Advisory
On 13.08.2024 SAP SE released a security-relevant correction. The manufacturer resolves an issue within the Sybase platform.
SAP Note 3495876 addresses "[Multiple CVEs] Multiple vulnerabilities in SAP Replication Server (FOSS)"; the note corrects a weak security function / cryptographic algorithm issue rated as a medium risk for exploitation.
According to the SAP Security Advisory team, no workaround exists; the team suggests implementing the correction as part of regular maintenance.
Risk specification
SAP Replication Server allows an authenticated attacker to leverage a vulnerability during the installation to exploit the system, leading to possible system compromise.
Solution
The vulnerable versions of these libraries are upgraded to OpenSSL 1.1.1w and Spring Framework 5.3.31 in the product versions below:
- SAP Replication Server 16.0 SP04 PL06
- SAP Replication Server 16.0 SP03 PL15
Install one of the fixed SAP Replication Server versions above if you are using an affected product version. Note that the installer will not remove the previously installed versions of the libraries; customers need to clean up/delete the older library files manually. The following folder and files can be safely removed after the upgrade:
- Folder: $SYBASE/REP-16_0/lib3p64/openssl (redundant folder)
- Files: $SYBASE/RMA-16_0/libs/spring/spring-*.jar (versions lower than 5.3.31)
- File: $SYBASE/REP-16_0/ASA17/OCS/OCS-16_0/bin/openssl (redundant file if the version is upgraded to SAP Replication Server 16.0 SP04 PL06)
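As an added example (not SAP's tooling), a POSIX shell helper that applies the manual cleanup the note describes: it locates the redundant OpenSSL folder and binary and any Spring jar below 5.3.31 under $SYBASE, lists them as a dry run by default and deletes only when DO_DELETE=1. The paths and the 5.3.31 threshold are those named in the note; the --scan flag, the DO_DELETE variable and the SP04PL06/SP03PL15 target labels are assumptions of this script.

```shell
#!/bin/sh
# Post-upgrade cleanup helper for the leftover OpenSSL and Spring files that
# SAP Note 3495876 says the installer does not remove. Added example, not SAP
# tooling. Dry run by default; set DO_DELETE=1 to actually delete.
SPRING_MIN="5.3.31"   # Spring Framework version shipped with the fixed releases

# version_lt A B: succeed when dotted version A is numerically lower than B.
version_lt() {
    i=1
    while [ "$i" -le 3 ]; do
        f1=$(printf '%s\n' "$1" | cut -d. -f"$i"); f2=$(printf '%s\n' "$2" | cut -d. -f"$i")
        f1=${f1:-0}; f2=${f2:-0}                      # missing field counts as 0
        [ "$f1" -lt "$f2" ] && return 0
        [ "$f1" -gt "$f2" ] && return 1
        i=$((i + 1))
    done
    return 1                                          # versions are equal
}

# spring_jar_version PATH: spring-core-5.3.20.jar -> 5.3.20 (empty if unparsable).
spring_jar_version() {
    basename "$1" | sed -n 's/^spring-[A-Za-z-]*-\([0-9][0-9]*\.[0-9][0-9]*\.[0-9][0-9]*\).*$/\1/p'
}

# find_leftovers ROOT TARGET: print the paths the note lists as safe to remove under
# ROOT ($SYBASE). The OCS openssl binary is only redundant once on SP04 PL06 (assumed label).
find_leftovers() {
    root=$1; target=$2
    d="$root/REP-16_0/lib3p64/openssl"
    [ -d "$d" ] && printf '%s\n' "$d"
    f="$root/REP-16_0/ASA17/OCS/OCS-16_0/bin/openssl"
    [ "$target" = "SP04PL06" ] && [ -f "$f" ] && printf '%s\n' "$f"
    for jar in "$root"/RMA-16_0/libs/spring/spring-*.jar; do
        [ -f "$jar" ] || continue                     # glob matched nothing
        v=$(spring_jar_version "$jar")
        [ -n "$v" ] || continue                       # odd name: leave for manual review
        if version_lt "$v" "$SPRING_MIN"; then printf '%s\n' "$jar"; fi
    done
    return 0
}

# Usage: SYBASE=/opt/sap sh cleanup.sh --scan SP04PL06   (DO_DELETE=1 to remove)
if [ "${1:-}" = "--scan" ]; then
    find_leftovers "${SYBASE:?set SYBASE to the install root}" "${2:-SP03PL15}" |
    while IFS= read -r p; do
        if [ "${DO_DELETE:-0}" = 1 ]; then rm -rf -- "$p" && echo "removed $p"
        else echo "candidate: $p"; fi
    done
fi
```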
The advisory is valid for
- SYBASE REPLICATION SERVER 16.0 2
- SYBASE REPLICATION SERVER 16.0.3 2
- SYBASE REPLICATION SERVER 16.0.4 2