|
IBM DB2 Multiple Vulnerabilities
|
|
Secunia Advisory:
|
SA31635
|
|
|
Release Date:
|
2008-08-27
|
|
Last Update:
|
2008-09-17
|
|
Popularity:
|
2,206 views
|
|
|
Critical:
|
Moderately critical
|
|
Impact:
|
Privilege escalation
DoS
System access
|
|
Where:
|
From local network
|
|
Solution Status:
|
Vendor Patch
|
|
| Software: | IBM DB2 9.x
|
|
|
Subscribe:
|
Instant alerts on relevant vulnerabilities 
|
|
| CVE reference: | CVE-2008-2154
CVE-2008-3852
|
|
Description:
Some vulnerabilities have been reported in IBM DB2, which can be exploited by malicious users to cause a DoS (Denial of Service) or to perform certain actions with escalated privileges, or by malicious people to cause a DoS or compromise a vulnerable system.
1) An unspecified error exists in the deployment of CLR stored procedures of IBM database add-ins for Visual Studio and can be exploited to cause a DoS or gain escalated privileges.
2) A boundary error in the DAS server code can potentially be exploited to cause a DoS or compromise a vulnerable system.
For more information see vulnerability #4 in:
SA31787
3) An error in "INSTALL_JAR" can be exploited by malicious users to perform certain actions with escalated privileges.
For more information see vulnerability #5 in:
SA31787
The vulnerability is reported in versions prior to 9.1 Fixpak 5 and 9.5 Fixpak 2.
4) An unspecified error related to the processing of CONNECT and ATTACH requests can be exploited to cause a DoS.
This is related to vulnerability #1 in:
SA31787
The vulnerability is reported in versions prior to 9.1 FP 5.
Solution:
IBM DB2 9.1:
Update to Fixpak 5.
IBM DB2 9.5:
Update to Fixpak 2.
Provided and/or discovered by:
1) Martin Rakhmanov, Application Security Inc.
Changelog:
2008-08-29: Updated Advisory with additional information from the vendor. Lowered criticality.
2008-09-10: Added vulnerability #2 - #4. Raised criticality. Added link to "Original Advisory" section. Updated credits section.
2008-09-17: Added link to Application Security Inc. Updated credits section. Added CVE reference.
Original Advisory:
IBM (JR28431,JR28432, IZ22188, IZ22190, IZ21983, IZ22143):
http://www-01.ibm.com/support/docview.wss?uid=swg21293566
http://www-01.ibm.com/support/docview.wss?uid=swg1JR28431
http://www-01.ibm.com/support/docview.wss?uid=swg1JR28432
http://www-01.ibm.com/support/docview.wss?uid=swg21318189
Application Security Inc.
http://www.appsecinc.com/resources/alerts/db2/2008-05.shtml
Other References:
SA31787:
http://secunia.com/advisories/31787/
|
|
|
Track this Secunia Advisory
|
Customers of the Secunia Vulnerability Intelligence solutions will automatically receive updates when new information regarding this advisory is released.
Read more about our Vulnerability Intelligence solutions and what they can do for you and your company.
|
|
|
About this Secunia Advisory
|
Please note: The information that this Secunia Advisory is based on comes from a third party unless stated otherwise.
Secunia collects, validates, and verifies all vulnerability reports issued by security research groups, vendors, and others.
|
