[ISN] IBM DB2 Flaws Found

InfoSec News isn at c4i.org
Mon Feb 14 05:25:53 EST 2005


By Lisa Vaas 
February 11, 2005

Several flaws have been discovered in IBM's DB2 Universal Database
that can be exploited to cause DoS attacks, to reveal sensitive
information, to read and manipulate file content, or to compromise
vulnerable systems.

An advisory posted Thursday on the bug-reporting site Secunia rates
the flaws as moderately critical, with IBM having already issued a
FixPak for DB2 versions 8.x.

IBM's advisory states that the vulnerabilities were discovered on Dec.  
10. The new vulnerabilities follow close on the heels of three FixPaks
that IBM released in October to address multiple vulnerabilities in
DB2 on Linux, Unix and Windows platforms.

The specifics on one of the flaws is that an error in the Windows
platform relating to the way system resources are used can be
exploited to cause a denial-of-service attack, to grab users'
passwords or to view other query results.

A second flaw has to do with processing of network messages while
establishing a database connection or instance attachment. Attackers
can exploit the flaw to execute arbitrary code.

Another flaw deals with missing restrictions in some XML Extender
user-defined functions. Exploits result in malicious users being able
to read or manipulate file content.

Finally, when creating certain databases within federated support,
attackers can exploit a flaw that allows them to execute arbitrary
code on vulnerable systems.

IBM advises all users of Unix, Linux and Windows platforms, as well as
users of DB2 UDB clients, servers and Connect gateway installations,
to install FixPaks 6a, 6b and 7a.

IBM advises all of the above users, plus users of DB2 XML Extender, to
install FixPak 8. Windows-specific fixes in FixPak 8 also apply to DB2
clients, but the risk isn't serious, according to IBM, and therefore
the fix isn't crucial.

In general, IBM advises DB2 UDB administrators to upgrade all DB2
client, server and Connect gateway instances on all supported
platforms to DB2 UDB Version 8.1 FixPak 8 "as soon as possible." The
only exceptions are DB2 UDB client instances on Version 8.1 FixPak 6a,
6b or 7a, which don't need to move up to the FixPak 8 level.

More information about the ISN mailing list