
OpenSSL HeartBleed and SQL Anywhere


SAP takes the security of its products very seriously.  The recent OpenSSL vulnerability known as Heartbleed does impact some users of SQL Anywhere.

Here are the details:

 

Affected Components

  • SQL Anywhere Server – If you use TLS (Transport Layer Security) communications and/or HTTPS web services, these are vulnerable, though the exposure is limited to networks that can access the server.  Note that calling external web services over HTTPS from the database server is also affected.
  • MobiLink Server – If you use TLS and/or HTTPS communications, these are vulnerable, though the exposure is limited to networks that can access the MobiLink server.
  • Relay Server Outbound Enabler

 

Affected Versions - note that all platforms are impacted by this issue.

  • SQL Anywhere 12.0.1 ebf 3994-4098
  • SQL Anywhere 16.0 ebf 1690-1880

 

Current Workaround

  • To avoid being exposed due to this problem, you can revert to an ebf/SP prior to the ones listed above, or to the GA release.
  • Regenerate any certificates that you were using.
  • Change any passwords/keys associated with SQLA web service calls or TLS authentication.

 

Resolution

  • Download and apply SQL Anywhere 12.0.1 ebf 4099 or newer and/or SQL Anywhere 16.0 ebf 1881 or newer when it becomes available. A further announcement will be made when the patch is available.
  • Regenerate any certificates that you were using.
  • Change any passwords/keys associated with SQLA web service calls or TLS authentication.
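
To apply the affected build ranges and the workaround/resolution steps above across a set of servers, the following added example (not SAP code) classifies recorded build numbers against the advisory. It assumes builds are recorded as four dot-separated numbers and that "16.0" is reported as 16.0.0; the hostnames and sample builds are constructed.

```python
import re

# Inclusive EBF build ranges listed as affected in the advisory.
# Assumption: the advisory's "16.0" is reported by the server as 16.0.0.
AFFECTED = {(12, 0, 1): (3994, 4098), (16, 0, 0): (1690, 1880)}

# Assumption: builds are recorded as four dot-separated numbers, e.g. 16.0.0.1700.
VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)\.(\d+)\.(\d+)\s*$")

ACTIONS = {
    "affected": "revert or patch, regenerate certificates, change passwords/keys",
    "fixed": "patched build: regenerate certificates and change passwords/keys if not yet done",
    "pre-affected": "build predates the affected range",
    "not-listed": "release is not listed in the advisory",
    "unparsed": "version string not understood, check by hand",
}

def classify(version):
    """Return the advisory status for one version string."""
    m = VERSION_RE.match(version)
    if not m:
        return "unparsed"
    major, minor, patch, build = (int(x) for x in m.groups())
    bounds = AFFECTED.get((major, minor, patch))
    if bounds is None:
        return "not-listed"
    first, last = bounds
    if build < first:
        return "pre-affected"
    return "affected" if build <= last else "fixed"

def triage(inventory):
    """Map each host to (status, action), given host -> version string."""
    result = {}
    for host, version in inventory.items():
        status = classify(version)
        result[host] = (status, ACTIONS[status])
    return result

# Constructed sample inventory; hostnames and builds are invented for illustration.
SAMPLE = {
    "db-a": "12.0.1.3994",
    "db-b": "12.0.1.4099",
    "ml-a": "16.0.0.1880",
    "ml-b": "16.0.0.1600",
    "old-c": "11.0.1.2960",
    "bad-d": "16.0 ebf 1700",
}

if __name__ == "__main__":
    for host, (status, action) in sorted(triage(SAMPLE).items()):
        print(f"{host:6} {status:12} {action}")
```

A host on a fixed build that previously ran an affected build still needs the certificate and password/key steps, which is why the "fixed" action repeats them.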

 

 

In addition, here is the text of the latest response (as of this posting) from the SAP security team, released earlier today on service marketplace (http://service.sap.com/securitynotes):

 

Deficiencies in releases of OpenSSL libraries

SAP takes any security-related report very seriously. We will notify our customers appropriately as relevant new information on this topic becomes available.

 

We take the opportunity to remind you to increase the security of your SAP systems by installing the available security patches. For information on SAP’s security notes and patches, please go to the SAP Security Notes page on the SAP Service Marketplace extranet at https://service.sap.com/securitynotes.

 

SAP has received information about security deficiencies in some releases of OpenSSL libraries, used in a number of software products of different vendors. These deficiencies are referred to under the name of the “Heartbleed” vulnerability (CVE-2014-0160, see http://heartbleed.com). SAP security teams are in the process of investigating if products are possibly affected by the reported vulnerability.  At the current state of investigations we have no indications that SAP NetWeaver and SAP HANA are affected.

 


