Known Issues for Security

Learn about known issues and apply workarounds for Unwired Platform security.

Issue # | Description
SMPONP-13496
HTTPS port has SSLv3/TLS renegotiation vulnerability

The Sybase Control Center HTTPS port (default value is 8283) is susceptible to the SSLv3/TLS renegotiation vulnerability. The way in which SSL and TLS protocols handle renegotiation requests may allow an attacker to inject plaintext into an application protocol stream, resulting in a situation where the attacker may be able to issue commands to the server that appear to be coming from a legitimate source.

Workaround: Fixed in 2.3 SP04. Upgrade is recommended.
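One way to check the port before and after the upgrade, as an added example that is not part of the original documentation: it classifies what openssl s_client reports about renegotiation. It assumes a fixed server advertises the RFC 5746 secure renegotiation extension (the page does not say how 2.3 SP04 addresses the issue); the host name scc.example.com and the sample outputs are constructed.

```sh
#!/bin/sh
# Added example, not vendor code. Classifies the renegotiation status that
# `openssl s_client` prints for a TLS endpoint.

# classify_reneg: read s_client output on stdin and print one of
#   secure   handshake completed, server advertised RFC 5746 renegotiation
#   legacy   handshake completed, extension not advertised
#   unknown  handshake did not complete, or no status line (e.g. TLS 1.3)
# Assumption: a "legacy" result is a prompt to check the patch level, not
# proof of exploitability.
classify_reneg() {
    out=$(cat)
    case "$out" in
        # s_client can print "IS NOT supported" after a failed handshake too;
        # "Cipher is (NONE)" marks that case, so it is tested first.
        *"Cipher is (NONE)"*)                      echo unknown ;;
        *"Secure Renegotiation IS NOT supported"*) echo legacy ;;
        *"Secure Renegotiation IS supported"*)     echo secure ;;
        *)                                         echo unknown ;;
    esac
}

# check_port HOST [PORT]: live probe; PORT defaults to 8283, the default
# Sybase Control Center HTTPS port.
check_port() {
    openssl s_client -connect "$1:${2:-8283}" </dev/null 2>&1 | classify_reneg
}

# Constructed s_client excerpts (not captured from a real server).
SAMPLE_SECURE='New, TLSv1.2, Cipher is ECDHE-RSA-AES256-GCM-SHA384
Secure Renegotiation IS supported'
SAMPLE_LEGACY='New, TLSv1/SSLv3, Cipher is AES128-SHA
Secure Renegotiation IS NOT supported'
SAMPLE_FAILED='New, (NONE), Cipher is (NONE)
Secure Renegotiation IS NOT supported'

# Probe only when a host is given, e.g.: sh check.sh scc.example.com
if [ "$#" -gt 0 ]; then
    check_port "$@"
fi
```

An unknown result usually means the local OpenSSL build and the server share no protocol version or cipher, so the check has to be repeated from a client that can complete the handshake.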

SMPONP-2610
SiteMinder external cookie scenario not supported for REST SDK

Application onboarding with Sybase Unwired Platform using an external SiteMinder SMSESSION cookie is not supported using REST SDK.

Workaround: Applications can use basic authentication with SiteMinder and onboard with SUP.

RTC-60
Unwired Server restart is needed after changing truststore or keystore.

Workaround: If you change anything relating to keys or certificates in the truststore or keystore, you must always restart the server. Changes only take effect after a server restart.

RTC-48
A user with the "SUP Helpdesk" role can execute all DOE-C package operations using the command line utility, including modify operations such as deploying DOE-C packages or setting DOE-C endpoint properties.

Help desk operators should not be able to perform modify operations.

Workaround: Prevent direct or remote access to Unwired Server for users with the "SUP Helpdesk" role.

CR-708833
External authentication token is not properly handled by iOS Hybrid Web Container (HWC).

Workaround: For an external token to be passed to and used by iOS Hybrid Web Container for performing single sign-on (SSO), make the call to setHttpHeaders before starting the client engine by placing [self setHttpHeaders] as the first line of the startEngine function. See Setting HTTP Headers in Developer Guide: Mobile Workflow Packages.