Urgent from SAP & Sybase: Possible security vulnerabilities in EAServer 6.3.1 and 6.2

Summary: This document describes three situations where SAP EAServer 6.3.1 and 6.2 versions exhibit possible security vulnerabilities. The first vulnerability could allow an attacker to access all deployed applications in SAP EAServer; the second could allow an attacker to list all directories and display arbitrary files on the affected system; the third could allow an attacker to retrieve the credentials from configuration files and run OS commands using the WSH service. These vulnerabilities are resolved by applying an EBF. SAP recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the SAP website.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

These three security vulnerabilities have been identified in SAP EAServer. SAP is making this announcement proactively. The issues were reported to us by an external security researcher. There have been no reported exploits of these vulnerabilities, and to date none has been reported by an SAP customer. SAP, Inc. appreciates the efforts of the external security researcher to continually strengthen software throughout the industry by monitoring and testing.

These are considered vulnerabilities of medium to high severity and risk. The first vulnerability could allow an attacker to access all deployed applications in SAP EAServer, which can result in accessing and running other applications in SAP EAServer. It applies to EAServer versions 6.3.1 and 6.2. The second vulnerability, listing all directories and files, could allow an attacker to read arbitrary files on the affected system, which can result in information disclosure. It applies to EAServer version 6.3.1 only. The third vulnerability, in the WSH service, could allow an attacker to retrieve the credentials from configuration files and run OS commands, which can result in execution of an illegal OS command. It applies to EAServer version 6.3.1 only.

Recommendations

Corrective Action

Update to the latest EBF for your version, either 6.3.1 or 6.2, as detailed in the table below.

Fixed Versions

Versions of EAServer from 6.3.1 SP01 PL07 onward contain the fixes for these three vulnerabilities.

Versions of EAServer from 6.2 SP01 PL06 onward contain the fixes for these three vulnerabilities.

Tracking

SAP is tracking these issues under Security Notes 1852064, 1858107, 1851914 and CR#735939.

These CRs are fixed in the following EBFs.

Platform                    6.3.1 EBF#   6.2 EBF#
Windows (x86) 32-bit        21178        21183
Sun Solaris (x86) 32-bit    21179        21184
Linux (x86) 32-bit          21180        21185
HP-UX (Itanium) 32-bit      21181        21186
IBM AIX (Power) 32-bit      21182        21187

Customers using SAP EAServer should use the appropriate EBF for their platform from the list above. For customers that have an EAServer 6.x version prior to 6.3.1, first upgrade to EAServer version 6.3.1 ESD#5 and then apply the corresponding EBF above.
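The fixed levels, the EBF table and the upgrade path for older 6.x installations above amount to a small decision rule that an administrator has to apply to every EAServer instance in an estate. The following Python script is an added example, not code from SAP or Sybase, that encodes that rule: it classifies an installed version as fixed, vulnerable, or in need of the 6.3.1 upgrade first, and returns the EBF number from the table for a given platform. The version-string layout "major.minor[.patch] [SPnn] [PLnn]" is an assumption made for the example (an ESD-style string such as "6.3.1 ESD#5" is rejected rather than guessed at), and a version with no SP/PL suffix is treated as the GA level below any fix.

```python
import re

# Minimum fixed (SP, PL) per affected release, as stated in this notice.
FIXED_LEVELS = {
    (6, 3, 1): (1, 7),   # 6.3.1 SP01 PL07
    (6, 2): (1, 6),      # 6.2 SP01 PL06
}

# EBF numbers per platform, copied from the notice's table: (6.3.1 EBF, 6.2 EBF).
EBF_NUMBERS = {
    "Windows (x86) 32-bit": (21178, 21183),
    "Sun Solaris (x86) 32-bit": (21179, 21184),
    "Linux (x86) 32-bit": (21180, 21185),
    "HP-UX (Itanium) 32-bit": (21181, 21186),
    "IBM AIX (Power) 32-bit": (21182, 21187),
}

# Assumed layout of a reported version string: "<major>.<minor>[.<patch>] [SPnn] [PLnn]".
VERSION_RE = re.compile(r"^(\d+(?:\.\d+)+)(?:\s+SP(\d+))?(?:\s+PL(\d+))?$", re.IGNORECASE)


def parse_version(text):
    """Return (base_tuple, sp, pl). A missing SP or PL counts as 0, i.e. the GA level."""
    m = VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised EAServer version string: {text!r}")
    base = tuple(int(part) for part in m.group(1).split("."))
    sp = int(m.group(2) or 0)
    pl = int(m.group(3) or 0)
    return base, sp, pl


def assess(text):
    """Classify an installed version against the fixed levels in this notice."""
    base, sp, pl = parse_version(text)
    if base in FIXED_LEVELS:
        # Any later SP/PL on the same release also carries the fix.
        return "fixed" if (sp, pl) >= FIXED_LEVELS[base] else "vulnerable"
    if base[0] == 6 and base < (6, 3, 1):
        # 6.x before 6.3.1 (other than 6.2) must move to 6.3.1 first, then take the EBF.
        return "upgrade-to-6.3.1"
    return "unknown"  # release not covered by this notice


def required_ebf(text, platform):
    """Return the EBF number from the table that a given installation should apply."""
    base, _, _ = parse_version(text)
    if platform not in EBF_NUMBERS:
        raise KeyError(f"no EBF listed in this notice for platform {platform!r}")
    ebf_631, ebf_62 = EBF_NUMBERS[platform]
    if base == (6, 2):
        return ebf_62
    if base == (6, 3, 1) or (base[0] == 6 and base < (6, 3, 1)):
        # Older 6.x lands on 6.3.1 after the upgrade, so it takes the 6.3.1 EBF.
        return ebf_631
    raise ValueError(f"no EBF listed in this notice for version {text!r}")


if __name__ == "__main__":
    # Constructed inventory lines, not real hosts.
    inventory = [
        ("appsrv-01", "Linux (x86) 32-bit", "6.3.1 SP01 PL06"),
        ("appsrv-02", "Windows (x86) 32-bit", "6.2 SP01 PL06"),
        ("appsrv-03", "IBM AIX (Power) 32-bit", "6.1 SP02 PL01"),
    ]
    for host, platform, version in inventory:
        status = assess(version)
        ebf = required_ebf(version, platform) if status != "unknown" else "-"
        print(f"{host:10} {version:18} {status:18} EBF {ebf}")
```

Run it against an exported list of hosts, platforms and version strings; any line reporting "vulnerable" or "upgrade-to-6.3.1" names the EBF (or the upgrade plus EBF) that the notice prescribes for that host.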

Downloads

Whether or not you have already been migrated to SAP Support, you can obtain the EBFs above from the Sybase EBFs and Maintenance site. If you have already been migrated to SAP Support, you can also obtain them from the SAP Service Marketplace; this requires that you have already received your S-User credentials and are able to log in.

Sybase EBF Download Site - http://downloads.sybase.com/

Sybase Portal on SAP Service Marketplace - http://service.sap.com/sybase/support

Follow the instructions in the EBF cover letter to install the EBF.


If you have not yet been migrated to SAP Support and you require further assistance please contact your local Sybase Support Center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.

http://www.sybase.com/contactus/support

If you have already been migrated to SAP Support please contact the Customer Interaction Centre. Contact details are accessed via the Contact Us box located on the right hand side of the screen within the Sybase Portal on SAP Service Marketplace.

http://service.sap.com/sybase/support


Copyright © 2013 Sybase, Inc. All rights reserved.

DOCUMENT ATTRIBUTES
Last Revised: Jun 17, 2013
Product: EAServer
Business or Technical: Technical
  
Content Id: 1099353
Infotype: Urgent Notice