Urgent from Sybase: Possible security vulnerabilities in EAServer 6.3 and earlier. This also affects Appeon, Replication Server Messaging Edition, and WorkSpace.

Summary: This document describes two situations in which Sybase EAServer 6.3 or earlier versions exhibit possible security vulnerabilities. Remote exploitation of a design vulnerability in Sybase EAServer could allow an attacker to install arbitrary web services; this condition can result in arbitrary code execution. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files; this condition can result in information disclosure. These vulnerabilities are resolved by applying an EBF. Sybase recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include EAServer: Appeon, Replication Server Messaging Edition, and WorkSpace.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendations

Customer Alert

Security vulnerabilities related to remote web service installation and directory traversal have been identified in EAServer. Sybase is making this announcement proactively. These issues were reported to us by iDefense Labs, a VeriSign company. There have been no reported exploits of these vulnerabilities, and to date they have not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of iDefense Labs to continually strengthen software throughout the industry by monitoring and testing.

These are considered vulnerabilities with medium to high severity and risk. Remote exploitation of a design vulnerability in Sybase EAServer could allow an attacker to install arbitrary web services; this condition can result in arbitrary code execution, allowing an attacker to gain control over the affected machine. This is applicable to EAServer versions 6.x and 5.x. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files; this condition can result in information disclosure. This is applicable to EAServer version 6.x only.

Recommendations

Corrective Actions for EAServer Web Service Remote Installation

Upgrade to the latest EBFs for either version 6.x or 5.x, as detailed in the table below.

Corrective Actions for EAServer Remote Directory Traversal

Upgrade to the latest EBFs for version 6.x, as detailed in the table below.

Fixed Versions

Versions of EAServer from 6.3 ESD#2 onward, and 6.3.1, contain the fixes that correct the Web Service Remote Installation and Remote Directory Traversal vulnerabilities.

Tracking

Sybase is tracking these issues under CR# 640479, 641035, 641644.

These CRs are fixed in the following EBFs.

Table 1: EBFs for EAServer 6.3 and EAServer 5.x

Platform                    EAServer 6.3 EBF# (ESD# 2)   EAServer 5.x EBF#
Windows (x86) 32-bit        18288                        18328
Sun Solaris (x86) 32-bit    18289                        18329
Linux (x86) 32-bit          18290                        18330
HP-UX PA-RISC 32-bit        N/A                          18331
HP-UX (Itanium) 32-bit      18291                        18339
IBM AIX (Power) 32-bit      18292                        18332

Customers using Sybase EAServer should use the appropriate EBF for their platform from the list above. For customers that have an EAServer 6.x version prior to 6.3 on Windows, Solaris and Linux platforms, upgrade to EAServer version 6.3.1. For customers that have an EAServer 6.x version prior to 6.3 on other platforms, first upgrade to EAServer version 6.3 and then apply the corresponding EBF above.

Customers using Sybase EAServer Developer edition should upgrade to EAServer 6.3 and then apply the corresponding EBF above.

Customers that have EAServer as part of another Sybase product such as Appeon, Replication Server Messaging Edition, or WorkSpace need to refer to the table below for details of which EAServer version they are using, and then obtain the appropriate EBF.

Table 2: EAServer version included in other products

Product                                Version                 EAServer Version
Appeon                                 6.x                     6.2*
Replication Server Messaging Edition   15.2                    6.2*
WorkSpace                              2.0, 2.1, 2.1.2, 2.5    6.0.2** Developer Edition

NOTES:

* Customers that have applied no patches or EBFs on top of the EAServer 6.2 embedded with Appeon or RSME need to follow Table 3 below to apply the EBF. Customers that have applied patches/EBFs on top of EAServer 6.2 need to upgrade first to EAServer 6.3 and then apply EAServer 6.3 ESD#2 by using the EBF# for their specific platform in Table 1 above; on Windows, Solaris, and Linux platforms, customers may instead upgrade directly to EAServer 6.3.1.

Table 3: EBFs for EAServer 6.2***

Platform                    EAServer 6.2 EBF# (ESD# 3)
Windows (x86) 32-bit        18386
Sun Solaris (x86) 32-bit    18387
Linux (x86) 32-bit          18388
HP-UX (Itanium) 32-bit      18389
IBM AIX (Power) 32-bit      18390

** Upgrade first to EAServer 6.3 Developer Edition and then apply EAServer 6.3 ESD# 2 by using the EBF# for the specific platform in the Table 1 above.

*** These EBFs are not cumulative and are applicable only to customers that have an EAServer 6.2 installation with no prior application of other patches/EBFs.

Downloads

EBFs are obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install the EBF. EAServer 6.3 and EAServer 6.3.1 update releases can be obtained from the Sybase Product Download Center (SPDC) site.

EAServer Developer Edition (latest version) can be obtained from the Sybase eShop site.

http://eshop.sybase.com/eshop/buy?id=22550


If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.

http://www.sybase.com/contactus/support


Copyright © 2011 Sybase, Inc. All rights reserved.


