EAServer EBF

WARNING! An issue stemming from a bug in the Sun JDK version 1.4.2 on UNIX and Linux platforms can put passwords used in various scenarios at risk of being discovered.

EAServer Manager lets users view connection caches, which contain passwords, in a dialogue box. Under normal circumstances these passwords cannot be seen; however, due to a security issue in Sun’s JDK 1.4.2, a user with guest permission to EAServer Manager can discover the password stored in a connection cache. This password could then be used to gain unauthorized access to a protected database. EAServer 5.2 and 5.3, and products that embed them, are affected by this issue. To exploit this issue with an EAServer connection cache, a user must have a valid login for EAServer Manager. This includes the guest login.

Download and install the appropriate Sybase EBF files listed in Table 1 to address this problem.

Table 1: EBF numbers for EAServer and RTDS

Product     Version    Platform    EAS version    EBF no.
EAServer    5.2        Solaris     N/A            13238
EAServer    5.2        Linux       N/A            13507
EAServer    5.2        AIX         N/A            13508
EAServer    5.2        HP-UX       N/A            13509

To use the messaging services feature of Adaptive Server, you must install EAServer JMS, TIBCO EMS, or IBM MQ on your machine.

For detailed information on the features and functions of messaging services, see the Messaging Services User’s Guide for Adaptive Server Enterprise.