Urgent from Sybase: Security Issue in EAServer 5.2 and Earlier
Summary: EAServer 5.2 contains a security vulnerability that is resolved by applying an EBF. Sybase recommends that customers update their EAServer as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This vulnerability also affects versions of EAServer prior to version 5.2.
Contents
This document contains the following sections:
- Customer Alert
- Recommendation
Customer Alert
A buffer overflow vulnerability was identified in EAServer. Sybase is making this announcement proactively. The issue was reported to us by SPI Dynamics Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported as an issue by a Sybase customer. SPI Labs, the research group of SPI Dynamics, has as its mission providing objective web application security research to the technology community. Sybase Inc. appreciates the efforts of SPI Dynamics to continually strengthen software throughout the industry through monitoring and testing.
This is considered a vulnerability of medium severity and risk. To exploit it, an attacker must first be authenticated to /WebConsole/. Customers who already follow an appropriate security policy and do not use a null password for the jagadmin user are the least exposed. Note that by default the jagadmin password is blank for newly created servers; the EAServer documentation advises administrators to set a non-null jagadmin password immediately after creating a new server.
Please note that SPI Dynamics Inc. has published their report of the security vulnerability. This can be found at the following web address.
http://www.spidynamics.com/spilabs/advisories/sybaseEAserverOverflow.htm
Note: A further manifestation of this issue has been identified that is of high risk. Please read the related addendum.
The issue is resolved by applying the EBF for the appropriate platform and version, as listed in the table below.
EBF numbers by platform and EAServer version (5.2, 5.1 and 5.0 are currently supported; 4.2.5, 4.2.2 and 4.2 are End of Life §):

| Platform | 5.2 | 5.1 | 5.0 | 4.2.5 § | 4.2.2 § | 4.2 § |
|---|---|---|---|---|---|---|
| Windows | 12671 | 12669 | 12616 | 12673 | 12748 | 12753 |
| Linux | 12684 | ** | 12618 | ** | 12750 | ** |
| Solaris | 12672 | 12670 | 12617 | 12674 | 12749 | 12754 |
| IBM AIX | * | 12683 | 12620 | ** | 12752 | ** |
| HP-UX PA RISC | 12685 | ** | 12619 | ** | 12751 | ** |
| HP-UX Itanium | * | ** | 12677 | ** | ** | ** |
Note:
§ End of Life version, not supported standalone, only supported as part of another product
* Fixed in base release, no EBF required
** Version and Platform combination does not exist
Customers who have EAServer as part of another Sybase product such as Real Time Data Services, Unwired Orchestrator, Enterprise Portal, etc. need to refer to the table below for details of which EAServer version they are using, and then obtain the appropriate EBF.
| Product | Version | EAServer Version |
|---|---|---|
| Appeon | 3.0 | 5.2 |
| Appeon | 2.8 | 5.0 |
| Appeon | 2.7 | 4.2.2 |
| Biz Tracker | All | 4.2 |
| BPI Suite | All | 4.2.2 |
| Enterprise Portal | All | 4.2.2 |
| Real Time Data Services | All | 4.2.2 |
| Unwired Orchestrator | All | 5.0 |
| WSI Suite | All | 4.2.2 |
For products from our Financial Fusion division, customers are licensed for EAServer separately. The table below shows which versions of EAServer were originally certified with which products. For EAServer versions that have passed their End of Life date and have no EBF in the table above, customers will have to update their version of EAServer before applying an EBF. If you require further assistance with this, please contact your local Support Centre.
| Product | Version | EAServer Version |
|---|---|---|
| Financial Fusion Server | 4.x | 4.0 * |
| Financial Fusion Server | 1.1 & 2.0 | 3.6.1 * |
| Sybase Financial Server | All | 3.6.1 * |
| CEBS, BPW | 5.3.1 | 5.1 |
| CEBS, SBBS, BPW, UOFX | 4.5.x | 4.0 * |
| Trade Force GlobalFIX | 5.1.x | 4.2.2 |
| Trade Force GlobalFIX, SWIFT, Omega | 5.0.x | 4.1.3 * |
Note:
* There is no EBF for these versions of EAServer. EAServer must first be updated before the appropriate EBF is applied.
Recommendation
Sybase strongly recommends that all customers undertake the following two steps:
- Review jagadmin user passwords to ensure they are secure
- Upgrade to the latest EBFs for each released version, as detailed in the tables above
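The first step, reviewing jagadmin passwords, can be checked across an estate rather than by hand. The script below is an added example written for this page; it is not Sybase code and is not part of the advisory. It assumes that /WebConsole/ challenges for HTTP Basic credentials and answers 200 once they are accepted (an assumption; if your console redirects to a login form instead, the verdict will be UNEXPECTED_302 and the `fetch` function must be adapted to submit the form). The host names are placeholders.

```python
"""Audit EAServer hosts for a blank jagadmin password on /WebConsole/.

Added example for this advisory, not Sybase code. The HTTP Basic login mechanism
is an assumption; the user name and console path come from the advisory text.
"""
import base64
import urllib.error
import urllib.request

JAGADMIN_USER = "jagadmin"
CONSOLE_PATH = "/WebConsole/"


def basic_auth_header(user: str, password: str) -> str:
    """Build an HTTP Basic Authorization value for user:password."""
    token = base64.b64encode(f"{user}:{password}".encode("latin-1")).decode("ascii")
    return f"Basic {token}"


def http_status(url: str, headers: dict) -> int:
    """Real transport: HTTP status of a GET, returning 4xx/5xx codes instead of raising.
    Other network failures (refused connection, DNS) propagate as OSError/URLError."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code


def check_jagadmin_blank_password(host: str, fetch=http_status) -> str:
    """Classify one host. `fetch(url, headers) -> status` is injectable so the
    decision logic can be exercised offline; the default issues real requests."""
    url = f"http://{host}{CONSOLE_PATH}"
    try:
        anon = fetch(url, {})
        blank = fetch(url, {"Authorization": basic_auth_header(JAGADMIN_USER, "")})
    except (urllib.error.URLError, OSError):
        return "UNREACHABLE"
    if anon == 200:
        return "NO_AUTH"             # console served with no credentials at all
    if blank == 200:
        return "BLANK_PASSWORD"      # jagadmin with a null password accepted: exposed
    if blank in (401, 403):
        return "OK"                  # null password refused
    return f"UNEXPECTED_{blank}"     # e.g. 302 to a login form: adapt fetch()


def audit(hosts, fetch=http_status) -> dict:
    """Run the check over an inventory and return {host: verdict}."""
    return {host: check_jagadmin_blank_password(host, fetch) for host in hosts}


if __name__ == "__main__":
    import sys
    # Usage: python audit_jagadmin.py eas1.example.test eas2.example.test
    for host, verdict in audit(sys.argv[1:]).items():
        print(f"{host}: {verdict}")
```

Any host reported as BLANK_PASSWORD still has the default jagadmin credential and must have a non-null password set before the EBF is relied on; NO_AUTH means the console is reachable without the authentication the advisory's medium-severity rating assumes, and should be treated as more urgent.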
The software can be obtained from the Sybase EBFs and Maintenance site.
Follow the instructions in the EBF coverletter to install the EBF.
If you require further assistance please contact your local support centre. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.