Urgent from Sybase: Security vulnerabilities in ASE 15.0.3 and later. Plus potential hang and data loss issue.

Summary: This notification describes a situation where ASE 15.0.3 and later versions exhibit possible security vulnerabilities as described below. It also describes a situation where ASE can potentially hang or suffer from data consistency issues. All of these issues are resolved by applying an EBF. Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendation

Customer Alert

Sybase is making this announcement proactively. These security vulnerabilities were reported to us by Application Security Inc. There have been no reported exploits of these vulnerabilities, and to date they have not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying these issues goes to Martin Rakhmanov, Esteban Martinez Fayo, and Ernesto Cullen. Please see the table for details of who reported each issue.

Recommendations

Corrective Action

Update to the latest EBFs for the applicable versions, as detailed in the tables below.

Tracking

Sybase is tracking these issues under the following CRs:

| CR# | CVSS | Issue | Affected Versions | Reporter |
|---|---|---|---|---|
| 689823 | 8.3 | Elevated roles through DBCC | All releases | Martin Rakhmanov |
| 694649 | 8.3 | Elevated roles with creating proxy tables | All releases | Martin Rakhmanov |
| 700185 | 8.3 | Elevated roles with creating proxy tables | All releases | Martin Rakhmanov |
| 691586 | 2.1 | Arbitrary code execution through Java in ASE | All releases | Martin Rakhmanov |
| 694791 | 1.6 | Arbitrary code execution through Java in ASE | All releases | Martin Rakhmanov |
| 691642 | 2.1 | Elevated roles for a Java method in ASE | All releases | Esteban Martinez Fayo |
| 693482 | 5.7 | Elevated roles with sp_setreptable | All releases | Martin Rakhmanov |
| 693731 | 5.1 | Elevated roles with create index | All releases | Martin Rakhmanov |
| 693839 | 6.0 | Elevated roles involving the ASE plugin for Sybase Central and create table | All releases | Esteban Martinez Fayo |
| 694729 | 6.4 | Elevated roles with alter table | ASE 15.7 GA | Martin Rakhmanov |
| 694812 | 1.6 | Elevated file access permissions using Java on Windows platforms | All releases | Martin Rakhmanov |
| 701980 | 0.9 | Elevated roles for a Java method in ASE | All releases | Ernesto Cullen |
| 707149 | NA | If chained transactions are used with DOL tables in a highly concurrent environment, there is a slight possibility of a server hang or data loss | ASE 15.7 ESD#1; ASE 15.5 ESD#5; ASE 15.5 ESD#3 one-off; ASE 15.5 EBF 19182 | NA |

Fixed Versions

| Product | Version | Notes |
|---|---|---|
| Adaptive Server Enterprise (ASE) - all editions | 15.0.3 ESD#4.1 | EBF can be used for localized versions |
| | 15.5 ESD#5.1 | EBF can be used for localized versions |
| | 15.7 ESD#1 Refresh 1; 15.7 ESD#1 Refresh 2 | EBF can be used for localized versions |

Downloads

EBFs are obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install the EBF.


If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.

http://www.sybase.com/contactus/support


Copyright © 2012 Sybase, Inc. All rights reserved.


