| Developers: | Sybase, SAP SE |
| Last Release Date: | 2015 |
| Technology: | DBMS |
Main article: Database Management System (DBMS)
About the product
SQL Anywhere is a relational database management system (DBMS) originally developed by Sybase. In 2010, the product, together with the development team, was bought by the German company SAP, which now develops it.
SQL Anywhere is a DBMS for data management and synchronization, intended for applications operating away from data centers. Since its inception, SQL Anywhere has been designed to provide a set of features specific to a standard enterprise database: high performance and reliable synchronization for networking. The product is designed for embedded and mobile systems.
Features and Benefits
- Based on SQL Anywhere, it is possible to develop high-performance applications that require minimal participation of a database administrator for their support, and sometimes do not require it at all. This is achieved through SQL Anywhere's self-tuning query optimizer and dynamic cache size management functions. SQL Anywhere-based applications can handle 20,000 transactions per minute, serve thousands of users, and handle hundreds of gigabytes of data.
- SQL Anywhere includes robust enterprise-class synchronization mechanisms to ensure reliable and secure integration between the local application data and the enterprise database. This is the only synchronization technology that provides data synchronization between popular mobile devices and Sybase, Microsoft, Oracle, MySQL and IBM enterprise databases.
- SQL Anywhere was designed from the very beginning to be embedded in server applications, remote workgroup applications, or mobile applications. It contains many self-service features such as automatic administration, backup and tuning, stealth mode, and an installation process that integrates with the application installation process - all of which make it exceptionally easy to deploy widely with any application program.
- By building data processing applications based on SQL Anywhere, developers will appreciate the advanced capabilities and flexibility of the platform, as well as compatibility with SQL and ANSI standards. It offers features such as OLAP, materialized views, snapshot isolation, full-text search and regular expressions.
Programming languages
C#, VB.NET, C, C++, ASP, Java, PHP, Perl
Trial versions
- SQL Anywhere Developer Edition
- SQL Anywhere Web Edition
- SQL Anywhere Educational Edition
History
2025: SAP DBMS turned out to be "leaky": the password hard-coded into it gives access to embedded systems
In the twentieth of November, NCCC sent out a bulletin[1] on the discovery of a critical vulnerability, BDU:2025-14425[2], in the SAP SQL Anywhere database. It belongs to the class of hard-coded credentials (CWE-798), which means the presence of credentials predefined by the manufacturer. The vulnerability received the highest severity rating: 10 (out of 10).
SAP SQL Anywhere is a complete solution that includes both the DBMS itself and tools for managing, synchronizing, and exchanging data. It provides quick development and deployment of applications in a remote office or mobile environment.
Previously, the product was called Sybase SQL Anywhere, but it was renamed after the German company SAP purchased the American developer Sybase in 2010. At one time, Sybase products were quite popular with Russian users.
"SAP SQL Anywhere is positioned as an embedded relational DBMS focused on working in built-in, mobile and distributed environments, especially in conditions of unstable or limited network connection," Timur Tsybdenov, leading product engineer for SafeERP at Gazinformservice, clarified to TAdviser. "As for its application in Russia, this system is not widely used in comparison with more powerful and popular solutions such as SAP HANA, Oracle or Microsoft SQL Server."
According to the expert, the functionality of SQL Anywhere is limited in comparison with modern corporate databases, which makes it unsuitable for the implementation of complex and scalable projects. Today, SQL Anywhere is mainly found in legacy or highly specialized systems that have not yet been upgraded.
In addition, SAP itself has officially announced the termination of technical support for SQL Anywhere from December 31, 2028, which makes its further use inappropriate from the point of view of a long-term strategy for the development of the IT infrastructure.
The vulnerability is present in the SQL Anywhere Monitor database administration tool of the SAP SQL Anywhere database. It allows an intruder acting remotely to log in as an administrator and affect the confidentiality, integrity and availability of protected information.
"We are talking about a drawback classified as CWE-798, the use of hard-set credentials," Alexander Kolesov, head of development and research at Bastion, said for TAdviser readers. "What is this drawback? For ease of work, the developers saved a certain account and its password in the source code. This usually happens when a system is being developed, to make it easier to test. After development, the account was apparently not deleted. This gives attackers a clear advantage: knowing the password, you can log into any system, since the given combination is hard-programmed for the system."
Theoretically, vulnerabilities of this type should be removed at the testing stage in a properly organized secure development cycle. The presence of such an error indicates the quality of the software development process at the manufacturer, which is going to decommission this product. Moreover, the relatively recent version 17.0 is vulnerable. In mid-November, the bug was fixed by the developer; updates are distributed in the November package.
"The vulnerability lies in the fact that if an attacker already has access to the server where the monitoring service works, he can get all the passwords/keys that the service uses internally in clear text and use them to implement several types of attacks," Tatiana Kutsovol, a leading research analyst at the Information Security Solutions Development Center for Software Security Control appScreener, clarified the situation for TAdviser. "For example, using legitimate accounts to access SQL Anywhere itself and other internal systems on behalf of a trusted account."
