=====================================================================
CERT-Renater Information Note No. 2013/VULN247
_____________________________________________________________________
DATE                 : 19/06/2013
HARDWARE PLATFORM(S) : /
OPERATING SYSTEM(S)  : Systems running EAServer 6.3.1 prior to 6.3.1 SP01 PL07,
                       or EAServer 6.2 prior to 6.2 SP01 PL06.
======================================================================
http://www.sybase.com/detail?id=1099353
______________________________________________________________________

Urgent from SAP & Sybase: Possible security vulnerabilities in EAServer 6.3.1 and 6.2

Summary:

This document describes three situations where SAP EAServer 6.3.1 and 6.2 exhibit possible security vulnerabilities. The first vulnerability could allow an attacker to access all deployed applications in SAP EAServer; the second could allow an attacker to list all directories and display arbitrary files on the affected system; the third could allow an attacker to retrieve credentials from configuration files and run OS commands using the WSH service.

These vulnerabilities are resolved by applying an EBF. SAP recommends that customers update their EAServer installation as soon as possible. The EBFs are available from the EBFs Download Area of the SAP website.

Contents

This document contains the following sections:
    Customer Alert
    Recommendation

Customer Alert

These three security vulnerabilities have been identified in SAP EAServer. SAP is making this announcement proactively. These issues were reported to us by an external security researcher. There have been no reported exploits of these vulnerabilities, and to date they have not been reported by a SAP customer. SAP, Inc. appreciates the efforts of the external security researcher to continually strengthen software throughout the industry by monitoring and testing. These are considered vulnerabilities of medium to high severity and risk.
Accessing all deployed applications

This vulnerability could allow an attacker to access all deployed applications in SAP EAServer. This condition can result in accessing and running other applications in SAP EAServer. This is applicable to EAServer versions 6.3.1 and 6.2.

Listing all directories and files

This vulnerability in SAP EAServer could allow an attacker to read arbitrary files on the affected system. This condition can result in information disclosure. This is applicable to EAServer version 6.3.1 only.

WSH service

This vulnerability in SAP EAServer could allow an attacker to retrieve credentials from configuration files and run OS commands. This condition can result in the execution of unauthorized OS commands. This is applicable to EAServer version 6.3.1 only.

Recommendations

Corrective Action

Update to the latest EBFs for version 6.3.1 or 6.2, as detailed in the table below.

Fixed Versions

Versions of EAServer from 6.3.1 SP01 PL07 onward contain the fixes for these three vulnerabilities.
Versions of EAServer from 6.2 SP01 PL06 onward contain the fixes for these three vulnerabilities.

Tracking

SAP is tracking these issues under Messages 220463, 221142 and 221460 and CR#735939. These CRs are fixed in the following EBFs.

  Platform                    6.3.1 EBF#   6.2 EBF#
  Windows (x86) 32-bit        21178        21183
  Sun Solaris (x86) 32-bit    21179        21184
  Linux (x86) 32-bit          21180        21185
  HP-UX (Itanium) 32-bit      21181        21186
  IBM AIX (Power) 32-bit      21182        21187

Customers using SAP EAServer should use the appropriate EBF for their platform from the list above. Customers running an EAServer 6.x version prior to 6.3.1 should first upgrade to EAServer version 6.3.1 ESD#5 and then apply the corresponding EBF above.

Downloads

Whether or not you have already been migrated to SAP Support, you can obtain the EBFs above from the Sybase EBFs and Maintenance site. If you have already been migrated to SAP Support you can also obtain them from the SAP Service Marketplace.
This will only work if you have already received your S-User credentials and are able to log in.

Sybase EBF Download Site - http://downloads.sybase.com/
Sybase Portal on SAP Service Marketplace - http://service.sap.com/sybase/support

Follow the instructions in the EBF cover letter to install the EBF.

If you have not yet been migrated to SAP Support and you require further assistance, please contact your local Sybase Support Center. The contact numbers can be found in the About Support section under Support & Services on the www.sybase.com website.
http://www.sybase.com/contactus/support

If you have already been migrated to SAP Support, please contact the Customer Interaction Centre. Contact details are accessed via the Contact Us box located on the right-hand side of the screen within the Sybase Portal on SAP Service Marketplace.
http://service.sap.com/sybase/support

Copyright 2013 Sybase, Inc. All rights reserved.

DOCUMENT ATTRIBUTES
Last Revised          : Jun 17, 2013
Product               : EAServer
Business or Technical : Technical
Content Id            : 1099353
Infotype              : Urgent Notice
======================================================================

==========================================================
CERT-Renater reference server
https://services.renater.fr/ssi/
==========================================================
+ CERT-RENATER         | tel  : 01-53-94-20-44          +
+ 23 - 25 Rue Daviel   | fax  : 01-53-94-20-41          +
+ 75013 Paris          | email: cert@support.renater.fr +
==========================================================