Vulnerability of ASE 12.5.2 vs ASE 12.5.3 ESD#3

Recently, Application Security, Inc. has run a vulnerability test on our 
ASE 12.5.2. The program gave a 'high risk' on the ASE 12.5.2 and suggested we 
install the latest Sybase patch 12.5.3 ESD#3.

I have some questions about the recommendation.
1. The latest patch is definitely not 12.5.3 ESD#3. Why did the program 
recommend 12.5.3 ESD#3? Isn't 12.5.4 better than 12.5.3?
2. Is it practical to keep up with the latest releases or patches? Now if we 
upgrade to 12.5.4 and then rerun the vulnerability test, will the program 
suggest that the newer version is better with respect to security vulnerability?

Can anyone share some thoughts? Thanks in advance.
Audrey
7/14/2008 7:51:10 PM
sybase.ase.upgrades+migration


NOTE:  I have no idea what 'Application Security' is or how it works.

I'd guess that you've got a version of Application Security that only knows about ASE up through ASE 12.5.3 ESD #3 (or 
thereabouts); alternatively, the folks who wrote Application Security aren't up-to-date on the latest versions of ASE.

Then again, *what* exactly are they measuring/testing to come up with their 'high risk' score?  There are lots of 
different ways to slice-n-dice the term 'security' ... so what exactly is their definition of security and how are they 
measuring it?

As for what will happen if you upgrade to ASE 12.5.4 ... *shrug* ... I'd suggest you run that past the folks who wrote 
'Application Security'.

Mark
7/14/2008 8:37:58 PM

This particular recommendation is probably based on
this urgent customer notification we sent out back in 2005...

http://www.sybase.com/detail?id=1034520

Yes, 12.5.4 should be better than 12.5.3.  And a recent
12.5.4 rollup should be better than the initial 12.5.4.

Urgent customer notifications are unusual; I would certainly
recommend getting above the version recommended in the notification.
There are reasons for being on more recent rollups than that,
but in general not so much for security reasons.

Is it practical to keep up with the latest rollups?
That is actually a difficult question, and depends a great
deal on your environment.  Some of my customers have very
long test cycles (which is a good thing), but it means
they don't tend to test and apply new rollups very often
(which isn't so great).  Many other customers have no problem
downloading and applying rollups as they are released.

I have no idea what this program will do if run on a newer
version.

-bret
Bret
7/15/2008 7:23:43 PM
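Bret's point is that the scanner's target (12.5.3 ESD#3) is a floor, not a ceiling: what matters is whether the installed release and ESD level sit at or above the level named in the notification, and plain string comparison gets this wrong (12.5.4 with no ESD is newer than 12.5.3 ESD#3, and 12.5.0.3 is older than 12.5.2). The check below is an added example, not code from the thread or from Sybase or Application Security; it parses the release and ESD number out of an ASE `@@version` string (the slash-delimited format assumed here and the sample strings are constructed for illustration) and compares them as tuples, so a practitioner can verify each server against a minimum level before deciding whether a scanner finding applies.

```python
"""Compare installed ASE release/ESD levels against a required minimum.

Added example: not from the original thread. Version strings below are
constructed to resemble ASE @@version output and are not real servers.
"""
import re
from typing import NamedTuple, Tuple


class AseVersion(NamedTuple):
    release: Tuple[int, int, int, int]  # e.g. 12.5.3 -> (12, 5, 3, 0); 12.5.0.3 -> (12, 5, 0, 3)
    esd: int                            # ESD# level within that release, 0 when none

    def __str__(self) -> str:
        parts = [str(p) for p in self.release]
        # Drop a trailing zero fourth component so 12.5.3 prints as 12.5.3, 12.5.0.3 stays whole.
        if parts[3] == "0":
            parts = parts[:3]
        s = ".".join(parts)
        return f"{s} ESD#{self.esd}" if self.esd else s


# A dotted release with two to four numeric components, e.g. 12.5, 12.5.3, 12.5.0.3.
_RELEASE_RE = re.compile(r"\b(\d+(?:\.\d+){1,3})\b")
# "ESD#3", "ESD #3", "esd3" all map to ESD level 3.
_ESD_RE = re.compile(r"ESD\s*#?\s*(\d+)", re.IGNORECASE)


def parse_ase_version(text: str) -> AseVersion:
    """Parse a release/ESD level from an @@version string or a bare '12.5.3 ESD#3'.

    For @@version output the release is taken from the first field that looks
    like a dotted version; that is the second slash-delimited field in the
    assumed format 'Adaptive Server Enterprise/12.5.3/EBF 12859 ESD#3/P/...'.
    """
    m = _RELEASE_RE.search(text)
    if not m:
        raise ValueError(f"no ASE release number found in {text!r}")
    parts = [int(p) for p in m.group(1).split(".")]
    parts += [0] * (4 - len(parts))          # normalise to four components
    esd = _ESD_RE.search(text)
    return AseVersion(tuple(parts), int(esd.group(1)) if esd else 0)


def at_or_above(installed: AseVersion, minimum: AseVersion) -> bool:
    """True when installed >= minimum. Release number dominates; ESD only breaks
    ties within the same release, because ESD numbering restarts per release."""
    return (installed.release, installed.esd) >= (minimum.release, minimum.esd)


def assess_fleet(version_strings, minimum: str = "12.5.3 ESD#3"):
    """Return {server_label: (parsed_version, meets_minimum)} for each input."""
    need = parse_ase_version(minimum)
    results = {}
    for label, text in version_strings.items():
        v = parse_ase_version(text)
        results[label] = (str(v), at_or_above(v, need))
    return results


# Constructed sample @@version strings (not real hosts).
SAMPLE_FLEET = {
    "prod1": "Adaptive Server Enterprise/12.5.2/EBF 11948/P/Sun_svr4/OS 5.8/ase1252/2003/32-bit/OPT",
    "prod2": "Adaptive Server Enterprise/12.5.3/EBF 12859 ESD#3/P/Sun_svr4/OS 5.8/ase1253/2005/64-bit/FBO",
    "prod3": "Adaptive Server Enterprise/12.5.3/EBF 12627 ESD#2/P/Sun_svr4/OS 5.8/ase1253/2005/64-bit/FBO",
    "prod4": "Adaptive Server Enterprise/12.5.4/EBF 13387/P/Sun_svr4/OS 5.8/ase1254/2006/64-bit/FBO",
    "legacy": "12.5.0.3",
}

if __name__ == "__main__":
    for host, (ver, ok) in assess_fleet(SAMPLE_FLEET).items():
        print(f"{host:8} {ver:16} {'ok' if ok else 'BELOW 12.5.3 ESD#3'}")
```

Run it against `select @@version` output from each server; a server that reports as at or above the minimum is not what the scanner's version check is flagging, and any remaining 'high risk' score then needs the scanner vendor to say what it is actually measuring, as Mark asks above.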
I will take your recommendation.
Thanks.

Audrey
7/17/2008 2:49:48 PM