The same vulnerability can also be exploited for lateral movement over the network after gaining initial access to internal services, in order to move to neighboring information systems. The detected error can also be used to escalate current privileges when accounts with extended rights are used.
"SAP SQL Anywhere in Russia is built into industry solutions, cash systems, mobile workplaces, ERP modules, medical and transport software," Mikhail Timaev, head of IT Task technical presale, told TAdviser. "Therefore, the vulnerability associated with storing passwords in clear text affects not single installations, but application systems that work in the architecture. The main danger here is that access to unencrypted passwords gives the attacker direct access to the database and allows the attack to develop further."
The appearance of such an error is a good reason to switch to more modern technology stacks. However, if this is impossible for some reason, then it is at least worth strictly controlling access to such legacy components. Tatiana Kutsovol also recommends restricting the rights of service accounts, protecting the process and its memory so that secrets cannot be extracted through memory analysis and similar research techniques, and using secure communication channels between internal services so that sensitive information is transmitted only in encrypted form.
2015: SAP releases SQL Anywhere version 17
In July, SAP introduced version 17 of the embedded SQL Anywhere database[3]. Some features of this version are:
- Adapting to IoT platforms. SQL Anywhere automatically detects changes in the deployment environment and optimizes performance.
- Supports many modern programming languages and environments, including stored procedures and JavaScript functions.
- Improved data encryption and isolation. Data remains protected when stored on peripherals and when synchronized with the data center, whether the data center is located locally or in the cloud.
- Reduced downtime associated with database maintenance and application upgrades. This was made possible by features such as online rebuild, dynamic start and stop of connection protocols, and point-in-time recovery.
2011: SQL Anywhere OnDemand Edition
On September 13, 2011, Sybase, Inc. announced a new product designed to meet the demand of independent software vendors for simple data management tools and the deployment of multi-tenant applications at the facilities of service operators. SQL Anywhere OnDemand Edition provides a set of cloud-ready tools and features that enable software providers to manage data for cloud applications to meet both their own needs and those of their customers. The announcement was made at the Sybase TechWave conference, held in conjunction with the SAP® TechEd 2011 conference in Las Vegas, Nevada, from September 12-16.
SQL Anywhere OnDemand Edition is the only cloud-based data management tool that enables ISVs to combine the management of databases used by application programs with the appropriate levels of data security and high-level management customers need (and can scale widely). Sybase is able to meet both needs with a pragmatic approach that allows software providers to isolate the data of different tenants from each other, while maintaining ease of management. SQL Anywhere OnDemand Edition enables software vendors to build, deploy, and manage cloud-based applications without compromise, thereby realizing the benefit of economies of scale with guaranteed isolation of customer data from extraneous software.
Independent software providers today need the ability to freely move their programs between public, private, and hybrid clouds - without being tied to any one cloud service operator. Many vendors operating applications running on their own capacities are concerned about maintaining and expanding the customer base without complicating the development process. Due to the fact that SQL Anywhere OnDemand Edition does not bind vendors to specific cloud services or data management architecture, they can create cloud applications that can function both in public clouds and at the vendor's capacities, in accordance with the individual needs of customers.
SQL Anywhere OnDemand Edition has the following features:
- Dynamic allocation of DB power - allocation and release of computing power on demand; the ability to share computing resources between different tenants for economies of scale; file-level data isolation of different tenants.
- Scaling of tenants - support for the operation of applications "Web scale" with an increase in the number of tenants to thousands.
- Atomic database of tenants - each database is maintained individually, the operation and backup are configured in accordance with the customer's requirements, as well as direct access of the customer; databases are in conditional locations with the exception of moving if necessary.
- Multi-tenant security - management of authority and authentication for each base is carried out independently; tenant encryption is supported individually; closed information stores are isolated from all other tenants in the system.
- Fully relational DBMS - the solution is based on the proven SQL Anywhere RDBMS, which has millions of installations and provides comprehensive support for SQL and relational data models.
- Cloud management - Designed to meet the needs of ISVs with thousands of databases, hundreds of servers, and multiple software and schema versions.
"ISVs are under intense pressure from corporate customers to get the on-demand convenience of application services, along with the flexibility and security inherent in their local application systems," said Terry Stepien, president of Sybase iAnywhere. "SQL Anywhere OnDemand Edition is a truly industry-unique offering. This product enables software vendors to provide customer-required levels of security and high-level management while ensuring ease of system management by flexibly combining the use of private clouds with public services to maximize protection against global failures of their own infrastructures."
2010
SQL Anywhere 12
In July 2010, Sybase announced a new version of SQL Anywhere 12, a database management and synchronization system. The new version offers a number of innovations, including the ability to store and synchronize spatial data, support for iPhone devices, and synchronize large amounts of data.
