60East Vulnerability Note
AMPS 2015-01 (September 13, 2015)
Summary: 60East has become aware of a security vulnerability. This vulnerability affects replication links in the AMPS server, and could allow a replication transport to connect in cases where the transport’s user account is not entitled for replication logon.
Recommended Action: If you are using authentication on your replication links, 60East recommends immediately upgrading to a minimum version of 3.9.1.6 or 4.3.1.3 (no 5.X series releases are affected).
Affected Versions:
AMPS 3: versions prior to 3.9.1.6
AMPS 4: versions prior to 4.3.1.2
Details:
Affected versions of AMPS had a bug that affected logon entitlements for replication. The bug affects a user account that is not permitted to log on to a replication connection. AMPS would correctly fail the entitlement check the first time the user attempt to log on for replication. However, on subsequent attempts, AMPS incorrectly allowed the user to log on. The net result is that the replication logon permissions were not enforced if an instance using those permissions attempted to connect to AMPS more than once (which is the expected behavior for a replication connection), while the read/write entitlements continue to be enforced.
[Note: This bulletin was originally published with the title Vulnerability Note: AMPS 2015-01. The title has been changed to reflect the current naming system for AMPS security bulletins.]
Comments