Enterprise software and services company Sybase has again patched holes in its Adaptive Server Enterprise (ASE) product, fixing a handful of database vulnerabilities that could have allowed an attacker to execute code and bypass security controls on the company's main database server product.
As it has done before, Sybase worked with researchers from TeamSHATTER, the research and development arm of AppSec, a New York City-based database security firm, to address the issues. This time around the vulnerabilities were reported by the company's Technical Leads, Esteban Martinez Fayo and Martin Rakhmanov.
Sybase issued the nine patches for the product on Wednesday via an urgent customer notice.
According to that notice, some of the vulnerabilities in ASE could have allowed a user to "acquire the server's 'SA' password," circumvent Java security, execute arbitrary code, and mount denial of service (DoS) and SQL injection attacks. The patches cover three versions of ASE: 15, 15.5 and 15.7.
“Sybase has worked diligently to fix security flaws in the ASE line, and customers should immediately deploy these patches to ensure systems are not left open to attack,” warned Alex Rothacker, Director of Security Research, AppSecInc’s TeamSHATTER.
Last summer researchers from TeamSHATTER identified a dozen problems with ASE 10.0.3, sending proof-of-concept exploits along with vulnerability details to the SAP-owned Sybase. It was thought that Sybase had properly patched the problems, but in actuality it only fixed two of the 12. In some cases the company was found to have blocked the specific exploit code without fixing the underlying vulnerabilities, leaving them reachable by other means.