IBM DB2 Multiple Vulnerabilities
Last Update Date:
26 Jun 2012 12:08
Release Date:
26 Jun 2012
5226
Views
RISK: Medium Risk
TYPE: Servers - Database Servers
Multiple Vulnerabilities have been identified on IBM DB2 server, which could be exploited to escalate privilege, discloese sensitive infromation, and cause system crash.
- Vulnerability in IBM DB2 server products could allow a specially-crafted DRDA request to cause disruption to the server.
The vulnerability exists in the Distributed Relational Database Architecture (DRDA) module that handles DRDA chaining. A malicious user with knowledge of DRDA could send a specially crafted request to a database server to cause disruptions or a crash. - Vulnerability in IBM DB2 XML Feature could allow a remote attacker to view XML files owned by the DB2 instance owner.
A security vulnerability in the DB2 XML Feature which could allow a malicious user to remotely exploit and view XML files owned by the DB2 instance owner. To exploit the vulnerability, the user would need to have valid security credentials, CONNECT privilege to the database and be able to execute a specially crafted SQL statement. - Vulnerability in IBM DB2 could allow an authenticated user to view data from a table to which they do not have privilege.
A security vulnerability which would allow an authenticated user to view data from a table to which they do not have authority to view. To exploit the vulnerability, the user would need to have valid security credentials to connect to the database and execute specially crafted SQL statements. To execute the SQL statements the user would need CREATEIN privileges to the database.
Impact
- Denial of Service
- Elevation of Privilege
- Information Disclosure
System / Technologies affected
The following IBM DB2 DB2 V9.5 and V9.7 editions running on AIX, Linux, HP, Solaris and Windows:
- IBM DB2 9.7 Express Edition
- IBM DB2 9.7 Workgroup Server Edition
- IBM DB2 9.7 Enterprise Server Edition
- IBM DB2 9.7 Advanced Enterprise Server Edition
- IBM DB2 Connect 9.7 Application Server Edition
- IBM DB2 Connect 9.7 Enterprise Edition
- IBM DB2 Connect 9.7 Unlimited Edition for System i
- IBM DB2 Connect 9.7 Unlimited Edition for System z
- IBM DB2 9.5 Express Edition
- IBM DB2 9.5 Workgroup Server Edition
- IBM DB2 9.5 Enterprise Server Edition
- IBM DB2 9.5 Advanced Enterprise Server Edition
- IBM DB2 Connect 9.5 Application Server Edition
- IBM DB2 Connect 9.5 Enterprise Edition
- IBM DB2 Connect 9.5 Unlimited Edition for System i
- IBM DB2 Connect 9.5 Unlimited Edition for System z
The following IBM V9.8 editions running on AIX and Linux:
- IBM DB2 pureScale Feature for Enterprise Server Edition
Solutions
Before installation of the software, please visit the software manufacturer web-site for more details.
- In general, DB2 fix packs can be downloaded from the following site:
http://www.ibm.com/support/docview.wss?uid=swg27007053 - Mitigation:
To exploit the vulnerability, the user would need to be able to connect to the
database and execute an SQL statement. The exposure can be reduced by revoking
CONNECT privilege from PUBLIC.
Vulnerability Identifier
Source
Related Link
Share with