SAP has patched a vulnerability in the SAP Adaptive Server Enterprise (ASE) product, which is a relational database management system for UNIX, Linux and Microsoft Windows platforms.
The vulnerability, which affected versions 12.5, 15, 15.5, 15.7 and 16, was discovered by security vendor Trustwave last year.
In an advisory, Trustwave said SAP ASE ships with a login named “probe” for the two-phase commit probe process. A flaw in the implementation of the challenge and response mechanism allowed anyone to access the server as the “probe” login, and other flaws allowed privilege elevation from a regular database user to database administrator. Together these flaws allowed for complete takeover of the database server.
SAP has now patched the vulnerability, with the details published in security note 2113995.
