Hi Allan,

Sage 300 CRE version 20.5 was released in December which includes an updated version of Actian (Pervasive) PSQL 12.11 - you can find the links here:

https://www.sagecity.com/us/sage_construction_and_real_estate/f/sage-cre-announcements-news-and-tips/178554/sage-300-cre-announcing-the-2021-year-end-version

You can also subscribe to the Sage 300 CRE Announcements, News, and Alerts forum to be notified when a new release is available:

https://www.sagecity.com/us/sage_construction_and_real_estate/f/sage-cre-announcements-news-and-tips

Thanks!

Hi Jesse, Thanks for the reply, however I tried to search through the knowledge base and the release note, I couldn't find the PSQL 12.11 mentioned in version 20.5. Maybe I missed out somewhere, do you happened to know which part indicate on the PSQL portion, as my cyber team is quite particular on this information.

I also cross check with Sage Support, they are not sure about the PSQL versioning vulnerability fixes too, they just ask me to wait for the upcoming release note.

Hi Allan,

I did some checking into this - PSQL 12.11 was a patch that was released by Actian in 2017. We implemented that patch in version 17 or 18 (I'm still getting clarification as to exactly when).

When you install Sage 300 CRE, Actian PSQL 12 installs along with the patch, however if for some reason Actian PSQL 12 is installed or re-installed separately, then the patch needs to also be installed.

You can find the patches for both the server and client PSQL engines in the install folder on the server:

\TIMBERLINE OFFICE\9.5\Accounting\WinInst\Prerequisites

If you need assistance with the patches and you have an active support plan, you can reach out to Sage Support.

Thanks!

Hi Jesse,

Does the PSQL Version Vulnerability CVE-2017-11757 resolved in this v12 SP1? As this is what I found in the web regards to this vulnerability:- cve.mitre.org/.../cvename.cgi

I believe we did not reinstalled separately, because PSQL was installed together with Sage.

Hi Jesse, Do you know whether the Vulnerability has been resolved in the PSQL v12SP1 by Sage?

Hi Alan,

As Jesse stated, the version of Sage 300 CRE you're running (20.4) comes with Pervasive Version 12.11.027. However, if the version of Actian PSQL v12 Server Engine SP1' installed on your Server shows as 12.10.xxx in Programs and Features, someone manually installed Pervasive without applying Pervasive SP1 Patch (12.11.0.27). 

To update to version 12.11.027, follow Steps 3-4 in Option 3 of Knowledgebase Article  'How do I manually install Actian PSQL version 12?'

Thanks,

Sage Support

Hi, with the version running Sage 300 v20.4 in Pervasive Version 12.11.027, does this meant it resolved the vulnerability mentioned?

Does Pervasive Version 12.11.027 remediated Vulnerability CVE-2017-11757

Hi Sage Support, any confirmation or documentation that mentioned Pervasive Version 12.11.027 remediated Vulnerability CVE-2017-11757 

CVE-2017-11757 : Heap-based buffer overflow in Actian Pervasive PSQL v12.10 and Zen v13 allows remote attackers to execute arbitrary code (cvedetails.com)

Hi Allan, I have confirmed that this issue was resolved with v12.11.20, which is included in 12.11.027. See the link below for response from Actian.

https://communities.actian.com/s/article/Actian-Security-Vulnerabilities-Notice11-Sep-2017