Sybase Adaptive Server Enterprise Security Patches Fail to Fix Flaws
Sybase has a new round of patches on the way to replace updates to its Adaptive Server Enterprise product that did not fully fix 10 vulnerabilities.

Several security fixes issued in July by Sybase failed to fully address vulnerabilities in versions of its flagship Adaptive Server Enterprise (ASE) product. The vulnerabilities affect versions 15.0.3 and later. According to database security firm Application Security, just two of the 12 flaws the company reported to Sybase earlier this year have actually been fixed. Many of the bugs are privilege escalation issues, while others allow attackers to execute arbitrary code. The most serious of the bugs, CR #694649, has a severity rating of 8.3 on a 10.0 scale.

"The two that were properly fixed are CRs 689823 and 691642," explained Josh Shaul, CTO of Application Security, in a blog post. "For the other 10 issues, Sybase made unsuccessful fixes. With very minor modifications to the original proof of concept code [Application Security's TEAMSHATTER] sent to Sybase in our initial vulnerability report, the exploits still work. It appears that Sybase blocked the specific exploit code we submitted without fixing the underlying vulnerability, and then performed insufficient testing and code review to notice the problem before shipping the patches and publicly disclosing the vulnerability information."

In a follow-up interview, Shaul said that all the vulnerabilities yield full control of ASE. So far, the firm has no evidence either way about whether the vulnerabilities are being actively exploited.
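The failure mode Shaul describes, a patch that rejects the exact proof-of-concept payload while leaving the underlying bug in place, is easy to reproduce in miniature. The following is an added illustration written for this article; it is a constructed toy and is not Sybase ASE code, does not model any of the reported CRs, and invents a hypothetical "load config file" feature with a path traversal flaw purely to show why regression-testing a fix against only the submitted PoC is insufficient. Three handlers are compared: the original flaw, a symptom-level fix that blocks the reported string, and a root-cause fix that enforces the invariant (the resolved path must stay inside the configuration directory). A handful of trivially mutated PoC variants, constructed here, are then replayed against all three.

```python
import posixpath

# Hypothetical server-side config directory (assumption for this example).
BASE = "/opt/dbserver/config"

# The single payload "submitted in the vulnerability report" (constructed).
REPORTED_POC = "../../../etc/passwd"

# Minor mutations of the same PoC, the kind a retest should include (constructed).
VARIANTS = [
    REPORTED_POC,
    "..//..//..//etc/passwd",          # doubled separators
    "./../../../etc/passwd",           # leading current-dir component
    "../../../etc/./passwd",           # embedded current-dir component
    "../../../../../../etc/passwd",    # extra parent components, collapse at root
]


def _resolve(name):
    """Join a user-supplied name to BASE and normalise it (no filesystem access)."""
    return posixpath.normpath(posixpath.join(BASE, name))


def _inside_base(path):
    return path == BASE or path.startswith(BASE + "/")


def load_vulnerable(name):
    """Original flaw: user-controlled path is joined to BASE with no containment check."""
    return _resolve(name)


def load_poc_blocked(name):
    """Symptom fix: rejects only the literal payload from the report.

    Any variant that normalises to the same target still gets through.
    """
    if name == REPORTED_POC:
        raise PermissionError("blocked payload")
    return _resolve(name)


def load_fixed(name):
    """Root-cause fix: resolve first, then require the result to remain under BASE."""
    target = _resolve(name)
    if not _inside_base(target):
        raise PermissionError("path escapes config directory")
    return target


def escapes(handler, name):
    """True if the handler would serve a file outside BASE for this input."""
    try:
        target = handler(name)
    except PermissionError:
        return False
    return not _inside_base(target)


def regression_results(variants=VARIANTS):
    """Count how many PoC variants still succeed against each handler."""
    handlers = {
        "vulnerable": load_vulnerable,
        "poc_blocked": load_poc_blocked,
        "fixed": load_fixed,
    }
    return {label: sum(escapes(h, v) for v in variants) for label, h in handlers.items()}


if __name__ == "__main__":
    for label, count in regression_results().items():
        print(f"{label:12s} {count}/{len(VARIANTS)} variants still escape")
```

The point of the harness is the middle row: a fix validated only with the exact reported input passes that one test and fails every mutation, which is precisely the outcome described above. A proper retest enumerates the invariant the bug violates (here, containment under `BASE`) and asserts it across a family of inputs, not just the one the reporter happened to send.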
In a statement, Sybase, which was acquired by SAP in 2010, acknowledged the situation and said a new round of fixes is expected to be ready within six weeks.