[ERPSCAN-15-010] Sybase SQL Anywhere 11 and 16 – DoS

Application: Sybase SQL Anywhere 11 and 16
Vendor URL: http://www.sybase.com
Bugs: DoS
Reported: 09.12.2014
Vendor response: 10.12.2014
Date of Public Advisory: 15.03.2015
Reference: SAP Security Note 2108161
Authors: Vahagn Vardanyan (ERPScan)

VULNERABILITY INFORMATION

Class: DoS [CWE-122]
Impact: DoS
Remotely Exploitable: Yes
Locally Exploitable: No
CVE Name: CVE-2015-2819

Business Risk

It is possible to use a denial of service vulnerability to terminate the process of the vulnerable component. As a result, nobody can use this service, which negatively affects business processes. System downtime also harms business reputation.

Description

An anonymous attacker can use a special request to crash the Sybase SQL Anywhere process on the server.

VULNERABLE PACKAGES

SYBASE SQL Anywhere 12 and 16
Other versions are probably affected too, but they were not checked.

SOLUTIONS AND WORKAROUNDS

To correct this vulnerability, install SAP Security Note 2108161.

TECHNICAL DESCRIPTION

An anonymous attacker can use a special request to crash the Sybase SQL Anywhere process on the server.

Proof of concept

Defense

To prevent this issue as well as a plethora of other vulnerabilities that may affect your systems, ERPScan provides the following services: