Urgent from SAP & Sybase: Possible security vulnerabilities in EAServer 6.3.1 and 6.2
Summary: This document describes three situations where SAP EAServer 6.3.1 and 6.2 versions exhibit possible security vulnerabilities. The first vulnerability could allow an attacker to access all deployed applications in SAP EAServer; the second could allow an attacker to list all directories and display arbitrary files on the affected system; the third could allow an attacker to retrieve the credentials from configuration files and run OS commands using the WSH service. These vulnerabilities are resolved by applying an EBF. SAP recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the SAP website.
This document contains the following sections:
- Customer Alert
These three security vulnerabilities have been identified in SAP EAServer. SAP is making this announcement proactively. These issues were reported to us by an external security researcher. There have been no reported exploits of these vulnerabilities, and to date none of them has been reported by an SAP customer. SAP, Inc. appreciates the efforts of the external security researcher to continually strengthen software throughout the industry by monitoring and testing.
These are considered vulnerabilities of medium to high severity and risk. The first vulnerability could allow an attacker to access all applications deployed in SAP EAServer. This condition can result in unauthorized access to, and execution of, other applications in SAP EAServer. This is applicable to EAServer versions 6.3.1 and 6.2. The second vulnerability could allow an attacker to list all directories and read arbitrary files on the affected system. This condition can result in information disclosure. This is applicable to EAServer version 6.3.1 only. The third vulnerability, in the WSH service of SAP EAServer, could allow an attacker to retrieve the credentials from configuration files and run OS commands. This condition can result in the execution of unauthorized OS commands. This is applicable to EAServer version 6.3.1 only.
Update to the latest EBF for version 6.3.1 or 6.2, as detailed in the table below.
Versions of EAServer from 6.3.1 SP01 PL07 onward contain the fixes that correct these three vulnerabilities.
Versions of EAServer from 6.2 SP01 PL06 onward contain the fixes that correct these three vulnerabilities.
SAP is tracking these issues under Security Notes 1852064, 1858107, 1851914 and CR#735939.
These CRs are fixed in the following EBFs.
- Windows (x86) 32-bit
- Sun Solaris (x86) 32-bit
- Linux (x86) 32-bit
- HP-UX (Itanium) 32-bit
- IBM AIX (Power) 32-bit
Customers using SAP EAServer should use the appropriate EBF for their platform from the list above. For customers that have an EAServer 6.x version prior to 6.3.1, first upgrade to EAServer version 6.3.1 ESD#5 and then apply the corresponding EBF above.
Whether or not you have already been migrated to SAP Support, you can obtain the EBFs above from the Sybase EBFs and Maintenance site. If you have already been migrated to SAP Support, you can also obtain them from the SAP Service Marketplace. This will only work if you have already received your S-User credentials and are able to log in.
Sybase EBF Download Site - http://downloads.sybase.com/
Sybase Portal on SAP Service Marketplace - http://service.sap.com/sybase/support
Follow the instructions in the EBF cover letter to install the EBF.
If you have not yet been migrated to SAP Support and you require further assistance, please contact your local Sybase Support Center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.
If you have already been migrated to SAP Support, please contact the Customer Interaction Centre. Contact details are accessed via the Contact Us box located on the right-hand side of the screen within the Sybase Portal on SAP Service Marketplace.
Copyright © 2013 Sybase, Inc. All rights reserved.