Database Technology TrendsSecuritySybase

SAP Patches Login Security Flaw in ASE Database

By April 26, 2015 No Comments

First released by Jeremy Kirk, IDG News Service.

This message is for all our clients and everybody else who is running () ASE. According to this message, there is a flaw in the that would allow attackers to take complete .

As per Jeremy’s post:

“SAP patched a flaw on Thursday (4/23/15) that could allow an attacker to take complete control over a database, according to security vendor .

The flaw (CVE-2014-6284) affects SAP’s Enterprise (ASE), a relational database for Unix, Linux and Windows systems, designed for high volumes of data-rich transactions. Vulnerable versions are 12.5, 15, 15.5, 15.7 and 16.”

 

Please keep in mind that SAP only patches ASE versions that are not end of life. You can get the SAP message as a SAP client through this security note. It requires SAP login credentials. SAP has patched ASE 15.7 and 16, and the patches are available for immediate download.

 

Trustwave Statement (Trustwave are Internet Security Experts and SSL )

TrustWave’s , a senior security researcher, found an error in the challenge and response mechanism used to access ASE. The account access gained is not a privileged account, but TrustWave said other flaws allow the privileges to be escalated to that of a .

“Combined with such privilege elevation vulnerabilities, this one allows complete takeover of the database server,” TrustWave said in its advisory.

 

Please contact us at 813 322 3240 or contact us to learn more about how we can protect you from this . Time is of the essence, so don’t wait. Initial consultations with us is always free.

 

 

 

 

Leave a Reply

%d bloggers like this: