General advisory to Adaptive Server Enterprise (ASE) and Open Client/Open Server (OCS) customers of a Kerberos vulnerability
The Massachusetts Institute of Technology (MIT) have raised an issue which may make a product using Kerberos vulnerable if ALL of the following items are true:
- The product is calling any of the GSS-API routines that internally allocate memory for a provided buffer pointer
- The product is freeing up the resources, allocated by such a GSS-API routine, in the case the routine returned failure
- The product did not initialize the provided buffer pointer that is pointing to this allocated memory, prior to calling the routine
If all of the above are true the product will free memory that was actually never allocated and the pointer may contain a random memory address.
ASE and OCS Customers are not vulnerable as we never perform ALL of the above steps togther.
Sybase ASE and OCS products use the GSS-API routine that allocates buffer memory internally, and do not free up incorrect memory when a GSS-API routine returns a failure. Since we do not free the resources on failure we do not meet criteria number 2. above and hence are not vulnerable to this issue.