I'm guessing this urgent email mentions SQL Anywhere because of TDS, but it contains no further information related to SQL Anywhere... so, what's the story here? Does it have to do with this, from a recent SQL Anywhere EBF readme?

================(Build #3519 - Engineering Case #692216)================
A problem with TDS secure logins has been corrected.

Here is the email...

from: css_ucn@sybase.com
to: Sybase Customer Services & Support <css_ucn@sybase.com>
date: Tue, Jul 24, 2012 at 12:56 PM
subject: Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later, also affecting Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor

July 2012

Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later. This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.

You are receiving this notification because you are, or have been, a designated Sybase Technical Support Contact, with a license for one of the affected products. Attached is a TechNote that describes the problem and solution.

We apologise for any inconvenience this problem may have caused you and your company. We have communicated this problem to you as soon as possible to minimize or eliminate any impact on your business.

We would like to encourage each of you to connect periodically to the technical support section of MySybase (http://www.sybase.com/support) for continued updates.

If this email does not display correctly the document can be accessed at http://www.sybase.com/detail?id=1098869

Sybase Customer Service and Support

Urgent from Sybase: Security vulnerability ASE 15.0.3 and Later. This also affects Replication Server, OpenServer/SDK, IQ, SQL Anywhere, EA Server, RAP, and Event Stream Processor.

Summary: This notification describes a situation where ASE 15.0.3 and later versions exhibit possible security vulnerabilities as described below. These vulnerabilities are resolved by applying an EBF.
Sybase recommends that customers update their installations as soon as possible. The EBFs are available from the EBFs Download Area of the Sybase website. This also affects those products that include ASE, Replication Server, Open Server/SDK, IQ, SQL Anywhere, EAServer, RAP, and Event Stream Processor.

Contents
This document contains the following sections:
- Customer Alert
- Recommendation

Customer Alert
Sybase is making this announcement proactively. This issue was reported to us by Application Security Inc. There have been no reported exploits of this vulnerability, and to date it has not been reported by a Sybase customer. Sybase, Inc. appreciates the efforts of Application Security Inc. to continually strengthen software throughout the industry by monitoring and testing. Specific credit for identifying this issue goes to Martin Rakhmanov.

Recommendations
Corrective Action: Update to the latest EBFs for applicable versions as detailed in tables below.

Tracking: Sybase is tracking this issue under the following CR#:
CR 694511 - Introduce randomization in TDS login protocol (CVSS Rating: 5.5)

Fixed Versions: ASE 15.7 ESD#1 on all platforms contains fixes for the issue noted above. Note that for ASE 15.7, the fix is also included in ASE 15.7 ESD#1 N-Off, ASE 15.7 ESD#2 Refresh 1 and ASE 15.7 ESD#1 Refresh 2. This CR is fixed in the following EBFs according to the affected product.
Fixed Products & Versions

| Product                          | Version              | Notes                                                                        |
|----------------------------------|----------------------|------------------------------------------------------------------------------|
| Adaptive Server Enterprise (ASE) | 15.0.3 ESD#4.1       | EBF can be used for localized versions                                       |
| Adaptive Server Enterprise (ASE) | 15.5 ESD#5.1         | EBF can be used for localized versions                                       |
| Adaptive Server Enterprise (ASE) | 15.7 ESD#1 Refresh 2 | EBF can be used for localized versions                                       |
| Replication Server               | 15.2 ESD#3 ONE-Off   | EBF can be used for localized versions                                       |
| Replication Server               | 15.6 ESD#3           |                                                                              |
| Replication Server               | 15.7.1               | EBF can be used for localized versions                                       |
| RAP – The Trading Edition        | R4.1                 | Applicable ASE ESD will be needed only if using Monitor Server or Backup Server |
| EAServer                         | 6.3.1 ESD#3          |                                                                              |
| SDK                              | 15.7 ESD#1           |                                                                              |
| SDK                              | 15.5 ESD#12          |                                                                              |
| Open Server                      | 15.7 ESD#1           |                                                                              |
| Open Server                      | 15.5 ESD#12          |                                                                              |
| IQ                               | 15.4 ESD #1          |                                                                              |

Downloads
EBFs are obtained from the Sybase EBFs and Maintenance site: http://downloads.sybase.com/
Follow the instructions in the EBF cover letter to install the EBF.

If you require further assistance please contact your local support center. The contact numbers can be found in the About Support section under Support & Services at the www.sybase.com website. http://www.sybase.com/contactus/support

Copyright © 2012 Sybase, Inc. All rights reserved.
I believe the equivalent fix for SQL Anywhere is CR #692216, fixed in SQL Anywhere versions 11.0.1.2724 and 12.0.1.3519, and up. Please see our EBF Website to download the EBF patch: http://downloads.sybase.com/swd/summary.do?baseprod=144&client=ianywhere&timeframe=0

Probably a silly question, but does that mean it doesn't affect v10?
(24 Jul '12, 15:41)
Daz Liquid
Not a silly question. The answer is yes, the issue does affect v10 and earlier SA versions (that supported TDS) but since these versions are EOL'ed there are no updates for them.
(24 Jul '12, 16:09)
Mark Culp
Thanks Breck.
(24 Jul '12, 21:06)
Derli Marcochi
Not even for a security vulnerability that was fixed a month before v10 went end of life? That's pretty poor, isn't it?
(25 Jul '12, 04:03)
Daz Liquid
To clarify, if we don't use OpenClient or jConnect, then we don't have to apply the EBF, right?
(25 Jul '12, 11:22)
Seth_Krieger
Correct. The issue only affected TDS connections.
(25 Jul '12, 11:24)
Mark Culp
I thought TDS was enabled by default and you had to use TDS=NO to disable it, but I'm sure someone will clarify that.
(25 Jul '12, 11:24)
Daz Liquid
Yes, this is correct that TDS connections are accepted by default - if you use TCP/IP communications but do not support jConnect or Open Client connections, you can ensure that you are not affected by this issue by using http://dcx.sybase.com/index.html#1201/en/dbadmin/tds-conparm.html However, the issue affects TDS secure logins specifically, so if you do not have any TDS connections making logins, you will also not be exposed to this bug and yes, you would not have to apply the EBF for this use-case.
(25 Jul '12, 11:29)
Jeff Albion
So just to be clear, the only way we'll ever be able to secure v10 databases is to never use jConnect or Open Client after stopping them all and adding that to the start-up?
(25 Jul '12, 11:33)
Daz Liquid
It does look that way from the docs, so in the words of Dr. Venkman, "OK. Important safety tip." We'll advise our customers to add TDS=NO to the tcpip parameters in their server startup command.
(25 Jul '12, 11:38)
Seth_Krieger
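As an added audit helper (not from the thread, Sybase, or the SQL Anywhere docs), the following POSIX shell check reads a SQL Anywhere server command line and reports whether TDS has been switched off in the tcpip parameters, which is the mitigation Jeff and Seth describe above. It assumes the documented `-x tcpip(...)` option syntax and treats a command line with no `TDS=NO` as "TDS still accepted", matching the default behaviour stated in the thread.

```shell
#!/bin/sh
# Added audit helper (not Sybase's or the forum's code): given a SQL Anywhere
# server command line (e.g. from ps output or a service definition), decide
# whether TDS logins have been disabled via -x "tcpip(...;TDS=NO)".
# Assumption: the -x option uses the documented tcpip(param=value;...) form.

# Print the parameter list inside tcpip(...), lower-cased and with spaces
# removed; prints nothing when the command line has no tcpip(...) clause.
tcpip_params() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' | tr -d ' ' \
        | sed -n 's/.*tcpip(\([^)]*\)).*/\1/p'
}

# Return 0 (true) only when TDS=NO appears among the tcpip parameters.
# A missing tcpip(...) clause or a missing TDS parameter is reported as
# "not disabled", because TDS connections are accepted by default.
tds_disabled() {
    params=$(tcpip_params "$1")
    case ";$params;" in
        *";tds=no;"*) return 0 ;;
        *)            return 1 ;;
    esac
}

# Constructed sample command lines (not real servers) to audit.
for cmd in 'dbsrv12 -x "tcpip(port=2638;TDS=NO)" sales.db' \
           'dbsrv10 -x tcpip sales.db' \
           'dbsrv11 sales.db'; do
    if tds_disabled "$cmd"; then
        echo "ok   (TDS=NO present): $cmd"
    else
        echo "FIX  (TDS accepted)  : $cmd"
    fi
done
```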
I second that question, and also ask that one: What exactly is a "TDS secure login", and can I use a TDS connection without a secure login? - If the latter is true (and also the default - which I guess), then for these connections no (additional) security problem has been noticed, and why should one worry then? AFAIK, a secure login would require the use of jConnect's ENCRYPT_PASSWORD connection property - but I'm not
(07 Aug '12, 07:01)
Volker Barth