Server 15.7 | 15.7.1 | EBF can be used for localized versions |
| RAP – The Trading Edition | R4.0 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| RAP – The Trading Edition | R4.1 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| EAServer 6.x | 6.3.1 ESD#3 | |
| Open Server 15.7 | 15.7 ESD#1 | Only needed if using CT-Library |
| Open Server 15.5 | 15.5 ESD#12 | Only needed if using CT-Library |
| SDK 15.7 | 15.7 ESD#1 | Only needed if using CT-Library, ESQL/C, ESQL/Cobol, XA, ASE-Python, PHP, PERL modules, jConnect, ODBC, OLE DB or ADO.NET |
| SDK 15.5 | 15.5 ESD#12 | Only needed if using CT-Library, ESQL/C, ESQL/Cobol, XA, jConnect, ODBC, OLE DB or ADO.NET |
| SQL Anywhere 12.0.1 | 12.01 | Fixed in builds 3574, 3577, 3723, 3726, 3740 |
| SQL Anywhere 11.0.1 | 11.01 | Fixed in builds 2744, 2745, 2753 |
| Event Stream Processor (ESP) 5.0 | 5.0 ESD #2 | |
| Sybase IQ 15.4 | 15.4 ESD #1 | |
| Sybase IQ 15.3 | 15.4 ESD #1 | |
| Sybase IQ 15.2 | 15.4 ESD #1 | |
| Sybase IQ 15.1 | 15.4 ESD #1 | |
Downloads
EBFs are obtained from the Sybase EBFs and Maintenance site.
http://downloads.sybase.com/
Follow the instructions in the EBF cover letter to install the EBF.
If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.
http://www.sybase.com/contactus/support
Copyright © 2012 Sybase, Inc. All rights reserved.