Symptom

Products packaged with OpenSSL 1.0.1 through 1.0.1f (inclusive) are vulnerable to the Heartbleed bug, which results in an information disclosure.
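The affected range above is the one thing an administrator can check across a fleet before consulting the product table. The following Python is an added example, not part of this advisory or of any SAP/Sybase tool: it parses the version string printed by `openssl version` (1.0.1 patch releases carry a letter suffix, and the first 1.0.1 release has none) and flags hosts whose library falls inside 1.0.1 to 1.0.1f. The host names and version strings in the sample inventory are constructed.

```python
import re
from typing import Dict, List, Tuple

# Affected range stated in the advisory: OpenSSL 1.0.1 through 1.0.1f inclusive.
# 1.0.1 patch releases carry a letter suffix; the initial 1.0.1 release has none.
AFFECTED_FIRST: Tuple[int, int, int, str] = (1, 0, 1, "")
AFFECTED_LAST: Tuple[int, int, int, str] = (1, 0, 1, "f")

_VERSION_RE = re.compile(r"(\d+)\.(\d+)\.(\d+)([a-z]?)")


def parse_openssl_version(text: str) -> Tuple[int, int, int, str]:
    """Extract (major, minor, fix, letter) from strings such as 'OpenSSL 1.0.1e'
    or a bare '1.0.1f'. Raises ValueError when no version is present."""
    m = _VERSION_RE.search(text)
    if m is None:
        raise ValueError(f"no OpenSSL version found in {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3)), m.group(4))


def in_heartbleed_range(text: str) -> bool:
    """True when the version lies in 1.0.1 .. 1.0.1f.

    Tuple ordering gives '' < 'a' < ... < 'f', so 1.0.1 (no letter) is inside
    the range and 1.0.1g is outside; 1.0.0x and 1.0.2 fall outside on the
    numeric fields before the letter is ever compared.
    """
    return AFFECTED_FIRST <= parse_openssl_version(text) <= AFFECTED_LAST


def flag_affected_hosts(inventory: Dict[str, str]) -> List[str]:
    """Given host -> `openssl version` output, return the hosts in the affected range."""
    return sorted(host for host, text in inventory.items() if in_heartbleed_range(text))


# Constructed sample inventory: host names and version strings are made up.
SAMPLE_INVENTORY = {
    "ase-db-01": "OpenSSL 1.0.1e",
    "ase-db-02": "OpenSSL 1.0.1g",
    "iq-01": "OpenSSL 1.0.1",
    "repserver-01": "OpenSSL 1.0.0k",
    "sqlany-01": "OpenSSL 1.0.2",
}

if __name__ == "__main__":
    print("Hosts in the affected range:", flag_affected_hosts(SAMPLE_INVENTORY))
```

Two caveats when using this kind of check. A version string inside the affected range only means the library is affected; whether a product is exposed still depends on the feature column of the table below (Replication Server, for instance, is affected only if SSL is enabled). Conversely, operating-system vendors that backport the fix commonly keep the upstream version string, so a host reporting 1.0.1e may already be patched; the product-level fixed versions in this advisory are the authoritative test for the products it covers.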

 

Environment

  • ASE 16 on any OS Platforms
  • ASE 15.7 on any OS Platforms
  • IQ 15.4 ESD4 on any OS Platform
  • IQ 16.0 SP02 on any OS Platform
  • IQ 16.0 SP03 on any OS Platform
  • Replication Server 15.7.1 on Any Platform
  • PowerDesigner 16.5 SP02 on any OS Platform
  • PowerDesigner 16.5 SP03 on any OS Platform
  • PowerAMC 16.5 SP02 on any OS Platform
  • SQL Anywhere 12.0.1 on any OS Platform
  • SQL Anywhere 16.0 on any OS Platform
  • SQL Anywhere OnDemand 1.0 on any OS Platform
  • Mobile Platform SMP and SDK 3.0 on Windows
  • Mobile Platform SMP and SDK 2.3 on Mac
  • Afaria 7
  • Relay Server
  • Agentry
  • Software Developer Kit (SDK) 15.7 on any OS Platform
  • Software Developer Kit (SDK) 16.0 on any OS Platform
  • Open Server 15.7 on any OS Platform
  • Open Server 16.0 on any OS Platform
  • SDK for SAP ASE 15.7 on any OS Platform
  • SDK for SAP ASE 16.0 on any OS Platform
  • ECDA (Enterprise Data Connect Access) 15.7 on any OS Platform

 

Cause

Deficiencies in releases of OpenSSL libraries:

The SSL, TLS and DTLS implementations in OpenSSL versions 1.0.1 through 1.0.1f (inclusive) do not securely handle Heartbeat Extension packets. This may allow remote attackers to obtain sensitive information that applications use to establish secured communication over SSL.

For more information about the OpenSSL vulnerability (Heartbleed bug), you can refer to http://heartbleed.com and the OpenSSL advisory: http://www.openssl.org/news/secadv_20140407.txt.
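The Cause section describes the defect only as insecure handling of Heartbeat Extension packets. As an added illustration that is not part of this advisory or of OpenSSL's own code, the Python below models the heartbeat message layout from RFC 6520 (a one-byte type, a two-byte big-endian payload length, the payload, and at least 16 bytes of padding) and contrasts a parser that trusts the declared payload length with one that applies the two length checks the OpenSSL fix added. The "heap" buffer, the secret string and the record contents are constructed test data; nothing here speaks TLS on the wire.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# RFC 6520 heartbeat message: type (1 byte), payload_length (2 bytes,
# big-endian), payload, then at least 16 bytes of padding.
HEARTBEAT_REQUEST = 1
HEARTBEAT_RESPONSE = 2
HEADER_LEN = 3
MIN_PADDING = 16


class MalformedHeartbeat(ValueError):
    """Raised when a heartbeat record fails length validation."""


@dataclass
class HeartbeatMessage:
    msg_type: int
    payload: bytes


def parse_heartbeat_unchecked(memory: bytes, offset: int) -> HeartbeatMessage:
    """Trust the sender's payload_length without comparing it to the record
    that actually arrived: the defect class present in OpenSSL 1.0.1 to 1.0.1f.

    `memory` models the process heap; the record starts at `offset` and is
    followed by unrelated data. Copying payload_length bytes copies whatever
    sits after the record, which is the information disclosure.
    """
    msg_type = memory[offset]
    (payload_len,) = struct.unpack("!H", memory[offset + 1:offset + 3])
    start = offset + HEADER_LEN
    return HeartbeatMessage(msg_type, memory[start:start + payload_len])


def parse_heartbeat(record: bytes) -> HeartbeatMessage:
    """Validate lengths before touching the payload (the fixed behaviour).

    The record must hold at least a header plus the minimum padding, and
    header + declared payload + minimum padding must fit inside the record
    length; anything else is discarded rather than echoed back.
    """
    if HEADER_LEN + MIN_PADDING > len(record):
        raise MalformedHeartbeat("record too short for header and padding")
    msg_type = record[0]
    if msg_type not in (HEARTBEAT_REQUEST, HEARTBEAT_RESPONSE):
        raise MalformedHeartbeat(f"unknown heartbeat type {msg_type}")
    (payload_len,) = struct.unpack("!H", record[1:3])
    if HEADER_LEN + payload_len + MIN_PADDING > len(record):
        raise MalformedHeartbeat(
            f"declared payload {payload_len} does not fit in a {len(record)}-byte record")
    return HeartbeatMessage(msg_type, record[HEADER_LEN:HEADER_LEN + payload_len])


def is_well_formed(record: bytes) -> bool:
    """True when parse_heartbeat accepts the record."""
    try:
        parse_heartbeat(record)
        return True
    except MalformedHeartbeat:
        return False


def build_heartbeat(msg_type: int, payload: bytes, declared_len: Optional[int] = None) -> bytes:
    """Serialize a heartbeat message with 16 zero bytes of padding (constructed
    test data). `declared_len` lets a test misstate the payload length."""
    length = len(payload) if declared_len is None else declared_len
    return struct.pack("!BH", msg_type, length) + payload + b"\x00" * MIN_PADDING


# Constructed samples: an honest 5-byte request and one that declares 40 bytes.
GOOD_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"hello")
LYING_RECORD = build_heartbeat(HEARTBEAT_REQUEST, b"hello", declared_len=40)
# Simulated heap: the lying record followed by unrelated data (a made-up secret).
SIMULATED_MEMORY = LYING_RECORD + b"session-cookie=SECRET123"

if __name__ == "__main__":
    print("checked parser, honest record :", parse_heartbeat(GOOD_RECORD).payload)
    print("checked parser, lying record  :", is_well_formed(LYING_RECORD))
    print("unchecked parser, lying record:", parse_heartbeat_unchecked(SIMULATED_MEMORY, 0).payload)
```

The difference between the two parsers is a single comparison of the attacker-controlled length field against the length of the data actually received. That comparison is what the fixed product versions listed below carry, and it is the check to look for when reviewing any parser of length-prefixed records, not only TLS heartbeats.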

 

Solution

SAP has issued fixes for the following products, which use OpenSSL cryptographic libraries that have been reported as vulnerable to CVE-2014-0160. Install the fixed product versions most appropriate for your production environment. In addition to installing the patch on affected installations, it is recommended to:

  • Revoke compromised certificates and keys
  • Reissue and distribute new certificates and keys
  • Change compromised passwords

The fixed versions are obtained from the Sybase EBFs and Maintenance site:

http://downloads.sybase.com/

Follow the instructions in the EBF cover letter to install the EBF.


Products:

ASE, including ASE Cluster Edition
  Platform: Any Platform
  Feature Enabled: SSL/TLS
  Affected Versions: ASE 15.7 SP60, SP61; ASE 15.7 SP100, SP101, SP102, SP103; ASE 15.7 SP110, SP120, SP121; ASE 16.0
  Fixed Versions: ASE 15.7 SP62; ASE 15.7 SP104; ASE 15.7 SP111, SP122; ASE 16.0 PL01

PowerDesigner Physical Model
  Platform: Any Platform
  Affected Versions: PD Physical Model 16.5 SP03 for ASE 16.0
  Fixed Versions: PD Physical Model 16.5 SP03 PL02 for ASE 16.0 PL01

IQ
  Platform: Any Platform
  Affected Versions: IQ 15.4 ESD4; IQ 16.0 SP02, SP03
  Fixed Versions: IQ 15.4 ESD4 PL2; IQ 16.0 SP04

Replication Server
  Platform: Any Platform
  Feature Enabled: Only if SSL enabled
  Affected Versions: Replication Server 15.7.1 SP100, SP101, SP102, SP110, SP111, SP120; Replication Server 15.7.1 SP200
  Fixed Versions: Replication Server 15.7.1 SP121; Replication Server 15.7.1 SP201

PowerDesigner
  Platform: Any Platform
  Affected Versions: PowerDesigner 16.5 SP02, SP03
  Fixed Versions: PowerDesigner 16.5 SP03 PL02

PowerAMC
  Platform: Any Platform
  Affected Versions: PowerAMC 16.5 SP02, SP03
  Fixed Versions: PowerAMC 16.5 SP03 PL02

SQL Anywhere
  Platform: Any Platform
  Feature Enabled: Database Server (TLS clients, HTTPS web services, HTTPS procedures); MobiLink Server (TLS, HTTPS); Relay Server Outbound Enabler (HTTPS)
  Affected Versions: SQL Anywhere 12.0.1 SP66, SP68, SP69, SP70; SQL Anywhere 16.0 SP6, SP7, SP8, SP9
  Fixed Versions: SQL Anywhere 12.0.1 SP71 (all platforms except Mac OS X, Linux and Windows), SP72 for Windows, SP73 for Mac OS X, SP74 for Linux; SQL Anywhere 16.0 SP11 (all platforms except Mac OS X, Linux and Windows), SP12 for Mac OS X, SP13 for Linux

SQL Anywhere OnDemand
  Platform: Any Platform
  Feature Enabled: Database Server (TLS clients, HTTPS web services, HTTPS procedures)
  Affected Versions: SQL Anywhere OnDemand 1.0 SP4
  Fixed Versions: SQL Anywhere OnDemand 1.0 SP5

Mobile Platform
  Platform: Any Platform
  Feature Enabled: Agentry Server; SMP Runtime Server
  Affected Versions: SMP 2.3 SP00, SP01, SP02, SP03, SP04; SMP 3.0 SP00, SP01, SP02, SP03
  Fixed Versions: SMP 2.3 SP04 PL01; SMP 3.0 SP03 PL01

Mobile Platform SDK
  Platform: Any Platform
  Feature Enabled: Agentry Android Client; Agentry Win32 Client; Agentry WinCE Client; Hybrid Web Container; OData Cache
  Affected Versions: SMP SDK 2.3 SP00, SP01, SP02, SP03, SP04; SMP SDK 3.0 SP00, SP01, SP02, SP03
  Fixed Versions: SMP SDK 2.3 SP04 PL01; SMP SDK 3.0 SP03 PL01

Afaria
  Platform: Any Platform
  Affected Versions: Afaria 7 SP4, including HotFixes 1-4 (HF01-HF04)
  Fixed Versions: Afaria 7 SP4 HotFix 5 (HF05)

Relay Server
  Platform: Any Platform
  Affected Versions: Relay Server
  Fixed Versions: (not listed)

Agentry
  Platform: Windows
  Feature Enabled: Agentry Server; Agentry Android Client; Agentry Win32 Client; Agentry WinCE Client
  Affected Versions: Agentry 6.0
  Fixed Versions: Agentry 6.0.40.1

Software Developer Kit (SDK)
  Platform: Any Platform
  Affected Versions: Software Developer Kit 15.7 ESD#6, ESD#7, SP100, SP101, SP102, SP103, SP110, SP111, SP120, SP121, SP122, SP123, SP124, SP125
  Fixed Versions: Software Developer Kit 15.7 SP126

Open Server
  Platform: Any Platform
  Affected Versions: Open Server 15.7 ESD#6, ESD#7, SP100, SP101, SP102, SP103, SP110, SP111, SP120, SP121, SP122, SP123, SP124, SP125; Open Server 16.0, 16.0 PL01
  Fixed Versions: Open Server 15.7 SP126; Open Server 16.0 PL02

SDK for SAP ASE
  Platform: Any Platform
  Affected Versions: SDK for SAP ASE 15.7 SP122, SP123, SP124, SP125; SDK for SAP ASE 16.0, 16.0 PL01
  Fixed Versions: SDK for SAP ASE 15.7 SP126; SDK for SAP ASE 16.0 PL02

ECDA
  Platform: Any Platform
  Affected Versions: ECDA 15.7, 15.7 SP01
  Fixed Versions: ECDA 15.7 SP02

Installations that do not use any of the above platform, feature and version combinations are not affected by this vulnerability.

This page will be updated as more information becomes available.

Frequently Asked Questions

Q1. For the heartbleed exploit, must SSL in ASE be enabled?
A1. Yes.

Q2. For the heartbleed exploit, must the version of ASE be one of those listed above?
A2. Yes.

Q3. For the heartbleed exploit, is the ability to login to ASE necessary?
A3.  See the CVSS vector for this vulnerability in the National Vulnerability Database: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0160. From that CVSS vector we can see that authentication is not required to exploit this vulnerability.

Q4.  If the SSL connectivity is within the infrastructure between the webserver and the database, will access to the internal network be required to exploit the heartbleed vulnerability?
A4.  This vulnerability can be exploited by anyone who can access the TLS/SSL port on which the server is listening for incoming connections.

Q5.  What does it take to establish a database connection and hold it long enough to initiate a Heartbeat? Does any login restriction prevent this?
A5.  See the answer to Q3 above. Authentication is not required to exploit this vulnerability.

Q6.  What is the ETA for the patch to be delivered to address this?
A6.  Fixed ASE versions will be posted on the SAP and Sybase websites as fixes become available. SAP security teams are working to make fixes available to customers in an expeditious manner.

Q7.  Is there anything else SAP can tell us about detecting potential cases of the heartbleed exploit?

A7.  For more information on the heartbleed vulnerability, please refer to the heartbleed website at: http://heartbleed.com/.

 

Keywords

Information disclosure, OpenSSL vulnerability, Heartbleed bug, CVE-2014-0160



© Copyright 2010, Sybase Inc.