Products packaged with OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable, which leads to this information disclosure.
ASE 16 on any OS Platforms
ASE 15.7 on any OS Platforms
IQ 15.4 ESD4 on any OS Platform
IQ 16.0 SP02 on any OS Platform
IQ 16.0 SP03 on any OS Platform
Replication Server 15.7.1 on Any Platform
PowerDesigner 16.5 SP02 on any OS Platform
PowerDesigner 16.5 SP03 on any OS Platform
PowerAMC 16.5 SP02 on any OS Platform
SQL Anywhere 12.0.1 on any OS Platform
SQL Anywhere 16.0 on any OS Platform
SQL Anywhere OnDemand 1.0 on any OS Platform
Mobile Platform SMP and SDK 3.0 on Windows
Mobile Platform SMP and SDK 2.3 on Mac
Software Developer Kit (SDK) 15.7 on any OS Platform
Software Developer Kit (SDK) 16.0 on any OS Platform
Open Server 15.7 on any OS Platform
Open Server 16.0 on any OS Platform
SDK for SAP ASE 15.7 on any OS Platform
SDK for SAP ASE 16.0 on any OS Platform
ECDA (Enterprise Data Connect Access) 15.7 on any OS Platform
Deficiencies in releases of OpenSSL libraries:
The SSL, TLS and DTLS implementations in OpenSSL versions 1.0.1 through 1.0.1f (inclusive) do not securely handle Heartbeat Extension packets. This may allow remote attackers to obtain sensitive information that applications use for establishing secured communication with SSL.
SAP has issued fixes for the following products that use OpenSSL cryptographic libraries which have been reported as vulnerable to CVE-2014-0160. Install the fixed product versions most appropriate for your production environment. In addition to installing the patch in affected installations, it is recommended to:
Revoke compromised certificates and keys
Reissue and distribute new certificates and keys
Change compromised passwords
The fixed versions are obtained from the Sybase EBFs and Maintenance site:
Open Server 15.7 ESD#6, ESD #7, SP100, SP101, SP102, SP103, SP110, SP111, SP120, SP121, SP122, SP123, SP124, SP125
Open Server 16.0, 16.0 PL01
Open Server 15.7 SP126
Open Server 16.0 PL02
SDK for SAP ASE
SDK for SAP ASE 15.7 SP122, SP123, SP124, SP125
SDK for SAP ASE 16.0, 16.0 PL01
SDK for SAP ASE 15.7 SP126
SDK for SAP ASE 16.0 PL02
ECDA 15.7, 15.7 SP01
ECDA 15.7 SP02
Installations not using any of the above platform, feature and version combinations are safe from this vulnerability.
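The advisory's vulnerable range is a plain version interval (OpenSSL 1.0.1 through 1.0.1f inclusive), so a quick first triage is to collect `openssl version` banners from the hosts running the products above and classify them. The following is an added example written for this page, not SAP's or OpenSSL's own code; the inventory lines and host names in it are constructed, and the `classify`/`triage_inventory` helpers are assumptions of this example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Tuple

# Vulnerable range named by the advisory: OpenSSL 1.0.1 (no letter) through 1.0.1f.
VULN_BASE = (1, 0, 1)
VULN_LAST_LETTER = "f"

# Matches the leading version of an `openssl version` banner, e.g. "OpenSSL 1.0.1f 6 Jan 2014".
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)", re.IGNORECASE)


@dataclass(frozen=True)
class OpenSSLVersion:
    major: int
    minor: int
    patch: int
    letter: str  # "" for a base release such as 1.0.1, "f" for 1.0.1f


def parse_openssl_version(banner: str) -> Optional[OpenSSLVersion]:
    """Parse an `openssl version` banner; returns None when no version is present.

    Pre-release suffixes such as "-beta1" are ignored and treated as the base release.
    """
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    return OpenSSLVersion(int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4).lower())


def is_heartbleed_vulnerable(v: OpenSSLVersion) -> bool:
    """True when v lies within 1.0.1 .. 1.0.1f inclusive (the CVE-2014-0160 range)."""
    if (v.major, v.minor, v.patch) != VULN_BASE:
        return False
    # Letter releases sort alphabetically; the base release ("") precedes "a".
    return v.letter <= VULN_LAST_LETTER


def classify(banner: str) -> str:
    """Map a banner to 'vulnerable', 'not-affected' or 'unknown' (unparseable)."""
    v = parse_openssl_version(banner)
    if v is None:
        return "unknown"
    return "vulnerable" if is_heartbleed_vulnerable(v) else "not-affected"


def triage_inventory(records: Iterable[Tuple[str, str]]) -> List[Tuple[str, str]]:
    """Classify (host, banner) pairs; returns (host, status) in input order."""
    return [(host, classify(banner)) for host, banner in records]


# Constructed sample inventory (host names and banners are made up for this example).
SAMPLE_INVENTORY = [
    ("ase-prod-01", "OpenSSL 1.0.1e 11 Feb 2013"),
    ("ase-prod-02", "OpenSSL 1.0.1g 7 Apr 2014"),
    ("iq-dev-01", "OpenSSL 1.0.0l 6 Jan 2014"),
    ("repsvr-01", "OpenSSL 0.9.8y 5 Feb 2013"),
    ("legacy-01", "openssl: command not found"),
]

if __name__ == "__main__":
    for host, status in triage_inventory(SAMPLE_INVENTORY):
        print(f"{host:12} {status}")
```

Treat the result as a starting point rather than a verdict: some OS vendors backport the fix while keeping the 1.0.1e version string, and products in the list above ship their own bundled OpenSSL that the system `openssl` binary does not reflect, so confirm against the fixed product versions SAP lists before closing a finding, and keep the certificate and password rotation steps regardless of what the banner says.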
This page will be updated as more information becomes available.
Frequently Asked Questions
Q1. For the heartbleed exploit, must SSL in ASE be enabled? A1. Yes.
Q2. For the heartbleed exploit, must the version of ASE be one of those listed above? A2. Yes.
Q3. For the heartbleed exploit, is the ability to login to ASE necessary? A3. See the CVSS vector for this vulnerability in the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160. From that CVSS vector we can see that authentication is not required to exploit this vulnerability.
Q4. If the SSL connectivity is within the infrastructure between the webserver and the database, will access to the internal network be required to exploit the heartbleed vulnerability? A4. This vulnerability can be exploited by anyone who can access the TLS/SSL port on which the server is listening for incoming connections.
Q5. What does it take to establish a database connection and hold it long enough to initiate a Heartbeat? Does any login restriction prevent this? A5. See the answer to Q3 above. Authentication is not required to exploit this vulnerability.
Q6. What is the ETA for the patch to be delivered to address this? A6. Fixed ASE versions will be posted on the SAP and Sybase websites as fixes become available. SAP security teams are working to make fixes available to customers in an expeditious manner.
Q7. Is there anything else SAP can tell us about detecting potential cases of the heartbleed exploit?
A7. For more information on the heartbleed vulnerability, please refer to the heartbleed website at: http://heartbleed.com/.
Information disclosure, OpenSSL vulnerability, Heartbleed bug, CVE-2014-0160
Last Revised: Jun 16, 2014 Product: Afaria, PowerAMC, Sybase IQ, SQL Anywhere, PowerDesigner, Mobile Device SDKs, Replication Server, Software Developer Kit, Adaptive Server Enterprise, EnterpriseConnect Data Access Technical Topics: Security, Troubleshooting
Business or Technical: Technical Content Id: 1099387 Infotype: Urgent Notice