|
|
|
|
| |
Credit:
The information has been provided by Oliver Karow.
The original article can be found at: http://www.symantec.com/enterprise/research/SYMSA-2006-009.txt
|
| |
SAP-DB/MaxDB is a heavy-duty, SAP-certified open source database for OLTP and OLAP usage which offers high reliability, availability, scalability and a very comprehensive feature set. It is targeted for large mySAP Business Suite environments and other applications that require maximum enterprise-level database functionality and complements the MySQL database server.
A remotely exploitable vulnerability exists in MaxDB's WebDBM. Due to an input validation error, it is possible to execute arbitrary code with the privileges of the 'wahttp' process by sending a malformed HTTP request. Authentication is not required for successful exploitation to occur.
Vendor Response:
The above vulnerability has been fixed in the latest release of the product, MaxDB 7.6.00.31.
Licensed and evaluation versions of MaxDB are available for download in the download section of www.mysql.com/maxdb:
http://dev.mysql.com/downloads/maxdb/7.6.00.html.
If there are any further questions about this statement, please contact mysql-MaxDB support.
Please note that SAP customers receive their downloads via the SAP Service Marketplace www.service.sap.com and must not use downloads from the addresses above for their SAP solutions.
Recommendation:
The vendor has released MaxDB 7.6.00.31 to address this issue. Users should contact the vendor to obtain the appropriate upgrade.
As a temporary workaround the SAP-DB WWW Service should either be disabled or have access to it restricted using appropriate network or client based access controls.
CVE Information:
CVE-2006-4305
|
|
|
|
|
