 
 
 



Urgent from Sybase: Security vulnerabilities in Adaptive Server Enterprise (ASE)

Summary: This notification describes a situation where ASE exhibits possible security issues as described below. These issues are resolved by applying an ESD. Sybase recommends that customers update their installations as soon as possible. The ESDs are available for all versions of ASE for which customers have a valid support contract from the EBFs Download Area of the Sybase website.


Contents

This document contains the following sections:

  • Customer Alert
  • Recommendations

Customer Alert

Sybase is making this announcement proactively. These security vulnerabilities were reported to us by Application Security Inc. There have been no reported exploits of these vulnerabilities, and to date none has been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying these issues goes to Martin Rakhmanov and Esteban Martinez Fayo. Please see the table for details of who reported each issue.

Recommendations

Corrective Action

Update to the latest ESDs for applicable versions as detailed in the tables below.

Tracking

Sybase is tracking these issues under the following CRs:

| CR# | CVSS | Issue | Affected Versions | Reporter |
|--------|------|-------|-------------------|----------|
| 719878 | 8.3 | Elevated roles with creating proxy tables | All releases | Martin Rakhmanov |
| 720247 | 6.0 | Elevated roles involving the ASE plugin for Sybase Central and create table | All releases | Esteban Martinez Fayo |
| 696415 | 6.4 | Elevated roles through SQL injection | All releases | Martin Rakhmanov |
| 726532 | 4.9 | Information disclosure through installation log files on Windows platforms | 15.0.3 and later | Martin Rakhmanov |
| 711707 | 2.2 | Arbitrary code execution via stack overflow | 15.7 and later | Martin Rakhmanov |
| 712467 | 5.9 | Denial of service on Windows | All releases | Martin Rakhmanov |
| 712855 | 7.7 | Arbitrary code execution via stack overflow | All releases | Martin Rakhmanov |
| 722639 | 6.5 | Server side file corruption | 15.5 and later | Martin Rakhmanov |
| 719733 | 1.6 | Arbitrary code execution through Java in ASE | 15.0.3 and later | Martin Rakhmanov |

Fixed Versions

| Product | Version | Notes |
|---------|---------|-------|
| ASE 15.7 | 15.7 ESD#3 | EBF can be used for localized versions |
| Sybase Central ASE Plugin for ASE 15.7 | ASE Plugin for ASE 15.7 ESD#3 | Sybase Central and ASE Plug-in for 15.7 ESD#3 is a separate download from the ASE15.7 ESD#3 download |
| ASE 15.5 | 15.5 ESD#5.2 | EBF can be used for localized versions |
| ASE 15.0.3 | 15.0.3 ESD#4.2 | EBF can be used for localized versions |
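
An added example, not part of Sybase's advisory: a Python check that takes the banner returned by `select @@version` and reports which CRs from the tracking table apply to that release and whether its ESD level meets the Fixed Versions table. The banner layout and the sample banners are assumptions constructed for illustration; a release absent from the table, or a banner with no ESD token, is reported as undetermined rather than guessed.

```python
import re

# Fixed ESD level per release, from the advisory's Fixed Versions table.
FIXED_ESD = {(15, 7): (3,), (15, 5): (5, 2), (15, 0, 3): (4, 2)}

# CR number -> first affected release (None = "All releases"), from the CR table.
# The Windows-only scope of 726532 and 712467 is not evaluated here.
CR_SINCE = {
    719878: None, 720247: None, 696415: None, 726532: (15, 0, 3),
    711707: (15, 7), 712467: None, 712855: None, 722639: (15, 5),
    719733: (15, 0, 3),
}

# Assumed banner layout: "Adaptive Server Enterprise/<release>/... ESD#<n> ..."
RELEASE_RE = re.compile(r"Adaptive Server Enterprise/(\d+(?:\.\d+)*)/")
ESD_RE = re.compile(r"ESD#\s*(\d+(?:\.\d+)?)")

def _nums(text):
    """'5.2' -> (5, 2); leading zeros such as '02' are normalised."""
    return tuple(int(part) for part in text.split("."))

def assess(banner):
    """Return (release, patched, applicable_crs) for one @@version banner.

    patched is True or False when the release is in FIXED_ESD and the banner
    carries an ESD token; otherwise None, meaning check by hand.
    """
    m = RELEASE_RE.search(banner)
    if m is None:
        raise ValueError("not an ASE version banner")
    release = _nums(m.group(1))
    crs = sorted(cr for cr, since in CR_SINCE.items()
                 if since is None or release >= since)
    esd = ESD_RE.search(banner)
    fixed = FIXED_ESD.get(release)
    patched = None if fixed is None or esd is None else _nums(esd.group(1)) >= fixed
    return release, patched, crs

# Constructed sample banners (EBF and build numbers are placeholders).
SAMPLES = [
    "Adaptive Server Enterprise/15.7/EBF 00000 SMP ESD#02 /P/x86_64/Enterprise Linux/ase157/0000/64-bit/FBO/",
    "Adaptive Server Enterprise/15.5/EBF 00000 SMP ESD#5.2 /P/x86_64/Enterprise Linux/asear155/0000/64-bit/FBO/",
]

if __name__ == "__main__":
    for banner in SAMPLES:
        print(assess(banner))
```
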

Downloads

EBFs are obtained from the Sybase EBFs and Maintenance site.

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install the EBF.


If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.

http://www.sybase.com/contactus/support


Copyright © 2013 Sybase, Inc. All rights reserved.


