Reporting servers show a 'sql anywhere' vulnerability requiring -sb option

Article ID: 40145


Products

CA Risk Analytics
CA Secure Cloud SaaS - Arcot A-OK (WebFort)
CLOUDMINDER ADVANCED AUTHENTICATION
CA Secure Cloud SaaS - Advanced Authentication
CA Secure Cloud SaaS - Identity Management
CA Secure Cloud SaaS - Single Sign On

Issue/Introduction

Problem: 

A vulnerability scan reports the following security issue:

1) Finding:
- The remote Sybase SQL Anywhere / Adaptive Server Anywhere database is
configured to listen for client connection broadcasts, which allows an
attacker to see the name and port that the Sybase SQL Anywhere /
Adaptive Server Anywhere server is running on.
- Recommendation:
Switch off broadcast listening via the '-sb' switch when starting
Sybase.
- Database name: server120_rpt
- Database port: 3306

2) The script "sawstartup.sh", which is part of the reporting server
installation and is used to start the SQL Anywhere database, per CA instructions:

=====================================================================
[[email protected] bobje]# vi sawstartup.sh
#! /bin/bash
# The Install Directory
# Workaround for faulty dirname on Solaris 9 with certain locales.
SAVE_LC_ALL="${LC_ALL}"
SAVE_LC_CTYPE="${LC_CTYPE}"
SAVE_LC_MESSAGES="${LC_MESSAGES}"
SAVE_LC_COLLATE="${LC_COLLATE}"

# LC_ALL must be unset since it can override LC_COLLATE
LC_ALL=""; export LC_ALL
# LC_CTYPE and LC_MESSAGES can affect the output of dirname so their values
# should not be changed by unsetting LC_ALL.
if [ "${SAVE_LC_ALL}" != "" ]; then
    LC_CTYPE="${SAVE_LC_ALL}"; export LC_CTYPE
    LC_MESSAGES="${SAVE_LC_ALL}"; export LC_MESSAGES
fi
# dirname returns invalid result when LC_COLLATE is set to one of
# [email protected], [email protected], [email protected], [email protected],
# [email protected]
LC_COLLATE="C"; export LC_COLLATE

TEMPDIR=`dirname $0`
BOBJEDIR=`cd "$TEMPDIR"; pwd`
export BOBJEDIR
# Restore original environment to ensure this doesn't cause any other
# problems.
LC_ALL="${SAVE_LC_ALL}"; export LC_ALL
LC_CTYPE="${SAVE_LC_CTYPE}"; export LC_CTYPE
LC_MESSAGES="${SAVE_LC_MESSAGES}"; export LC_MESSAGES
LC_COLLATE="${SAVE_LC_COLLATE}"; export LC_COLLATE

# setup the environment
. "$BOBJEDIR"/setup/env.sh

. "$BOBJEDIR"/setup/env-locale.sh

. "$BOBJEDIR"/SQLAW/Bin/sa_config.sh

# start the SQLANY12 server
cd "${BOBJEDIR?}"
echo "STARTING SQL AnyWhere12 SERVER"
#echo $BOBJEDIR
"${BOBJEDIR?}"/SQLAW/Bin/dbspawn -f dbsrv12 -ud -x tcpip{"PORT=3306"} -c 8m -n BOE120_bouser "$BOBJEDIR/SQLAW/Bin/BOE120" "$BOBJEDIR/SQLAW/Bin/BOE120_AUDIT"
=====================================================================


Solution:

Adding the -sb option is acceptable and will not affect CABI functionality. Here are the instructions for adding the -sb option:

1. Switch to bobje or the equivalent user who owns the CABI installation, and go to /opt/CA/SharedComponents/CommonReporting3/bobje (or equivalent).

2. source setup/env.sh ; ./stopservers ; ./sawstop.sh ; vi sawstartup.sh

3. In this file, modify the last line as shown below.

  Original:

"${BOBJEDIR?}"/SQLAW/Bin/dbspawn -f dbsrv12 -ud -x tcpip{"PORT=3306"} -c 8m -n BOE120_bansr02 "$BOBJEDIR/SQLAW/Bin/BOE120" "$BOBJEDIR/SQLAW/Bin/BOE120_AUDIT"

  Modified:

"${BOBJEDIR?}"/SQLAW/Bin/dbspawn -f dbsrv12 -ud -x tcpip{"PORT=3306"} -c 8m -n BOE120_bansr02 "$BOBJEDIR/SQLAW/Bin/BOE120" "$BOBJEDIR/SQLAW/Bin/BOE120_AUDIT" -sb 0

4. Save and close the file.

5. ./sawstartup.sh

6. ./startservers
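As an added example (not part of the CA article), the shell below performs step 3 idempotently, keeping a backup, and adds a post-restart check over `ps -eo args` output so you can confirm the live dbsrv12 process actually carries -sb 0. The sample startup file and ps excerpt are constructed; the install path is the one from step 1.

```shell
#!/bin/bash
# Added example (not from the CA article): apply step 3 of the procedure
# idempotently and verify it, rather than hand-editing sawstartup.sh.
# The demo file and ps output below are constructed; paths are placeholders.

# add_sb_option FILE: append " -sb 0" to the dbspawn line unless it is already
# there. Keeps FILE.bak before changing anything. Returns 1 if no dbspawn line.
add_sb_option() {
    file="$1"
    grep -q 'dbspawn' "$file" || return 1
    grep -q 'dbspawn.* -sb 0' "$file" && return 0   # already hardened
    cp "$file" "$file.bak"
    sed '/dbspawn/ s/$/ -sb 0/' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# has_sb_option FILE: succeed when the dbspawn line carries -sb 0.
has_sb_option() {
    grep -q 'dbspawn.* -sb 0' "$1"
}

# dbsrv_missing_sb PS_ARGS: given `ps -eo args` output, print any running
# dbsrv12 command line that still lacks -sb 0 (the server must be restarted
# for the edit to take effect). Succeeds only when none is found.
dbsrv_missing_sb() {
    missing=$(printf '%s\n' "$1" | grep 'dbsrv12' | grep -v -- '-sb 0' || true)
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed stand-in for the tail of sawstartup.sh, dbspawn line as in the article.
demo_file="${TMPDIR:-/tmp}/sawstartup_demo.$$.sh"
cat > "$demo_file" <<'EOF'
#! /bin/bash
echo "STARTING SQL AnyWhere12 SERVER"
"${BOBJEDIR?}"/SQLAW/Bin/dbspawn -f dbsrv12 -ud -x tcpip{"PORT=3306"} -c 8m -n BOE120_bansr02 "$BOBJEDIR/SQLAW/Bin/BOE120" "$BOBJEDIR/SQLAW/Bin/BOE120_AUDIT"
EOF

# Constructed `ps -eo args` excerpt: the first server still runs the old command line.
sample_ps='dbsrv12 -ud -x tcpip{PORT=3306} -c 8m -n BOE120_bansr02 /opt/CA/SharedComponents/CommonReporting3/bobje/SQLAW/Bin/BOE120
dbsrv12 -ud -x tcpip{PORT=3306} -c 8m -n BOE120_audit /opt/CA/SharedComponents/CommonReporting3/bobje/SQLAW/Bin/BOE120_AUDIT -sb 0'

add_sb_option "$demo_file" && add_sb_option "$demo_file"   # second call is a no-op
has_sb_option "$demo_file" && echo "sawstartup.sh now passes -sb 0 to dbsrv12"
dbsrv_missing_sb "$sample_ps" || echo "server(s) above still need ./sawstop.sh; ./sawstartup.sh"
```

Run it on a copy of the real sawstartup.sh first and diff against the .bak before restarting the services.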

Notes: 

Using -sb 0 causes the server not to start up any UDP broadcast listeners. In addition to forcing clients to use the DoBroadcast=NONE and HOST= options to connect to the server, this option causes the server to be unlisted when using dblocate.

Using -sb 1 causes the server to not respond to broadcasts from dblocate, while leaving connection logic unaffected. You can connect to the server by specifying LINKS=tcpip and ENG=name.

Environment

Release: CLDIDM99000-1.5-Identity Manager SaaS-for Business Users