Skip to main content

IBM DB2 Multiple Vulnerabilities

Last Update Date: 26 Jun 2012 12:08 Release Date: 26 Jun 2012 5226 Views

RISK: Medium Risk

TYPE: Servers - Database Servers

TYPE: Database Servers

Multiple Vulnerabilities have been identified on IBM DB2 server, which could be exploited to escalate privilege, discloese sensitive infromation, and cause system crash.

  1. Vulnerability in IBM DB2 server products could allow a specially-crafted DRDA request to cause disruption to the server.
    The vulnerability exists in the Distributed Relational Database Architecture (DRDA) module that handles DRDA chaining. A malicious user with knowledge of DRDA could send a specially crafted request to a database server to cause disruptions or a crash.
  2. Vulnerability in IBM DB2 XML Feature could allow a remote attacker to view XML files owned by the DB2 instance owner.
    A security vulnerability in the DB2 XML Feature which could allow a malicious user to remotely exploit and view XML files owned by the DB2 instance owner. To exploit the vulnerability, the user would need to have valid security credentials, CONNECT privilege to the database and be able to execute a specially crafted SQL statement.
  3. Vulnerability in IBM DB2 could allow an authenticated user to view data from a table to which they do not have privilege.
    A security vulnerability which would allow an authenticated user to view data from a table to which they do not have authority to view. To exploit the vulnerability, the user would need to have valid security credentials to connect to the database and execute specially crafted SQL statements. To execute the SQL statements the user would need CREATEIN privileges to the database.

Impact

  • Denial of Service
  • Elevation of Privilege
  • Information Disclosure

System / Technologies affected

The following IBM DB2 DB2 V9.5 and V9.7 editions running on AIX, Linux, HP, Solaris and Windows:

  • IBM DB2 9.7 Express Edition
  • IBM DB2 9.7 Workgroup Server Edition
  • IBM DB2 9.7 Enterprise Server Edition
  • IBM DB2 9.7 Advanced Enterprise Server Edition
  • IBM DB2 Connect 9.7 Application Server Edition
  • IBM DB2 Connect 9.7 Enterprise Edition
  • IBM DB2 Connect 9.7 Unlimited Edition for System i
  • IBM DB2 Connect 9.7 Unlimited Edition for System z
  • IBM DB2 9.5 Express Edition
  • IBM DB2 9.5 Workgroup Server Edition
  • IBM DB2 9.5 Enterprise Server Edition
  • IBM DB2 9.5 Advanced Enterprise Server Edition
  • IBM DB2 Connect 9.5 Application Server Edition
  • IBM DB2 Connect 9.5 Enterprise Edition
  • IBM DB2 Connect 9.5 Unlimited Edition for System i
  • IBM DB2 Connect 9.5 Unlimited Edition for System z

The following IBM V9.8 editions running on AIX and Linux:

  • IBM DB2 pureScale Feature for Enterprise Server Edition

Solutions

Before installation of the software, please visit the software manufacturer web-site for more details.

  • In general, DB2 fix packs can be downloaded from the following site:
    http://www.ibm.com/support/docview.wss?uid=swg27007053
  • Mitigation:
    To exploit the vulnerability, the user would need to be able to connect to the
    database and execute an SQL statement. The exposure can be reduced by revoking
    CONNECT privilege from PUBLIC.

Vulnerability Identifier


Source


Related Link