IBM DB2 < 9 Fix Pack 3 / 8 Fix Pack 15 Multiple Vulnerabilities

critical Nessus Plugin ID 25905

Synopsis

The remote database server is affected by multiple vulnerabilities.

Description

According to its version, the installation of IBM DB2 running on the remote host is affected by one or more of the following issues :

- A local user may be able to overwrite arbitrary files, create arbitrary world-writeable directories, or gain root privileges via symlink attacks or specially crafted environment variables. (IY98210 / IY99261)

- A user may be able to continue to execute a method even once privileges for the method have been revoked.
(IY88226, version 8 only)

- There is an unspecified issue allowing for privilege elevation when DB2 'execs' executables while running as root. (IY98206 / IY98176)

- There is an unspecified vulnerability related to incorrect authorization routines. (JR25940, version 8 only)

- There is an unspecified vulnerability in 'AUTH_LIST_GROUPS_FOR_AUTHID'. (IZ01828, version 9.1 only)

- There is an unspecified vulnerability in the 'db2licm' and 'db2pd' tools. (IY97922 / IY97936)

- There is an unspecified vulnerability involving 'db2licd' and the 'OSSEMEMDBG' and 'TRC_LOG_FILE' environment variables. (IY98011 / IY98101)

- There is a buffer overflow involving the 'DASPROF' environment variable. (IY97346 / IY99311)

- There is an unspecified vulnerability that can arise during instance and FMP startup. (IZ01923 / IZ02067)

- The DB2JDS service may allow for arbitrary code execution without the need for authentication due to a stack overflow in an internal sprintf() call.
(IY97750, version 8 only)

- The DB2JDS service is affected by two denial of service issues that can be triggered by packets with an invalid LANG parameter or a long packet, which cause the process to terminate (version 8 only).

Note that there is currently insufficient information to determine to what extent the first set of issues overlaps the others.

Solution

Apply IBM DB2 version 9 Fix Pack 3 / 8.1 Fix Pack 15 / 8.2 Fix Pack 8 or later.

See Also

https://www.trustwave.com/Company/AppSecInc-is-now-Trustwave/

https://seclists.org/fulldisclosure/2007/Aug/313

https://seclists.org/fulldisclosure/2007/Aug/314

https://seclists.org/fulldisclosure/2007/Aug/315

https://seclists.org/fulldisclosure/2007/Aug/316

https://seclists.org/fulldisclosure/2007/Aug/317

https://seclists.org/fulldisclosure/2007/Aug/318

https://seclists.org/fulldisclosure/2007/Aug/319

https://seclists.org/bugtraq/2007/Oct/153

https://www-01.ibm.com/support/docview.wss?uid=swg21255607

http://www-1.ibm.com/support/docview.wss?uid=swg21255352

Plugin Details

Severity: Critical

ID: 25905

File Name: db2_9fp3.nasl

Version: 1.35

Type: remote

Family: Databases

Published: 8/20/2007

Updated: 4/11/2022

Configuration: Enable thorough checks

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: Critical

Base Score: 10

Temporal Score: 8.3

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 9.8

Temporal Score: 9.1

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Temporal Vector: CVSS:3.0/E:F/RL:O/RC:C

Vulnerability Information

CPE: cpe:/a:ibm:db2

Exploit Available: true

Exploit Ease: Exploits are available

Exploitable With

CANVAS (CANVAS)

Reference Information

CVE: CVE-2007-2582, CVE-2007-4270, CVE-2007-4271, CVE-2007-4272, CVE-2007-4273, CVE-2007-4275, CVE-2007-4276, CVE-2007-4417, CVE-2007-4418, CVE-2007-4423

BID: 23890, 25339, 26010

CWE: 119, 134, 22