Urgent from Sybase: Security vulnerability ASE 15.0.2 and later

This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.

Summary

This notification describes a situation where ASE 15.0.2 and later versions exhibit possible security vulnerabilities as described below. These vulnerabilities are resolved by applying an EBF. Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include ASE, Replication Server, Open Server/SDK, IQ, SQL Anywhere, EAServer, RAP, and Event Stream Processor.

Customer Alert

Sybase is making this announcement proactively. This issue was reported to us by Application Security Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying this issue goes to Martin Rakhmanov.

Recommendations

Corrective Action

Update to the latest EBFs for applicable versions as detailed in tables below.

Tracking

Sybase is tracking this issue under the following CR#:

Fixed Versions

ASE 15.7 ESD#1 on all platforms contains fixes for the issue noted above. Note that for ASE 15.7, the fix is also included in ASE 15.7 ESD#1 N-Off, ASE 15.7 ESD#2 Refresh 1 and ASE 15.7 ESD#1 Refresh 2. This CR is fixed in the following EBFs according to the affected product.

Downloads

EBFs are obtained from the Sybase EBFs and Maintenance site. Follow the instructions in the EBF cover letter to install the EBF. If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website. http://www.sybase.com/contactus/support

Copyright © 2012 Sybase, Inc. All rights reserved.

Products & Versions
| Affected Product Version | Fixed Version | Notes |
|---|---|---|
| Adaptive Server Enterprise (ASE) 15.0.2 | 15.0.3 ESD#4.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) 15.5 | 15.5 ESD#5.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) 15.7 | 15.7 ESD#1 Refresh 2 | EBF can be used for localized versions |
| Replication Server 15.1 | 15.2 ESD#3 ONE-Off | EBF can be used for localized versions |
| Replication Server 15.2 | 15.2 ESD#3 ONE-Off | EBF can be used for localized versions |
| Replication Server 15.5 | 15.6 ESD#3 | |
| Replication Server 15.6 | 15.6 ESD#3 | |
| Replication Server 15.7 | 15.7.1 | EBF can be used for localized versions |
| RAP – The Trading Edition | R4.0 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| RAP – The Trading Edition | R4.1 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| EAServer 6.x | 6.3.1 ESD#3 | |
| Open Server 15.7 | 15.7 ESD#1 | Only needed if using CT-Library |
| Open Server 15.5 | 15.5 ESD#12 | Only needed if using CT-Library |
| SDK 15.7 | 15.7 ESD#1 | Only needed if using CT-Library, ESQL/C, ESQL/Cobol, XA, ASE-Python, PHP, PERL modules, jConnect, ODBC, OLE DB or ADO.NET |
| SDK 15.5 | 15.5 ESD#12 | Only needed if using CT-Library, ESQL/C, ESQL/Cobol, XA, jConnect, ODBC, OLE DB or ADO.NET |
| SQL Anywhere 12.0.1 | 12.01 | Fixed in builds 3574, 3577, 3723, 3726, 3740 |
| SQL Anywhere 11.0.1 | 11.01 | Fixed in builds 2744, 2745, 2753 |
| Event Stream Processor (ESP) 5.0 | 5.0 ESD #2 | |
| Sybase IQ 15.4 | 15.4 ESD #1 | |
| Sybase IQ 15.3 | 15.4 ESD #1 | |
| Sybase IQ 15.2 | 15.4 ESD #1 | |
| Sybase IQ 15.1 | 15.4 ESD #1 | |
