Urgent from Sybase: Security Issue in EAServer 5.2 and Earlier

Summary: EAServer 5.2 contains a security vulnerability that is resolved by applying an EBF. Sybase recommends that customers update their EAServer as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This vulnerability also affects versions of EAServer prior to version 5.2.

Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

A buffer overflow vulnerability was identified in EAServer. Sybase is making this announcement proactively. The issue was reported to Sybase by SPI Dynamics Inc. There have been no reported exploits of this vulnerability, and to date no Sybase customer has reported it as an issue. SPI Labs, the research group of SPI Dynamics, has as its mission providing objective web application security research to the technology community. Sybase Inc. appreciates the efforts of SPI Dynamics to continually strengthen software throughout the industry through monitoring and testing.

This is considered a vulnerability of medium severity and risk. To exploit it, an attacker must first be authenticated to /WebConsole/. Customers that already implement an appropriate security policy, in particular one that does not leave the jagadmin user with a null password, are least exposed. Note that by default the jagadmin password is blank on newly created servers, so on an unconfigured server the authentication requirement is no barrier to anyone who can reach /WebConsole/. The EAServer documentation advises administrators to set a non-null jagadmin password immediately after creating a new server.

Please note that SPI Dynamics Inc. has published their report of the security vulnerability. This can be found at the following web address.
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm

Note: A further manifestation of this issue has been identified that is of high risk. Please read the related addendum.


The issue is resolved by applying the following EBFs to the correct platform and version.

EBF Numbers

Platform          Currently Supported Versions       EOL Versions
                  5.2       5.1       5.0            4.2.5     4.2.2     4.2
Windows           12671     12669     12616          12673     12748     12753
Linux             12684     **        12618          **        12750     **
Solaris           12672     12670     12617          12674     12749     12754
IBM AIX           *         12683     12620          **        12752     **
HP-UX PA RISC     12685     **        12619          **        12751     **
HP-UX Itanium     *         **        12677          **        **        **

Note:
EOL versions are End of Life versions, not supported standalone, only supported as part of another product
* Fixed in base release, no EBF required
** Version and platform combination does not exist


Customers who have EAServer as part of another Sybase product such as Real Time Data Services, Unwired Orchestrator, Enterprise Portal, etc. need to refer to the table below for details of which EAServer version they are using, and then obtain the appropriate EBF.

Product                    Version    EAServer Version
Appeon                     3.0        5.2
Appeon                     2.8        5.0
Appeon                     2.7        4.2.2
Biz Tracker                All        4.2
BPI Suite                  All        4.2.2
Enterprise Portal          All        4.2.2
Real Time Data Services    All        4.2.2
Unwired Orchestrator       All        5.0
WSI Suite                  All        4.2.2

For products from our Financial Fusion division, customers are separately licensed for EAServer. The table below shows which versions of EAServer were originally certified with which products. For EAServer versions that have passed their End of Life date and have no EBF in the table above, customers will have to update their version of EAServer before an EBF can be applied. If you require further assistance with this, please contact your local Support Centre.

Product                               Version      EAServer Version
Financial Fusion Server               4.x          4.0 *
Financial Fusion Server               1.1 & 2.0    3.6.1 *
Sybase Financial Server               All          3.6.1 *
CEBS, BPW                             5.3.1        5.1
CEBS, SBBS, BPW, UOFX                 4.5.x        4.0 *
Trade Force GlobalFIX                 5.1.x        4.2.2
Trade Force GlobalFIX, SWIFT, Omega   5.0.x        4.1.3 *

Note:
* There is no EBF for these versions of EAServer. EAServer must first be updated to a supported version before the appropriate EBF is applied.

Recommendation

Sybase strongly recommends that all customers undertake the following two steps:

  • Review jagadmin user passwords to ensure they are not blank and are otherwise secure
  • Apply the latest EBF for each released version, as detailed in the tables above

The software can be obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF coverletter to install the EBF.

If you require further assistance please contact your local support centre. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.

http://www.sybase.com/contactus/support



© Copyright 2010, Sybase Inc.