on 2012 Jul 24 3:12 PM
I'm guessing this urgent email mentions SQL Anywhere because of TDS, but it contains no further information related to SQL Anywhere... so, what's the story here?
Does it have to do with this, from a recent SQL Anywhere EBF readme?
================(Build #3519 - Engineering Case #692216)================ A problem with TDS secure logins has been corrected.
Here is the email...
from: css_ucn@sybase.com
to: Sybase Customer Services & Support <css_ucn@sybase.com>
date: Tue, Jul 24, 2012 at 12:56 PM
subject: Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later, also affecting Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor

July 2012

Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later. This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.

You are receiving this notification because you are, or have been, a designated Sybase Technical Support Contact, with a license for one of the affected products. Attached is a TechNote that describes the problem and solution.

We apologise for any inconvenience this problem may have caused you and your company. We have communicated this problem to you as soon as possible to minimize or eliminate any impact on your business. We would like to encourage each of you to connect periodically to the technical support section of MySybase (http://www.sybase.com/support) for continued updates.

If this email does not display correctly the document can be accessed at http://www.sybase.com/detail?id=1098869

Sybase Customer Service and Support

Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later. This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.

Summary: This notification describes a situation where ASE 15.0.3 and later versions exhibit possible security vulnerabilities as described below. These vulnerabilities are resolved by applying an EBF. Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include ASE, Replication Server, Open Server/SDK, IQ, SQL Anywhere, EAServer, RAP, and Event Stream Processor.

Contents. This document contains the following sections: Customer Alert; Recommendation.

Customer Alert. Sybase is making this announcement proactively. This issue was reported to us by Application Security Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying this issue goes to Martin Rakhmanov.

Recommendations. Corrective Action: Update to the latest EBFs for applicable versions as detailed in the tables below.

Tracking: Sybase is tracking this issue under the following CR#: CR 694511 - Introduce randomization in TDS login protocol (CVSS Rating: 5.5)

Fixed Versions: ASE 15.7 ESD#1 on all platforms contains fixes for the issue noted above. Note that for ASE 15.7, the fix is also included in ASE 15.7 ESD#1 N-Off, ASE 15.7 ESD#2 Refresh 1 and ASE 15.7 ESD#1 Refresh 2. This CR is fixed in the following EBFs according to the affected product.

Fixed Products & Versions

| Product | Version | Notes |
|---|---|---|
| Adaptive Server Enterprise (ASE) | 15.0.3 ESD#4.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) | 15.5 ESD#5.1 | EBF can be used for localized versions |
| Adaptive Server Enterprise (ASE) | 15.7 ESD#1 Refresh 2 | EBF can be used for localized versions |
| Replication Server | 15.2 ESD#3 ONE-Off | EBF can be used for localized versions |
| Replication Server | 15.6 ESD#3 | |
| Replication Server | 15.7.1 | EBF can be used for localized versions |
| RAP – The Trading Edition | R4.1 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| EAServer | 6.3.1 ESD#3 | |
| SDK | 15.7 ESD#1 | |
| SDK | 15.5 ESD#12 | |
| Open Server | 15.7 ESD#1 | |
| Open Server | 15.5 ESD#12 | |
| IQ | 15.4 ESD #1 | |

Downloads: EBFs are obtained from the Sybase EBFs and Maintenance site. http://downloads.sybase.com/ Follow the instructions in the EBF cover letter to install the EBF.

If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website. http://www.sybase.com/contactus/support

Copyright © 2012 Sybase, Inc. All rights reserved.
I believe the equivalent fix for SQL Anywhere is CR #692216, fixed in SQL Anywhere versions 11.0.1.2724 and 12.0.1.3519, and up.
Please see our EBF Website to download the EBF patch: http://downloads.sybase.com/swd/summary.do?baseprod=144&client=ianywhere&timeframe=0
Thanks Breck.
I expected Sybase would inform such a critical event in this forum so we could also inform our users to upgrade to the latest build ASAP.
Not even for a security vulnerability that was fixed a month before v10 went end of life, that's pretty poor isn't it ?
Yes, this is correct that TDS connections are accepted by default - if you use TCP/IP communications but do not support jConnect or Open Client connections, you can ensure that you are not affected by this issue by using -x tcpip(TDS=NO): http://dcx.sybase.com/index.html#1201/en/dbadmin/tds-conparm.html
However, the issue affects TDS secure logins specifically, so if you do not have any TDS connections making logins, you will also not be exposed to this bug and yes, you would not have to apply the EBF for this use-case.
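As an added example (not code from the thread, from Sybase, or from the SQL Anywhere product), the following Python script encodes the exposure rules stated above so that a fleet inventory can be checked in one pass: a server is exposed only if its listener still accepts TDS, TDS secure logins are actually in use, and its build predates the fix. The fixed builds 11.0.1.2724 and 12.0.1.3519 are taken from the answer earlier in the thread; treating branches newer than 12.0.1 as fixed, the parsing of the `-x` switch value, and the sample inventory are my own assumptions and constructed data.

```python
"""Exposure check for SQL Anywhere servers against the TDS secure-login fix
(CR #692216 as cited in the thread). Added example; not Sybase code.

Rules encoded from the thread:
  * fixed builds: 11.0.1.2724 and 12.0.1.3519, and later builds on those branches
  * earlier branches (e.g. v10) never received the fix
  * TDS is accepted by default on a TCP/IP listener unless -x tcpip(TDS=NO) is used
  * a server with no TDS secure logins is not exposed even when unpatched
"""
import re

# Branch -> first fixed build number (values from the thread).
FIXED_BUILDS = {
    (11, 0, 1): 2724,
    (12, 0, 1): 3519,
}


def parse_version(text):
    """Split 'major.minor.patch.build' into a tuple of ints."""
    m = re.fullmatch(r"\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*", text)
    if not m:
        raise ValueError(f"unrecognised SQL Anywhere version: {text!r}")
    return tuple(int(x) for x in m.groups())


def has_fix(version):
    """True if this build carries the TDS secure-login fix."""
    major, minor, patch, build = parse_version(version)
    branch = (major, minor, patch)
    if branch in FIXED_BUILDS:
        return build >= FIXED_BUILDS[branch]
    # Assumption: branches newer than 12.0.1 shipped with the fix;
    # anything older (12.0.0, 11.0.0, v10 and below) did not.
    return branch > max(FIXED_BUILDS)


def _parse_options(opts):
    """'port=2638;TDS=NO' -> {'port': '2638', 'tds': 'no'} (keys/values lower-cased)."""
    settings = {}
    for item in opts.split(";"):
        item = item.strip()
        if not item:
            continue
        key, _, value = item.partition("=")
        settings[key.strip().lower()] = value.strip().lower()
    return settings


def tds_enabled(x_switch):
    """Given the value of the server's -x switch (e.g. 'tcpip(TDS=NO)'),
    report whether a TCP/IP listener will still accept TDS connections.
    Assumption: only the 'none', 'all' and 'tcpip(...)' forms are
    interpreted; other protocol names are treated as carrying no TDS."""
    text = x_switch.strip()
    if text.lower() == "none":
        return False
    for proto, opts in re.findall(r"(\w+)(?:\(([^)]*)\))?", text):
        if proto.lower() in ("tcpip", "all"):
            # TDS defaults to YES; only an explicit TDS=NO turns it off.
            return _parse_options(opts).get("tds", "yes") != "no"
    return False


def assess(version, x_switch, tds_logins_in_use=True):
    """Combine the three checks into one verdict string."""
    if not tds_enabled(x_switch):
        return "not exposed: TDS disabled on the listener"
    if not tds_logins_in_use:
        return "not exposed: no TDS secure logins"
    if has_fix(version):
        return "patched"
    return "EXPOSED: apply the EBF or disable TDS"


if __name__ == "__main__":
    # Constructed sample inventory: (host, version, -x value, TDS logins in use?)
    inventory = [
        ("db-a", "12.0.1.3519", "tcpip", True),
        ("db-b", "10.0.1.4310", "tcpip(port=2638;TDS=NO)", True),
        ("db-c", "11.0.1.2700", "tcpip", True),
    ]
    for host, ver, x, logins in inventory:
        print(f"{host}: {assess(ver, x, logins)}")
```

The version and `-x` values would normally be collected from each server's startup command line or service definition; the point of keeping `tds_enabled` separate from `has_fix` is that a v10 server, which can never be patched, still gets a clean verdict once TDS is switched off on its listener.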
So just to be clear, the only way we'll ever be able to secure v10 databases is to never use jConnect or Open client after stopping them all and adding that to the start-up ?
Can anyone from Sybase confirm this officially ?
I second that question, and also ask that one:
What exactly is a "TDS secure login", and can I use a TDS connection without a secure login? - If the latter is true (and also the default - which I guess), then for these connections no (additional) security problem has been noticed, and why should one worry then?
AFAIK, a secure login would require the use of jConnect's ENCRYPT_PASSWORD connection property - but I'm not sure...