en
brNews
Firebird security alert: 0-day vulnerability in old versions
Firebird Project has discovered critical security issues in old versions of all supported releases: if your version is equal or less than specified versions (with build number) 3.0.13.33809, 4.0.6.3203, 5.0.3.1651, you need to upgrade to the latest Firebird releases (3.0.13.33818, 4.0.6.3221, 5.0.3.1683).
Zero day vulnerability was found in all versions of Firebird with versions less than 3.0.13.33809, 4.0.6.3203, 5.0.3.1651 (it means that current releases on www.firebirdsql.org have it fixed).
Malicious user can cause DoS on firebird server sending specific sequence of bytes, login/password for server is not needed. To expoit the vulnerability, it is enough to send set of bytes to Firebird port, so recommendation is upgrade as soon as possible.
Special note for users of vanilla 2.5 - version 2.5 also suffers from this problem, but since it is not supported by Firebird Project, there will be no fix, so you need to upgrade as soon as possible, or you should consider to use HQbird, which supports 2.5.
For users of HQbird - the recent update HQbird 2024R2 Update 5 (https://ib-aid.com/en/download-hqbird) has all fixes for 5.0, 4.0, 3.0, but for 2.5 IBSurgeon will issue special fix as soon as possible. If you are using HQbird older than Update 5 - upgrade as soon as possible.
What to do
- Check version of your Firebird: for this run in command line some tool from your installation, for example, gstat.exe -z and check the full version. On Windows you can also do right-click on firebird.exe and see tab "Details".
- If you are not running the latest version - i.e., equal or higher than 3.0.13.33818, 4.0.6.3221, 5.0.3.1683, you are safe. If it is less - plan upgrade to the latest Firebird.
- If you are usng non-safe version, make sure that port 3050 is available only for trusted clients connections. Plan upgrade asap.