Multiple IBM DB2 Security Vulnerabilities

Release date:
Updated on:

Affected Systems:
IBM DB2 9.x
Description:
--------------------------------------------------------------------------------
IBM DB2 is a large-scale commercial relational database system for e-commerce, commercial information, content management, customer relationship management, and other applications, it can run on AIX, HP-UX, Linux, Solaris, Windows, and other systems.

Multiple security vulnerabilities exist in earlier versions of IBM DB2 9.7 Fix Pack 6 (FP6, malicious local users can exploit some data to gain elevation of permissions, bypass certain security restrictions, and cause DOS.

1) An error exists in the included IBM Tivoli Monitoring Agent (ITMA), which can be exploited by local users to escalate permissions.

2) errors in DB2 Administration Server (DAS) can be exploited by authenticated users to escalate their permissions.

3) XML function errors can be exploited to cause DOS.

4) unknown details can be used to read certain tables.

5) errors in the XML function can be exploited by verified users to leak the XML file of the Instance users.

6) errors in processing DRDA requests can be exploited to create traps.

<* Source: vendor

Link: http://secunia.com/advisories/49437/
Http://www-304.ibm.com/support/docview.wss? Uid = swg1IC80729
Http://www-304.ibm.com/support/docview.wss? Uid = swg1IC79274
Http://www-304.ibm.com/support/docview.wss? Uid = swg1IC82234
Http://www-304.ibm.com/support/docview.wss? Uid = swg1IC81462
Http://www-304.ibm.com/support/docview.wss? Uid = swg1IC81380
*>

Suggestion:
--------------------------------------------------------------------------------
Vendor patch:

IBM
---
For this reason, IBM has released a Security Bulletin (IC80729) and corresponding patches:

IC80729: IC80729: SECURITY: remote escalation of privilege vulnerability in das.

Link: http://www-304.ibm.com/support/docview.wss? Uid = swg1IC80729