Advisory
On 08.09.2015 SAP SE released a security-relevant correction. The manufacturer resolves an issue within the Sybase platform.
SAP Note 2201710 addresses "Fixing Logjam and Alternative chains certificate forgery vulnerabilities in multiple SAP Sybase products" to prevent certificate spoofing, rated at a medium risk of exploitation.
According to the SAP Security Advisory team, no workaround exists; the team suggests implementing the correction as part of maintenance.
Risk specification
An unauthenticated attacker could downgrade vulnerable TLS connections or cause certain checks on untrusted certificates to be bypassed, such as the CA flag, enabling them to use a valid leaf certificate to act as a CA and "issue" an invalid certificate. This may lead to successful certificate spoofing, where the attacker may impersonate users or servers.
Solution
The fixes ensure that no connection downgrading can occur and that all certificate checks are properly enforced.
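The CA-flag check that the risk specification refers to, as an added example in Go that is not part of the SAP note or of any Sybase product: it builds a constructed root, a non-CA server certificate and a certificate "issued" by that server certificate, then shows that enforcing the basic-constraints CA flag on every issuer rejects the forged chain while accepting the legitimate one. All names (Test Root CA, db.example.test, victim.example.test) are constructed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)
// mkCert builds a throwaway test certificate (constructed, not real PKI data); parent == nil means self-signed, otherwise it is signed by parentKey even if parent is not a CA.
func mkCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true, // basic constraints extension present, so IsCA is explicit
		IsCA:                  isCA,
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}
// CheckIssuerCAFlags takes a chain ordered leaf first and rejects it when any certificate that signs the one before it lacks the CA flag: the check the advisory says could be bypassed.
func CheckIssuerCAFlags(chain []*x509.Certificate) error {
	for i := 1; i < len(chain); i++ {
		if c := chain[i]; !c.BasicConstraintsValid || !c.IsCA {
			return fmt.Errorf("%q signs %q but is not a CA", c.Subject.CommonName, chain[i-1].Subject.CommonName)
		}
	}
	return nil
}
// ForgedChainRejected builds root -> server leaf -> cert "issued" by that leaf and reports whether the check rejects the forged chain but still accepts the legitimate leaf -> root chain.
func ForgedChainRejected() bool {
	root, rootKey := mkCert("Test Root CA", true, nil, nil)
	leaf, leafKey := mkCert("db.example.test", false, root, rootKey)
	forged, _ := mkCert("victim.example.test", false, leaf, leafKey)
	return CheckIssuerCAFlags([]*x509.Certificate{forged, leaf, root}) != nil && CheckIssuerCAFlags([]*x509.Certificate{leaf, root}) == nil
}

func main() { fmt.Println("forged chain rejected:", ForgedChainRejected()) }
```

Go's own x509.Verify performs the same CA-flag check on intermediates; the explicit function here makes visible what a TLS stack that skips it would accept.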
The advisory is valid for
- SBOP DS JOB SERVER 4.2 2
- SYBASE REPLICATION SERVER 15.7.1 2
- SIQ 15.4
- SIQ 16.0 2
- SY_ESP_SERVER 5.1 2
- SYBASE_ESP_ADAPTER_FOR_F.I.X. 5.1 2
- SYBASE_ESP_ADAP_FOR_OPEN_ADAP 5.1 2
- SYBASE_SQL_ANYWHERE_SERVER SQL_12.0
- SYBASE_SQL_ANYWHERE_SERVER SQL_16.0 2
- SYBASE_SQL_ANYWHERE_SERVER 17.0 6
- SYBASE_ESP_STUDIO 5.1 2
- SY_ESP_ADAPTER_NYSE_TECH_MAMA 5.1 2
- SY_ESP_ADAP_TIBCO_RENDEZVOUS 5.1 2
- SY_ESP_ADAPTER_ADOBE_FLEX 5.1 2
- SY_ESP_ADAP_HTTP_OUTBOUND 5.1 2
- SY_ESP_ADAP_LOG_FILE_INPUT 5.1 2
- SY_ESP_ADD_IN_MICROSOFT_EXCEL 5.1 2
- SY_ESP_ADAP_SL_RTVIEW 5.1 2
- SYBASE_ASE_SERVER 15.7 7
- SYBASE_ASE_SERVER 16.0 13
- SYB_ECDA_ODBC_SRVR 15.7
- SYB_ECDA_ORACLE_SRVR 15.7
- SAP_MOBILE_SDK 2.3
- SYBASE POWERBUILDER .NET 12.6
- SYBASE_POWERBUILDER_.CLASSIC 12.6
- SYBASE_SOFTWARE_DEVELOPER_KIT 16.0
- SYBASE_SOFTWARE_DEVELOPER_KIT 15.7
- SYBASE_OPEN_SERVER 16.0
- SYBASE_OPEN_SERVER 15.7
- SYBASE_OPENSWITCH 15.1
- SMART_DATA_STREAM 1.0
- COMPLEX ASSEMBLY MANUF. SOL. 72
- SYCLO 332_700