One of the most significant improvements is the ability to synchronize large amounts of data. SQL Anywhere 12 can now effectively manage information flows from multiple mobile devices. The list of supported mobile platforms now includes Apple iPhone devices (in addition to Blackberry and Windows Mobile platforms).
The new Server Scale-Out feature introduced in the Advanced Edition reduces the burden on critical servers by transferring reporting and read-only tasks to concurrent servers. In addition, built-in self-management mechanisms are implemented, such as the Server Thread Auto-tuning function, which provides automatic adaptation of data streams to current loads.
SQL Anywhere 12 users are offered advanced spatial data support. The new version of the product supports geographic-bound queries, offers additional tools for managing and synchronizing spatial data, supports OGC and SQLMM standards, and has built-in mechanisms for exporting data to KML, GML and SVG formats.
The new tools included in the package will make it easier to monitor, diagnose, and deploy synchronization mechanisms to different client devices. Users will also be able to simulate any data synchronization operation before performing it directly.
Software developers will appreciate the product's closer compatibility with Oracle and MySQL databases, support for .NET 4.0 and Visual Studio 2010 development environments, and advanced full-text search and data filtering capabilities.
SAP acquires Sybase
SAP, the world's largest enterprise software developer, acquired Sybase for $5.8 billion. The company was primarily known as one of the leading developers of DBMS and mobile applications for business.[4]
Versions
- 1992 - Version 3
- 1994 - Version 4
- 1995 - Version 5
- 1998 - Version 6
- 1999 - Version 6.0.2
- 2000 - Version 7
- 2001 - Version 8
- 2003 - Version 9
- 2006 - Version 10
- 2008 - Version 11
- 2010 - Version 12
Database functions
- Scalable read-only database configurations
- Web-Based Database Server Monitoring
- Spatial data
- Sequence generator
- Support for fetch expressions from DML
- Row Level Lock
- High-performance, self-tuning, cost-based query optimizer
- Advanced query execution algorithms
- Dynamic Cache Sizing
- Materialized Views
- Snapshot isolation
- Full-Text Search
- Compression of columns
- Stored Procedures and Triggers in SQL and Java
- External stored procedures in ESQL, ODBC, Java, CLR (.NET), Perl and PHP
- Binary Large Object (BLOB) Support
- Import/export XML and SQLX functionality support
- Database mirroring and cluster support
- Real-time defragmentation of indexes and tables
- Real-time backup
- Event Scheduler and Handler
- In-memory mode
- Creating and Using Web Services
- Supports strong encryption for database files and data transferred over the network
- Table encryption, custom auditing, rules for creating passwords, SHA256 hashing, Kerberos auto-integration
- FIPS 140-2 Compliance
- Built-in HTTP server
- Remote access to other DBMS and file system
- Support for On Line Analytical Processing (OLAP)
- Internationalization, including NCHAR data type support, accent sensitivity, Unicode Collation Algorithm and Unicode ICU support
- Integration with Windows Performance Monitor
Development Features
- Spatial data
- Application Profiling Utilities
- Tools for graphical design of DB diagram and for execution of reverse design operation
- Graphical tools for managing databases and viewing its objects
- Graphical view of the query plan, query editor, built-in stored procedure debugger, profiler and tool for monitoring data synchronization, graphical view of spatial data
- Index Consultant
- Native database access via ADO.NET, OLE DB, ODBC3.5/level 2, JDBC 3.0, Embedded SQL and Sybase Open Client
- Supports a wide range of development tools including Sybase PowerBuilder, Microsoft Visual Studio, Borland Delphi, Eclipse, and more
- Support for .NET 2.0 and higher
- Supports a wide range of programming languages, including C#, VB.NET, C/C++, ASP, ASP.NET, JSP, Java, PHP, and Perl DBD
- Advanced OLAP support, including rollup, recursive merging, intersection, and index merging
- Accessibility support for people with disabilities under Section 508 of the Rehabilitation Act, issued by the U.S. Federal Government
Database Settings
- Number of databases per server: 255
- Base Size - Limited only by memory size, disk space, and platform constraints
- Number of characters in database object names: 128
Table Options
- Indexes per table: up to 2048
- Table Size - Limited to file size only
- Tables in the database: up to 4 billion
- Columns in the table: 45000
- Field size: 2 GB
- Number of entries in table - limited to file size only
- Row Size - Limited to file size only
Trigger and Stored Procedure Options
- Maximum stored procedure size: 2 GB
- Stored procedures in the database: up to 4 billion
- Triggers in the base: up to 4 billion
- Nesting Level - Limited to disk space and server memory
Notes
- [1] Notice of vulnerability VULN-20251124.62
- [2] BDU:2025-14425
- [3] SAP gives SQL Anywhere a fresh IoT injection, https://www.computerworld.com/article/1623653/sap-gives-sql-anywhere-a-fresh-iot-injection.html
- [4] SAP bought Sybase for cloud DBMS and mobile access

