Security Update for Adaptive Server Enterprise (ASE)
Summary: This notification describes a situation where ASE exhibits possible security issues as described below. These issues are resolved by applying an ESD. Sybase recommends that customers update their installations as soon as possible. The ESDs are available for all versions of ASE for which customers have a valid support contract from the EBFs Download Area of the Sybase website.
Sybase is issuing this notification proactively. To date there have been no exploits reported by Sybase customers or others.
Update to the latest ESDs for applicable versions as detailed in the tables below.
Sybase is tracking these issues under the following CR#s:
| CR# | CVSS Base Score | CVSS Base Vector | Issue | Affected Versions | SAP Note | Finder |
|---|---|---|---|---|---|---|
| | 8.5 | AV:N/AC:M/AU:S/C:C/I:C/A:C | Missing authorization check | All versions | 1849356 | Application Security, Inc |
| CR726532 | 4.9 | AV:L/AC:L/AU:N/C:C/I:N/A:N | Potential information disclosure | 15.0.3 and later | 1809246 | Application Security, Inc |
| CR729766 | 6.8 | AV:N/AC:L/AU:S/C:C/I:N/A:N | Potential information disclosure | All versions | 1887341 | Positive Technologies |
| CR722777 | 5.4 | AV:N/AC:H/AU:N/C:N/I:N/A:C | Potential denial of service | All versions | 1887342 | Application Security, Inc |
| CR731758 | 8.5 | AV:N/AC:M/AU:S/C:C/I:C/A:C | Elevation of privileges | 15.0.3 and later | 1893440 | Application Security, Inc |
| CR726352 | 6.1 | AV:N/AC:H/AU:S/C:C/I:P/A:P | Directory traversal | 15.0.3 and later | 1893556 | Application Security, Inc |
| CR732989 | 8.7 | AV:N/AC:L/AU:S/C:C/I:P/A:C | Potential remote code execution | 15.0.3 and later | 1893558 | Application Security, Inc |
| CR736689 | 9.0 | AV:N/AC:L/AU:S/C:C/I:C/A:C | Potential remote code execution | All versions | 1893560 | Application Security, Inc |
| CR726934 | 6.3 | AV:N/AC:M/AU:S/C:N/I:N/A:C | Potential denial of service | 15.7 and later | 1893561 | Application Security, Inc |
| CR737762 | 7.2 | AV:L/AC:L/AU:N/C:C/I:C/A:C | Potential information disclosure | All versions | 1893562 | Shenzhew Huawei Technology |
| ASE 15.7 | 15.7 SP100 | EBF can be used for localized versions |
| ASE 15.7 | 15.7 SP50 | EBF can be used for localized versions |
| ASE 15.5 | 15.5 ESD#5.3 | EBF can be used for localized versions |
| ASE 15.0.3 | 15.0.3 ESD#4.3 | EBF can be used for localized versions |
EBFs are obtained from the Sybase EBFs and Maintenance site.
Follow the instructions in the EBF cover letter to install the EBF.
If you require further assistance, please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website.
These issues were reported to Sybase by security researchers Martin Rakhmanov and Vladimir Zakharevich from Application Security, Inc; Yury Maryshev from Positive Technologies; and Shenzhew Huawei Technology Company. Sybase appreciates the efforts of these researchers to continually strengthen software security throughout the industry by monitoring and testing.
Copyright © 2013 Sybase, Inc. All rights reserved.