
***Update (June 26, 2014):  Here is a complete summary of the affected and patched versions of SQL Anywhere for Heartbleed:

SQL Anywhere 12

Windows/Linux affected versions: SP 66 - SP 71 (12.0.1.3994 - 12.0.1.4109)
Windows/Linux patched versions: SP 74 (12.0.1.4110) and later

UNIX platforms affected versions: SP 66 - SP 70 (12.0.1.3994 - 12.0.1.4085)
UNIX platforms patched versions: SP 71 (12.0.1.4086) and later

MacOS affected versions: SP 67 (12.0.1.3994 - 12.0.1.4105)
MacOS patched versions: SP 73 (12.0.1.4106)

SQL Anywhere 16

Windows affected versions: SP 6 - SP 11 (16.0.1690 - 16.0.1914)
Windows patched versions: SP 14 (16.0.1915)

Linux affected versions: SP 6 - SP 11 (16.0.1690 - 16.0.1910)
Linux patched versions: SP 13 (16.0.1911)

UNIX platforms affected versions: SP 6 - SP 9 (16.0.1690 - 16.0.1880)
UNIX platforms patched versions: SP 11 (16.0.1824)

MacOS affected versions: SP 6 - SP 9 (16.0.1690 - 16.0.1880)
MacOS patched versions: SP 12 (16.0.1894)
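The version table above is easiest to apply to a fleet as a script. The following is an added example (not code from SAP or the SQL Anywhere product): it transcribes the June 26 ranges, compares build numbers numerically, and flags every host whose build is still affected. Platform labels, host names and the sample inventory are constructed for the example.

```python
"""Classify SQL Anywhere builds against the Heartbleed (CVE-2014-0160) version
table above. Ranges are transcribed from the June 26, 2014 summary; platform
labels, host names and the inventory below are constructed for this example."""

# (first affected, last affected, first patched) per (major version, platform)
RANGES = {
    (12, "windows"): ("12.0.1.3994", "12.0.1.4109", "12.0.1.4110"),
    (12, "linux"):   ("12.0.1.3994", "12.0.1.4109", "12.0.1.4110"),
    (12, "unix"):    ("12.0.1.3994", "12.0.1.4085", "12.0.1.4086"),
    (12, "macos"):   ("12.0.1.3994", "12.0.1.4105", "12.0.1.4106"),
    (16, "windows"): ("16.0.1690", "16.0.1914", "16.0.1915"),
    (16, "linux"):   ("16.0.1690", "16.0.1910", "16.0.1911"),
    # As printed on the page the 16.0 UNIX patched build precedes the end of the
    # affected range; the check below treats the affected range as authoritative.
    (16, "unix"):    ("16.0.1690", "16.0.1880", "16.0.1824"),
    (16, "macos"):   ("16.0.1690", "16.0.1880", "16.0.1894"),
}

def parse_build(version):
    """'12.0.1.4109' -> (12, 0, 1, 4109); tuples compare numerically, not lexically."""
    return tuple(int(part) for part in version.strip().split("."))

def heartbleed_status(version, platform):
    """Return 'affected', 'patched', 'pre-heartbleed' or 'unknown' for one build."""
    build = parse_build(version)
    key = (build[0], platform.lower())
    if key not in RANGES:
        return "unknown"          # major version / platform not covered by the table
    low, high, fixed = (parse_build(v) for v in RANGES[key])
    if len(build) != len(low):
        raise ValueError(f"{version!r}: expected a full build number like {RANGES[key][0]}")
    if build < low:
        return "pre-heartbleed"   # ebf predates the vulnerable OpenSSL
    # Conservative on both edges: inside the printed range, or before the first patched build.
    if build <= high or build < fixed:
        return "affected"
    return "patched"

def triage(inventory):
    """inventory: iterable of (host, version, platform) -> hosts still needing the SP."""
    return [(host, ver, plat) for host, ver, plat in inventory
            if heartbleed_status(ver, plat) == "affected"]

# Constructed sample inventory: host names and builds are made up for this example.
SAMPLE_INVENTORY = [
    ("db01", "12.0.1.4100", "linux"),     # inside SP 66 - SP 71 -> affected
    ("db02", "12.0.1.4110", "windows"),   # SP 74 -> patched
    ("sync01", "16.0.1890", "macos"),     # past SP 9 but before SP 12 -> affected
    ("sync02", "16.0.1881", "unix"),      # past the printed affected range -> patched
]
```

Anything reported by `triage` should be scheduled for the matching SP and, per the Resolution section, have its certificates regenerated and TLS/web-service credentials rotated after the upgrade.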


***Update (May 26, 2014):  Further changes were required to fully resolve the security vulnerability known as Heartbleed.

All Linux users concerned about Heartbleed should update to 12.0.1 SP74 (Build 4110) or newer and/or 16.0 SP13 (Build 1911) or newer.

Windows users who use the FIPS option or who are using LDAP authentication should update to 12.0.1 SP72 (Build 4104) or newer and/or 16.0 SP14 (Build 1915) or newer.



***Update (April 21, 2014): A new ebf/SP for SQL Anywhere versions 12 and 16 on Windows and Linux platforms which removes this vulnerability has been posted for download to the SQL Anywhere ebf/SP download site.  Fixes for other platforms will be released after they complete internal testing.

 

SAP takes the security of its products very seriously.  The recent OpenSSL vulnerability known as Heartbleed does impact some users of SQL Anywhere.

Here are the details:

 

Affected Components

  • SQL Anywhere Server – If you use TLS (Transport Layer Security) communications and/or HTTPS web services, they are vulnerable, though only to networks that can reach the server.  Note that calling external web services over HTTPS from the database server is also affected.
  • MobiLink Server – If you use TLS and/or HTTPS communications, they are vulnerable, though only to networks that can reach the MobiLink server.
  • Relay Server Outbound Enabler

 

Affected Versions - note that all platforms are impacted by this issue.

  • SQL Anywhere 12.0.1 ebf 3994-4085
  • SQL Anywhere 16.0 ebf 1690-1823

 

Current Workaround

  • To avoid exposure, revert to an ebf/SP prior to those listed above, or to the GA release.
  • Regenerate any certificates that you were using.
  • Change any passwords/keys associated with SQLA web service calls or TLS authentication.

 

Resolution

  • Linux: Download and apply SQL Anywhere 12.0.1 SP 74/ebf 4110 or newer and/or SQL Anywhere 16.0 SP 13/ebf 1911 or newer, when it becomes available.
  • Windows: Download and apply SQL Anywhere 12.0.1 SP 72/ebf 4104 or newer and/or SQL Anywhere 16.0 SP 14/ebf 1915 or newer, when it becomes available.
  • Regenerate any certificates that you were using.
  • Change any passwords/keys associated with SQLA web service calls or TLS authentication.

 

In addition, here is the text of the latest response (as of this posting) from the SAP security team, released earlier today on service marketplace (http://service.sap.com/securitynotes):

 

Deficiencies in releases of OpenSSL libraries

SAP takes any security-related report very seriously. We will notify our customers appropriately as relevant new information on this topic becomes available.

 

We take the opportunity to remind you to increase the security of your SAP systems by installing the available security patches. For information on SAP’s security notes and patches, please go to the SAP Security Notes page on the SAP Service Marketplace extranet at https://service.sap.com/securitynotes.

 

SAP has received information about security deficiencies in some releases of OpenSSL libraries, used in a number of software products of different vendors. These deficiencies are referred to under the name of the “Heartbleed” vulnerability (CVE-2014-0160, see http://heartbleed.com). SAP security teams are in the process of investigating if products are possibly affected by the reported vulnerability.  At the current state of investigations we have no indications that SAP NetWeaver and SAP HANA are affected.


If there are any further questions, please don't hesitate to contact SAP support.
