Potential security vulnerability with Pervasive System Analyzer
Description
NOTES:
  • The PSA utility needs to be uninstalled from the server and all workstations.
  • Sage users do not need to be logged out of Sage CRE300 to uninstall PSQL System Analyzer.
  • The uninstall does not require a reboot of the server or workstation.
To uninstall the PSA utility:
  1. From the Control Panel, select Programs and Features. (This may also be labeled Add or Remove Programs, depending on the version of Windows that is installed.)
  2. Locate Pervasive or Actian (PSQL server or client engine) and select Uninstall/Change
  3. When prompted, select Modify
  4. Locate PSQL System Analyzer and use the drop-down option to select the "this feature will not be available" option
  5. Select Next and then Install to uninstall the PSA feature
Cause

The keyhelp.ocx file used by the PSA utility is flagged by security audits or analyzer utilities as a potentially vulnerable file.

In versions 16.1 or earlier, the file can permit an unauthorized user to remotely execute code on the machine where the Sage 300 CRE / Sage Estimating (Pervasive) application is running. The vulnerability could be exploited if a user opens a specially crafted file from a third party with the ActiveX component enabled on the Sage 300 CRE / Sage Estimating (Pervasive) machine.

Resolution

The steps to resolve this issue depend on which product(s) you are using:

  • If you are using ONLY Sage 300 Construction and Real Estate version 16.1 or earlier, do one of the following:
    • Upgrade to version 17.1 or version 18.1
    • Uninstall the PSA utility
  • If you are using BOTH Sage Estimating (Pervasive) and Sage 300 Construction and Real Estate version 16.1 or earlier, do one of the following:
    • Upgrade both products to version 17.1 (Note: there is no version 18.1 for Sage Estimating (Pervasive))
    • Uninstall the PSA utility
  • If you are using ONLY Sage Estimating (Pervasive) version 16.1 or earlier, do one of the following:
    • Upgrade to Sage Estimating (Pervasive) version 17.1
    • Uninstall the PSA utility
  • If you are using Sage Estimating (SQL) and upgraded directly from Sage Estimating (Pervasive) version 16.1 or earlier, uninstall the PSA utility.
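
To confirm the result on the server and each workstation, the PowerShell script below (an added example, not part of the original article) lists copies of keyhelp.ocx and any ActiveX (COM) registrations that point to it. The default search roots (the Program Files directories) are an assumption, because the article does not state where the file is installed.

```powershell
# Added example (not from the original article): audit one machine for keyhelp.ocx.
param(
    # Assumption: default search roots; the article does not state the install path.
    [string[]]$SearchRoots = @($env:ProgramFiles, ${env:ProgramFiles(x86)}),
    [string]$FileName = 'keyhelp.ocx'
)

# 1. Copies of the file on disk, with version and hash for the audit record.
$files = @(foreach ($root in $SearchRoots) {
    if ($root -and (Test-Path -LiteralPath $root)) {
        Get-ChildItem -LiteralPath $root -Filter $FileName -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                [pscustomobject]@{
                    Kind   = 'File'
                    Where  = $_.FullName
                    Detail = "version $($_.VersionInfo.FileVersion), SHA256 " +
                             (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
                }
            }
    }
})

# 2. COM/ActiveX registrations whose in-process server is the file
#    (native registry view and the 32-bit WOW6432Node view).
$views = 'Registry::HKEY_CLASSES_ROOT\CLSID', 'Registry::HKEY_CLASSES_ROOT\WOW6432Node\CLSID'
$registrations = @(foreach ($view in $views) {
    if (Test-Path -LiteralPath $view) {
        Get-ChildItem -LiteralPath $view -ErrorAction SilentlyContinue | ForEach-Object {
            $sub = $_.OpenSubKey('InprocServer32')
            if ($sub) {
                $server = [string]$sub.GetValue('')   # default value = path of the control
                $sub.Close()
                if ($server -like "*$FileName*") {
                    [pscustomobject]@{ Kind = 'Registration'; Where = $_.Name; Detail = $server }
                }
            }
        }
    }
})

$findings = $files + $registrations
if ($findings.Count -eq 0) {
    Write-Output "No $FileName found on $env:COMPUTERNAME in the searched roots or CLSID registrations."
    exit 0
}
$findings | Format-Table -AutoSize -Wrap
exit 1   # non-zero exit code so a deployment tool can flag the machine
```

Pass additional folders with -SearchRoots if the PSQL engine was installed outside Program Files.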

For more information about the risk, read the article from the Actian Knowledgebase.

DocLink: How do I install Sage Estimating (Pervasive version) on the server or the workstations?
DocLink: How do I Download the Latest Sage 300 CRE Software Upgrade to a newer version?