Not the best week Sybase ever had

    By: Mr. Adrian Bridgwater on Nov 01, 2012

    Sybase isn’t having a good week.

    Former CEO John Chen has left the building (and the company)… and now the firm has had to issue a new batch of patches to cover over previous fixes to the Adaptive Server Enterprise enterprise-class relational model database. 

    Initial Security updates were issued in July of this year.

    The Sybase website itself details the vulnerabilities as follows:

    Urgent from Sybase: Security vulnerabilities in ASE 15.0.3 and later. Plus potential hang and data loss issue.

    Summary: This notification describes a situation where ASE 15.0.3 and later versions exhibit possible security vulnerabilities. It also describes a situation where ASE can potentially hang or suffer from data consistency issues. All of these issues are resolved by applying an EBF. Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website.


    A good proportion of these bugs are in fact privilege escalation issues, but there are also others that could allow attackers to execute arbitrary code.

    Bugs CR #694649 has a whopping severity rating of 8.3 on scale of 1 to 10.

    Sybase CTO of application security Josh Shaul has blogged to say the following…

    “For the other 10 issues, Sybase made unsuccessful fixes. With very minor modifications to the original proof of concept code TeamSHATTER sent to Sybase in our initial vulnerability report, the exploits still work."

    Shaul continued, "It appears that Sybase blocked the specific exploit code we submitted without fixing the underlying vulnerability, and then performed insufficient testing and code review to notice the problem before shipping the patches and publicly disclosing the vulnerability information.”

    Parent company SAP had its own statement to issue in response to this vulnerability which reads as follows…

    "SAP takes very seriously any security vulnerability issues from its products."

    "Customers will be notified immediately about the vulnerabilities that exist in the various in-market releases of SAP Sybase ASE. It should be noted that the vulnerabilities are protected against any attacks from non-authenticated logins. Currently, there are no reported cases of attacks on these vulnerabilities in SAP Sybase ASE installations at customer sites."



    Released: November 1, 2012, 6:40 am | Updated: March 22, 2014, 3:27 pm
    Keywords: ASE News | ASE | Security




    Copyright © 2014 ISUG-TECH. All Rights Reserved
    All material, files, logos and trademarks within this site are copyright their respective organizations

    Terms of Service - Privacy Policy - Contact the Help Desk