Switch to standard view 
  Sybase logo

Urgent from Sybase: Possible security vulnerability in EAServer 6.3.1 and Earlier. This also affects Appeon, Replication Server Messaging Edition, and WorkSpace.

Summary: This document describes a situation where Sybase EAServer 6.3.1 and earlier versions exhibit a possible security vulnerability on certain OS platforms. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files, this condition can result in information disclosure. This vulnerability is resolved by applying an EBF. Sybase recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include EAServer; Appeon, Replication Server Messaging Edition, and WorkSpace.


This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

A security vulnerability related to remote directory traversal has been identified in EAServer. Sybase is making this announcement proactively. This issues was reported to us by iDefense Labs, a VeriSign company. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of iDefense Labs to continually strengthen software throughout the industry by monitoring and testing.

This is considered a vulnerability with medium to high severity and risk. Remote exploitation of a directory traversal vulnerability in Sybase EAServer could allow an attacker to read arbitrary files, this condition can result in information disclosure. This is applicable to EAServer version 6.x only.


Corrective Action

Upgrade to the latest EBFs for version 6.x, as detailed in the tables below.

Fixed Versions

Versions of EAServer from 6.3.1 ESD# 2, and versions of EAServer 6.2 ESD# 4, contain a fix to correct this Remote Directory Traversal Vulnerability issue. EAServer version 6.3.1 and above on HP-UX and IBM AIX contain the fix so no EBF is needed for these platforms, only the base version 6.3.1.


Sybase is tracking these issues under CR# 647420.

This CR is fixed in the following EBFs.

Table 1: EBFs for EAServer 6.3.1

Platform EAServer 6.3.1
EBF# (ESD# 2)
Windows (x86) 32-bit 19062
Sun Solaris (x86) 32-bit 19063
Linux (x86) 32-bit 19064
HP-UX (Itanium) 32-bit N/A*
IBM AIX (Power) 32-bit N/A*

* The base version 6.3.1 of EAServer on HP-UX and IBM AIX already contains the fix so no EBF is required.

Customers using Sybase EAServer should use the appropriate EBF for their platform from the list above. For customers that have an EAServer 6.x version prior to 6.3.1, first upgrade to EAServer version 6.3.1, then apply the corresponding EBF above.

Customers that have EAServer as part of another Sybase product such as Appeon, Replication Server Messaging Edition, or WorkSpace need to refer to the table below for details of which EAServer version they are using, and then obtain the appropriate EBF.

Table 2: EAServer version included in other products

Product Version EAServer Version
Appeon 6.5* 6.3.1
Appeon (Japanese) 6.2* 6.3.1
Replication Server Messaging Edition 15.2 6.2**
WorkSpace 2.0, 2.1, 2.1.2, 2.5 6.0.2 Developer Edition***

* For version of Appeon prior to 6.5, and Appeon (Japanese) prior to 6.2 first upgrade to Appeon 6.5 and 6.2 respectively then follow the instructions for those versions.

** Refer to Table 3 below for the appropriate EAServer 6.2 EBF numbers.

*** Upgrade first to EAServer 6.3.1 Developer Edition and then apply EAServer 6.3.1 ESD# 2 by using the EBF# for the specific platform in Table 1 above.

Table 3: EBFs for EAServer 6.2

Platform EAServer 6.2
EBF# (ESD# 4)
Windows (x86) 32-bit 19106
Sun Solaris (x86) 32-bit 19107
Linux (x86) 32-bit 19108
HP-UX (Itanium) 32-bit 19109
IBM AIX (Power) 32-bit 19110

NOTE: These EBFs are not cumulative and are only applicable to customers that have EAServer 6.2 installation with no prior application of other patches/EBFs.


EBFs are obtained from the Sybase EBFs and Maintenance site.


Follow the instructions in the EBF cover letter to install the EBF. The EAServer 6.3.1 update release can be obtained from the Sybase Product Download Center (SPDC) site.

If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.


Copyright © 2011 Sybase, Inc. All rights reserved.

Back to Top
© Copyright 2010, Sybase Inc.