Urgent from Sybase: Security vulnerabilities in Adaptive Server Enterprise (ASE)
Summary: This notification describes a situation where ASE exhibits possible security issues as described below. These issues are resolved by applying an ESD. Sybase recommends that customers update their installations as soon as possible. The ESDs are available for all versions of ASE for which customers have a valid support contract from the EBFs Download Area of the Sybase website.
Contents
This document contains the following sections:
- Customer Alert
- Recommendations
Customer Alert
Sybase is making this announcement proactively. These security vulnerabilities were reported to us by Application Security Inc. There have been no reported exploits of these vulnerabilities, and to date none has been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying these issues goes to Martin Rakhmanov and Esteban Martinez Fayo. Please see the table below for details of who reported each issue.
Recommendations
Corrective Action
Update to the latest ESDs for the applicable versions as detailed in the tables below.
Tracking
Sybase is tracking these issues under the following CRs:

| CR# | CVSS | Issue | Affected Versions | Reporter |
|---|---|---|---|---|
| 719878 | 8.3 | Elevated roles with creating proxy tables | All releases | Martin Rakhmanov |
| 720247 | 6.0 | Elevated roles involving the ASE plugin for Sybase Central and create table | All releases | Esteban Martinez Fayo |
| 696415 | 6.4 | Elevated roles through SQL injection | All releases | Martin Rakhmanov |
| 726532 | 4.9 | Information disclosure through installation log files on Windows platforms | 15.0.3 and later | Martin Rakhmanov |
| 711707 | 2.2 | Arbitrary code execution via stack overflow | 15.7 and later | Martin Rakhmanov |
| 712467 | 5.9 | Denial of service on Windows | All releases | Martin Rakhmanov |
| 712855 | 7.7 | Arbitrary code execution via stack overflow | All releases | Martin Rakhmanov |
| 722639 | 6.5 | Server side file corruption | 15.5 and later | Martin Rakhmanov |
| 719733 | 1.6 | Arbitrary code execution through Java in ASE | 15.0.3 and later | Martin Rakhmanov |
Fixed Versions
| Product | Version | Notes |
|---|---|---|
| ASE 15.7 | 15.7 ESD#3 | EBF can be used for localized versions |
| Sybase Central ASE Plugin for ASE 15.7 | ASE Plugin for ASE 15.7 ESD#3 | Sybase Central and ASE Plug-in for 15.7 ESD#3 is a separate download from the ASE 15.7 ESD#3 download |
| ASE 15.5 | 15.5 ESD#5.2 | EBF can be used for localized versions |
| ASE 15.0.3 | 15.0.3 ESD#4.2 | EBF can be used for localized versions |
Downloads
EBFs are obtained from the Sybase EBFs and Maintenance site.
http://downloads.sybase.com/
Follow the instructions in the EBF cover letter to install the EBF.
If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.
http://www.sybase.com/contactus/support
Copyright © 2013 Sybase, Inc. All rights reserved.