Application Server Vulnerability Notice
During routine server testing performed by a customer, a security vulnerability was discovered in the Application Server. This flaw could allow an attacker to obtain sensitive information and is considered a high-severity issue. To Alpha Software's knowledge, the issue has not been exploited.
Alpha Software recommends that all customers take immediate action as detailed below.
SYSTEMS AFFECTED:
- This issue affects the Alpha Anywhere Classic Application Server, the Alpha Five version 11 Application Server, and the Alpha Five version 10 Application Server.
- The Alpha Anywhere Application Server for IIS is not affected by this vulnerability.
- Alpha Five version 9 and prior have not been tested.
REMEDIATION:
Alpha Anywhere Application Server for IIS
The Alpha Anywhere Application Server for IIS is not subject to this vulnerability. No action is required.
Alpha Anywhere Classic Application Server
A fix for this security vulnerability is available now for build 4770, the most recent official release of Alpha Anywhere Application Server.
Click here to download now.
Additionally, prereleases beginning with build 4940 include this fix.
Prereleases are available from http://aadocuments.s3.amazonaws.com/...easeNotes.Html.
Alpha Five Version 11 Application Server
A fix for this security vulnerability in version 11 is available now for Alpha Five version 11 build 3381. Click here to download now. The downloaded ZIP file contains a single DLL that should be placed into your Application Server installation folder, overwriting the existing DLL file. No changes to your published applications will be required.
Any server operators with a version 11 release prior to build 3381 should update to that release immediately, then apply the above update.
Alpha Five Version 10 and prior
Support for Alpha Five version 10 ended in October 2011; as a result, a fix for this vulnerability will not be released. Any operators with Version 10 or prior servers still in use should upgrade those systems to Alpha Anywhere or Alpha Five version 11 immediately, and then apply the correct update listed above. Otherwise, continue using these unsupported versions at your own risk.
Acknowledgments
This vulnerability was discovered while testing was performed on a server hosted at ZebraHost. The discovery was reported by Nate Battles at ZebraHost, who then worked closely with Alpha Software to duplicate the issue and verify the fix. Thank you to Nate Battles and Clive Swanepoel of ZebraHost.