-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

===========================================================================
             AUSCERT Security Bulletin

                          ASB-2013.0004
    Urgent from Sybase: Security vulnerabilities in Adaptive Server
                          Enterprise (ASE)
                          10 January 2013

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Sybase Adaptive Server Enterprise
Operating System:     HP-UX
                      Linux variants
                      AIX
                      Windows
                      Solaris
Impact/Access:        Execute Arbitrary Code/Commands -- Unknown/Unspecified
                      Increased Privileges            -- Existing Account
                      Overwrite Arbitrary Files       -- Unknown/Unspecified
                      Denial of Service               -- Unknown/Unspecified
                      Unauthorised Access             -- Unknown/Unspecified
Resolution:           Patch/Upgrade

Member content until: Saturday, February  9 2013

OVERVIEW

        Vulnerabilities have been identified and fixed in Sybase Adaptive
        Server Enterprise.

IMPACT

        From the Sybase website:

        "Sybase is making this announcement proactively. These security
        vulnerabilities were reported to us by Application Security Inc.
        There have been no reported exploits of these vulnerabilities, and
        to date it has not been reported by a Sybase customer. Sybase, Inc.
        appreciates the efforts of Application Security Inc. to continually
        strengthen software throughout the industry by monitoring and
        testing. Specific credit for identifying this issue goes to Martin
        Rakhmanov, and Esteban Martinez Fayo.
        Sybase is tracking these issues under the following CRs:

        CR#     CVSS  Issue                                      Affected Versions
        ------  ----  -----------------------------------------  -----------------
        719878  8.3   Elevated roles with creating proxy tables  All releases
        720247  6.0   Elevated roles involving the ASE plugin    All releases
                      for Sybase Central and create table
        696415  6.4   Elevated roles through SQL injection       All releases
        726532  4.9   Information disclosure through             15.0.3 and later
                      installation log files on Windows
                      platforms
        711707  2.2   Arbitrary code execution via stack         15.7 and later
                      overflow
        712467  5.9   Denial of service on Windows               All releases
        712855  7.7   Arbitrary code execution via stack         All releases
                      overflow
        722639  6.5   Server side file corruption                15.5 and later
        719733  1.6   Arbitrary code execution through Java      15.0.3 and later
                      in ASE" [1]

MITIGATION

        From the Sybase website:

        "These issues are resolved by applying an ESD. Sybase recommends
        that customers update their installations as soon as possible. The
        ESDs are available for all versions of ASE for which customers have
        a valid support contract from the EBFs Download Area of the Sybase
        website." [1]

REFERENCES

        [1] Urgent from Sybase: Security vulnerabilities in Adaptive Server
            Enterprise (ASE)
            http://www.sybase.com/detail?id=1099305

AusCERT has made every effort to ensure that the information contained in
this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision
to follow or act on information or advice contained in this security
bulletin is the responsibility of each user or organisation, and should be
considered in accordance with your organisation's site policies and
procedures. AusCERT takes no responsibility for consequences which may arise
from following or acting on information or advice contained in this
security bulletin.
===========================================================================
        Australian Computer Emergency Response Team
        The University of Queensland
        Brisbane
        Qld 4072

        Internet Email: auscert@auscert.org.au
        Facsimile:      (07) 3365 7031
        Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                        AusCERT personnel answer during Queensland business
                        hours which are GMT+10:00 (AEST).
                        On call after hours for member emergencies only.
===========================================================================
-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

-----END PGP SIGNATURE-----